After a quick and dirty analysis and a “slow and clean” analysis of a malicious document, we can integrate the Python decoder function into a plugin: plugin_dridex.py.
First we add function IpkfHKQ2Sd to the plugin. The function uses the array module, so we need to import it (line 30):
Then we can add the IpkfHKQ2Sd function (line 152):
And then we can add function IpkfHKQ2Sd to the list in line 217:
This is the code that tries different decoding functions that take 2 arguments: a secret and a key.
I also added code (from plugin_http_heuristics) to support Chr concatenations:
The result is that the plugin can now extract the URLs from this sample:
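The approach described above (resolve Chr concatenations, then try every two-argument decoder on pairs of strings and keep what looks like a URL) can be sketched as follows. This is an added example, not the code of plugin_dridex.py: the two decoders are constructed stand-ins rather than the sample's IpkfHKQ2Sd algorithm, and all function names, the sample line and its URL are assumptions.

```python
import itertools
import re

CHR_RUN = re.compile(r'Chr\$?\(\s*\d+\s*\)(?:\s*&\s*Chr\$?\(\s*\d+\s*\))*', re.I)
LITERAL_JOIN = re.compile(r'"([^"]*)"\s*&\s*"([^"]*)"')

def resolve_chr_concatenations(vba):
    """Turn runs such as Chr(104) & Chr(116) into one quoted literal ("ht")."""
    def to_literal(match):
        return '"' + ''.join(chr(int(n)) for n in re.findall(r'\d+', match.group(0))) + '"'
    return CHR_RUN.sub(to_literal, vba)

def merge_literals(vba):
    """Join adjacent literals ("ab" & "cd" -> "abcd") until nothing changes."""
    while True:
        merged = LITERAL_JOIN.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', vba)
        if merged == vba:
            return vba
        vba = merged

# Constructed stand-in decoders: NOT the sample's IpkfHKQ2Sd algorithm.
def xor_hex_decoder(secret, key):
    data = bytes.fromhex(secret)
    return ''.join(chr(b ^ ord(key[i % len(key)])) for i, b in enumerate(data))

def shift_decoder(secret, key):
    return ''.join(chr(ord(c) - int(key)) for c in secret)

DECODERS = [xor_hex_decoder, shift_decoder]

def extract_urls(vba):
    """Try every decoder on every ordered (secret, key) pair of string literals."""
    strings = re.findall(r'"([^"\r\n]*)"', merge_literals(resolve_chr_concatenations(vba)))
    urls = []
    for decoder, (secret, key) in itertools.product(DECODERS, itertools.permutations(strings, 2)):
        try:
            decoded = decoder(secret, key)
        except Exception:  # a wrong decoder or a wrong pairing is expected to fail
            continue
        if re.match(r'https?://', decoded, re.I) and decoded not in urls:
            urls.append(decoded)
    return urls

def _xor_hex_encode(plain, key):  # only used to build the constructed sample below
    return ''.join('%02X' % (ord(c) ^ ord(key[i % len(key)])) for i, c in enumerate(plain))

# Constructed sample line; the URL and the function name Dec are placeholders.
SAMPLE_VBA = 'u = Dec("%s", Chr(75) & Chr(51) & "y")' % _xor_hex_encode('http://example.invalid/a', 'K3y')
print(extract_urls(SAMPLE_VBA))
```

Because the harness does not know which string is the secret and which is the key, it tries both orderings and relies on the URL check to discard wrong combinations.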
Download:
oledump_V0_0_19.zip (https)
MD5: DBE32C21C564DB8467D0064A7D4D92BC
SHA256: 7F8DCAA2DE9BB525FB967B7AEB2F9B06AEB5F9D60357D7B3D14DEFCB12FD3F94