Didier Stevens

Thursday 6 July 2017

I Will Follow (no, not talking about social media)

Filed under: maldoc,Malware — Didier Stevens @ 20:54

I can’t help feeling some kind of satisfaction when a friend uses my tools to analyze malware, and hacks his way to a solution when my tool falls short 🙂

In this nice blogpost, @bluejay00 analyzes RTF malware with my rtfdump.py tool. But because of obfuscation, rtfdump.py is not able to extract the object. @bluejay00 understands this, deobfuscates the RTF sample with an editor, and is then able to get my tool to work correctly.

I’ll just show how I would have used my translate.py tool to remove the obfuscation:

 

1 Comment »

  1. […] at Furoner.Cat analyses a maldoc.Didier Stevens then responds by showing how he would have achieved the same result. Analysis of “new” RTF […]

    Pingback by Week 27 – 2017 – This Week In 4n6 — Sunday 9 July 2017 @ 13:07


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Blog at WordPress.com.

%d bloggers like this: