Didier Stevens

Friday 6 November 2015

Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean)

Filed under: maldoc,Malware,My Software,Reverse Engineering — Didier Stevens @ 0:00

In my previous post we used VBA and Excel to decode the URL and the PE file.

In this  post we will use Python. I translated the VBA decoding function IpkfHKQ2Sd to Python:


Now we can decode the URL using Python:


And also decode the downloaded file with my translate program and the IpkfHKQ2Sd function:




Blog at WordPress.com.