Didier Stevens

Saturday 5 March 2016

Even More Obfuscated MIME Type Files

Filed under: maldoc,Malware,My Software,Update — Didier Stevens @ 9:45

Iā€™m providing a 2-day training at Brucon Spring Training 2016: ā€œAnalysing Malicious Documentsā€œ. Use promo-code SPRING16 for a 10% discount.

I received another maldoc sample (MD5 73D06B898E03395DA3D60D11E49751CC):

20160305-102423

Lines 2, 3, 6, 7 and 8 are there to obfuscate this MIME type file. emldump.py now detects all lines without a colon in the first block (all lines before the empty line 9: 1 – 8).

20160305-103000

You can filter out these lines with option -f:

20160305-103136

emldump_V0_0_8.zip (https)
MD5: B6FBAF2AB403AFE30F7C3D7CA166793B
SHA256: 7A7016B29F291C3D42B43D43B265DAD86B96DA519DB426163CC2D15C556896E3

Blog at WordPress.com.