Didier Stevens

Saturday 7 November 2015

Analysis Of An Office Maldoc With Encrypted Payload: oledump plugin

Filed under: maldoc,Malware,My Software,Reverse Engineering — Didier Stevens @ 0:00

After a quick and dirty analysis and a “slow and clean” analysis of a malicious document, we can integrate the Python decoder function into a plugin: the plugin_dridex.py

First we add function IpkfHKQ2Sd to the plugin. The function uses the array module, so we need to import it (line 30):

20151106-222710

Then we can add the IpkfHKQ2Sd function (line 152):

20151106-222928

And then we can add function IpkfHKQ2Sd to the list in line 217:

20151106-223132

This is the code that tries different decoding functions that take 2 arguments: a secret and a key.

I also added code (from plugin_http_heuristics) to support Chr concatenations:

20151106-223608

The result is that the plugin can now extract the URLs from this sample:

20151106-222050

Download:
oledump_V0_0_19.zip (https)
MD5: DBE32C21C564DB8467D0064A7D4D92BC
SHA256: 7F8DCAA2DE9BB525FB967B7AEB2F9B06AEB5F9D60357D7B3D14DEFCB12FD3F94

1 Comment »

  1. […] Analysis Of An Office Maldoc With Encrypted Payload: oledump plugin […]

    Pingback by Overview of Content Published In November | Didier Stevens — Friday 11 December 2015 @ 0:00


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.