I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents”.
I analyzed a malicious document (365a04140b3abe71c6cb4248d5bbbb57a172f37fe878eec49dc90745f5c37ae3) that does something I hadn’t seen done before in VBS.
This maldoc drops a VBS script that proceeds to download an executable. The PE file is XOR-encoded and embedded in a valid JPEG file. Here is the image:
Look at the obfuscated code:
Notice SetRequestHeader: This code is using HTTP and is adding something to the headers. Here is the deobfuscated code:
This code is downloading a picture (wp.jpg), but not the complete picture. It sets a header (Range: bytes=28141-) to download only the XOR-encoded PE file hidden in the JPEG image.
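The carving step an analyst would apply to such an image, as an added example that is not from the original post: locate data appended after the JPEG's End-Of-Image marker (the Range offset in the script, 28141 here, points at the same place) and try to recover the PE. It assumes a single-byte XOR key and a standard MZ/DOS-stub header, neither of which the post states; the sample JPEG and payload are constructed.

```python
from typing import Optional, Tuple

# Added example, not the post's code. Assumption: single-byte XOR key and a
# payload that starts with a normal "MZ" header plus the DOS stub text.
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"

def find_trailing_data(data: bytes) -> Optional[int]:
    """Offset of the bytes after the last EOI marker, or None if nothing follows.
    The last FFD9 is used; entropy-coded data may contain FFD9 too, so treat a hit as a lead."""
    if not data.startswith(JPEG_SOI):
        return None
    eoi = data.rfind(JPEG_EOI)
    if eoi == -1 or eoi + 2 >= len(data):
        return None
    return eoi + 2

def xor_decode(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)

def recover_pe(blob: bytes) -> Optional[Tuple[int, bytes]]:
    """Try all 256 keys; accept one that yields MZ and the DOS stub string."""
    for key in range(256):
        if xor_decode(blob[:2], key) == b"MZ":
            decoded = xor_decode(blob, key)
            if DOS_STUB_TEXT in decoded:
                return key, decoded
    return None

def analyze(data: bytes) -> Optional[Tuple[int, int, bytes]]:
    """Return (payload offset, XOR key, decoded PE) or None."""
    off = find_trailing_data(data)
    if off is None:
        return None
    result = recover_pe(data[off:])
    if result is None:
        return None
    key, decoded = result
    return off, key, decoded

# Constructed sample: minimal JPEG shell (22 bytes) + fake PE XOR-encoded with 0x5A.
FAKE_PE = b"MZ" + b"\x90" * 62 + DOS_STUB_TEXT + b".\r\n$"
SAMPLE_KEY = 0x5A
SAMPLE_JPEG = JPEG_SOI + b"\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 9 + JPEG_EOI
SAMPLE_FILE = SAMPLE_JPEG + xor_decode(FAKE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    print(analyze(SAMPLE_FILE))  # (22, 90, b'MZ...')
```

On a real sample, compare the offset found here with the value in the Range header; a mismatch means the script skips part of the trailing data or the JPEG contains more than one FFD9.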