Didier Stevens

Friday 6 November 2015

Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean)

Filed under: maldoc,Malware,My Software,Reverse Engineering — Didier Stevens @ 0:00

In my previous post we used VBA and Excel to decode the URL and the PE file.

In this  post we will use Python. I translated the VBA decoding function IpkfHKQ2Sd to Python:

20151105-223017

Now we can decode the URL using Python:

20151105-223901

And also decode the downloaded file with my translate program and the IpkfHKQ2Sd function:

20151105-224328

20151105-224636

 

3 Comments »

  1. […] a quick and dirty analysis and a “slow and clean” analysis of a malicious document, we can integrate the Python decoder function into a plugin: the […]

    Pingback by Stats for Analysis Of An Office Maldoc With Encrypted Payload: oledump plugin | Didier Stevens — Saturday 7 November 2015 @ 0:00

  2. […] used this in my “Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean)” […]

    Pingback by Update: translate.py V2.1.0 | Didier Stevens — Sunday 8 November 2015 @ 0:01

  3. […] Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean) […]

    Pingback by Overview of Content Published In November | Didier Stevens — Friday 11 December 2015 @ 0:00


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.