Didier Stevens

Monday 28 December 2015

Maldoc GET Range

Filed under: maldoc,Malware — Didier Stevens @ 13:06

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

I analyzed a malicious document (365a04140b3abe71c6cb4248d5bbbb57a172f37fe878eec49dc90745f5c37ae3) that does something I hadn’t seen done before in VBS.

This maldoc drops a VBS script that then downloads an executable. The PE file is XOR-encoded and embedded in a valid JPEG file. Here is the image:


Look at the obfuscated code:


Notice SetRequestHeader: this code issues an HTTP request and adds a custom header to it. Here is the deobfuscated code:


This code downloads a picture (wp.jpg), but not the complete picture. It sets the header Range: bytes=28141- so that the server returns only the bytes from offset 28141 to the end of the file, i.e. only the part of the JPEG that holds the XOR-encoded PE file. The rest of the image is never transferred; the script receives the encoded executable directly and decodes it. Note that this only works against a server that honors range requests (206 Partial Content); a server that ignores the header answers 200 with the complete file.
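As an added worked example (not Didier Stevens' code and not the maldoc's VBS), the following Python reproduces the mechanics of the trick offline: it builds a constructed, structurally valid JPEG with an XOR-encoded stand-in for the PE after the EOI marker, walks the JPEG segments to find the offset a Range header would have to carry, simulates a Range-capable server (RFC 7233 single byte range, including the 416 and "no range support" cases) and recovers the XOR key. The single-byte key, the offset and the fake PE bytes are assumptions of this example; the real sample's key and layout are not given on this page.

```python
"""Added example, not from the original post and not the maldoc's VBS: the
GET Range trick on a constructed JPEG (trailer offset, Range header, XOR)."""
import re

# Constructed stand-in for the PE: only the DOS header fields an analyst looks
# for (MZ, e_lfanew at 0x3C pointing at "PE\0\0").  Not a real executable.
FAKE_PE = b"MZ\x90\x00" + bytes(56) + (64).to_bytes(4, "little") + b"PE\x00\x00" + b"payload"
XOR_KEY = 0x5A   # single-byte key, assumed for this example


def xor_bytes(blob: bytes, key: int) -> bytes:
    """Single-byte XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in blob)


def build_sample_jpeg(payload: bytes, key: int) -> bytes:
    """Constructed sample: minimal but well-formed JPEG (SOI, APP0, SOS, a few
    entropy-coded bytes, EOI) with the XOR-encoded payload appended after EOI."""
    soi = b"\xff\xd8"
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56"   # FF 00 is byte stuffing inside scan data, not a marker
    eoi = b"\xff\xd9"
    return soi + app0 + sos + scan + eoi + xor_bytes(payload, key)


def jpeg_trailer_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset of the first byte after
    EOI (FF D9): the number the Range header must carry.  Raises ValueError
    if the data is not a well-formed JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("no SOI marker: not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                              # EOI
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + length                               # length counts itself, not the marker
        if marker == 0xDA:                              # SOS: scan data runs until EOI
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] == 0xD9:
                    return pos + 2
                pos += 1
            break
    raise ValueError("no EOI marker found")


_RANGE_RE = re.compile(r"^bytes=(\d*)-(\d*)$")


def serve_range(data: bytes, range_header):
    """What a Range-capable server does with one byte range (RFC 7233).
    Returns (status, body, content_range).  A server without range support,
    or one handed an unparseable header, answers 200 with the whole file,
    which is exactly the case that breaks the maldoc's decoding step."""
    m = _RANGE_RE.match(range_header or "")
    if not m or m.group(1) == m.group(2) == "":
        return 200, data, None
    size = len(data)
    if m.group(1) == "":                                # bytes=-N: the last N bytes
        start, end = max(size - int(m.group(2)), 0), size - 1
    else:                                               # bytes=N- or bytes=N-M
        start = int(m.group(1))
        end = size - 1 if m.group(2) == "" else min(int(m.group(2)), size - 1)
    if start >= size or start > end:
        return 416, b"", f"bytes */{size}"
    return 206, data[start:end + 1], f"bytes {start}-{end}/{size}"


def recover_single_byte_key(blob: bytes):
    """Assumes a single-byte key and a PE payload (this example's assumption):
    the key must turn the first two bytes into 'MZ'.  Returns None otherwise."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")
    return key if blob[1] ^ key == ord("Z") else None


def extract_embedded_pe(image: bytes):
    """Analyst side: locate the trailer, request only that range the way the
    maldoc does, recover the key, decode.  Returns (range_header, status, key, pe)."""
    offset = jpeg_trailer_offset(image)
    range_header = f"bytes={offset}-"
    status, body, _ = serve_range(image, range_header)
    key = recover_single_byte_key(body) if status == 206 else None
    decoded = xor_bytes(body, key) if key is not None else b""
    return range_header, status, key, decoded


if __name__ == "__main__":
    sample = build_sample_jpeg(FAKE_PE, XOR_KEY)
    hdr, status, key, pe = extract_embedded_pe(sample)
    print(f"Range: {hdr} -> {status}, key 0x{key:02x}, decoded starts with {pe[:4]!r}")
```

Two points for the analyst follow from running it: the offset in the real sample (28141) is simply the byte position where the image's own data ends or where the encoded PE was placed, so a segment walk over the downloaded wp.jpg would confirm whether the encoded executable sits after EOI or inside a segment; and on the wire, a script host sending a Range header on a request for a .jpg is itself a usable detection hook, because browsers rarely do that for images.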



  1. Looks like the main page is now defaced by ISIS skiddies,
    with pretty interesting content dropping malware svhost.exe.
    Do not use Windows when connecting.

    Comment by Anonymous — Tuesday 29 December 2015 @ 6:14

  2. Hi Didier,

    Great blog, we’ve referenced you in our new blog on the same macro technique at http://blogs.websense.com/security-labs/range-technique-permits-ursnif-jump-your-machine


    Comment by Nick Griffin — Monday 11 January 2016 @ 9:16

  3. […] Maldoc GET Range […]

    Pingback by Overview of Content Published In December | Didier Stevens — Wednesday 20 January 2016 @ 17:58

  4. This seems similar to stuff I talked about at Kiwicon in early Dec 2015 – https://www.kiwicon.org/the-con/talks/#e206 . Slides aren’t widely available but feel free to ask me on twitter (@secvalve). The technique’s been feasible for ~15 years, I’m curious how old its usage in the wild is.

    Comment by Kate Pearce — Wednesday 11 May 2016 @ 8:02

  5. It was the first time I saw it in maldocs when I posted this.

    Comment by Didier Stevens — Thursday 12 May 2016 @ 5:56
