Didier Stevens

Monday 28 December 2015

Maldoc GET Range

Filed under: maldoc,Malware — Didier Stevens @ 13:06

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“.

I analyzed a malicious document (365a04140b3abe71c6cb4248d5bbbb57a172f37fe878eec49dc90745f5c37ae3) that does something I hadn’t seen done before in VBS.

This maldoc drops a VBS script, that proceeds to download an executable. The PE file is XOR-encoded and embedded in a valid JPEG file. Here is the image:

20151228-135434

Look at the obfuscated code:

20151228-135746

Notice SetRequestHeader: This code is using HTTP and is adding something to the headers. Here is the deobfuscated code:

20151228-140004

This code is downloading a picture (wp.jpg), but not the complete picture. It sets a header (Range: bytes=28141-) to download only the XOR-encoded PE file hidden in the JPEG image.

 

5 Comments »

  1. Looks like the main page is now defaced by isis skidies.
    with pretty interesting content dropping malware svhost.exe.
    Do not use windows when connecting

    Comment by Anonymous — Tuesday 29 December 2015 @ 6:14

  2. Hi Dider,

    Great blog, we’ve referenced you in our new blog on the same macro technique at http://blogs.websense.com/security-labs/range-technique-permits-ursnif-jump-your-machine

    Nick

    Comment by Nick Griffin — Monday 11 January 2016 @ 9:16

  3. […] Maldoc GET Range […]

    Pingback by Overview of Content Published In December | Didier Stevens — Wednesday 20 January 2016 @ 17:58

  4. This seems similar to stuff i talked about at Kiwicon in early dec 2015 – https://www.kiwicon.org/the-con/talks/#e206 . Slides aren’t widely available but feel free to ask me on twitter (@secvalve). The technique’s been feasible for ~15 years, i’m curious how old it’s usage in the wild is.

    Comment by Kate Pearce — Wednesday 11 May 2016 @ 8:02

  5. It was the first time I saw it in maldocs when I posted this.

    Comment by Didier Stevens — Thursday 12 May 2016 @ 5:56


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: