Didier Stevens

Monday 31 July 2017

Update: translate.py Version 2.5.0

Filed under: maldoc,My Software,Update — Didier Stevens @ 20:17

I analyzed a malicious document send by a reader of the Internet Storm Center, and to decode the payload I wanted to use my tool translate.py.

But an option was lacking: I had to combine 2 byte streams to result in the decoded payload, while translate will only accept one byte stream (file, stdout, …).

I solved my problem with a small custom Python script, but then I updated translate.py to accept a second file/byte stream (option -2).

This is how I use it to decode the payload:


translate_v2_5_0.zip (https)
MD5: 768F895537F977EF858B4D82E0E4387C
SHA256: 5451BF8A58A04547BF1D328FC09EE8B5595C1247518115F439FC720A3436519F

Tuesday 18 July 2017

.ISO Files With Zone.Identifier

Filed under: maldoc,Malware — Didier Stevens @ 22:20

An .iso file downloaded from the Internet (thus with a Zone.Identifier ADS) opened in Windows 10 will not propagate this “mark-of-the-web” to the contained files.

Here is an example with file demo.iso, marked as downloaded from the Internet:

When this file is opened (double-clicked), it is mounted as a drive (E: in this example), and we see the content (a Word document: demo.docx):

This file is not marked as downloaded from the Internet:

Word does not open it in Protected View:

Monday 10 July 2017

Select Parent Process from VBA

Filed under: Forensics,Hacking,maldoc,Malware,My Software — Didier Stevens @ 0:00

Years ago I wrote a C program to create a new process with a chosen parent process: selectmyparent. And recently I showed what process monitor and system monitor report when you use this tool.

Starting a new process with a chosen parent process can be done from VBA too, as shown in this video (I’m not sharing the VBA code):

Thursday 6 July 2017

I Will Follow (no, not talking about social media)

Filed under: maldoc,Malware — Didier Stevens @ 20:54

I can’t help feeling some kind of satisfaction when a friend uses my tools to analyze malware, and hacks his way to a solution when my tool falls short 🙂

In this nice blogpost, @bluejay00 analyzes RTF malware with my rtfdump.py tool. But because of obfuscation, rtfdump.py is not able to extract the object. @bluejay00 understands this, deobfuscates the RTF sample with an editor, and is then able to get my tool to work correctly.

I’ll just show how I would have used my translate.py tool to remove the obfuscation:


Thursday 20 April 2017

Malicious Documents: The Matryoshka Edition

Filed under: maldoc,Malware,PDF — Didier Stevens @ 0:02

I must admit that I was (patiently) waiting for the type of malicious document I’m about to describe now. First I’m going to analyze this document with my tools, and after that I’m going to show you some of the mitigations put in place by Adobe and Microsoft.

Malicious document 123-148752488-reg-invoice.pdf is a PDF with an embedded file and JavaScript. Here is pdfid’s report:

As we can notice from this report, the PDF document contains /JavaScript and an /OpenAction to launch this JavaScript upon opening of the PDF file, and also an /EmbeddedFile.

pdf-parser.py searching for JavaScript (option -s javascript) reveals that the JavaScript is in object 5:

Object 5 contains JavaScript (option -o 5 to select object 5, and option -f to decompress the stream with JavaScript):

This script (this.exportDataObject) will save the embedded file (996502.docm) to a temporary file and launch the associated application (if MS Office is installed, Word will be launched). A .docm file is a Word document with macros.

So let’s search for this embedded file:

The embedded file is stored in object 3, as a compressed stream (/FlateDecode).

So let’s decompress and extract the file with pdf-parser: option -f to filter (decompress) and option -d to dump the content. Since I expect the embedded file to be a Word document with macros, I’m going to analyze it with oledump. So in stead of writing the embedded file to disk, I’m going to extract it to stdout (-d -) and pipe it into oledump:

oledump‘s report confirms that it is a Word document with macros. I’m not going to spend much time on the analysis of the VBA code, because the intent of the code becomes clear when we extract all the strings found in the VBA code. First we select and extract all VBA code (options -s a -v) and then we pipe this into re-search to produce a list of unique strings (enclosed in double quotes) with these options: -n str -u

One of the extracted strings contains 3 URLs separated by character V. The macros will download an XOR encoded EXE file from these sites, decode it and execute it.


The first mitigation is in Adobe Reader: the embedded .docm file will not be extracted and launched without user interaction. First the user is presented a dialog box:

Only when clicking OK (the default option), will the .docm file be extracted and launched. Remark that the maldoc authors use some weak social engineering to entice the user to click OK: see in 996502.

When opened in Word, macros will be disabled:

This next mitigation is put into place by Microsoft Word: macros are detected, and by default, they are not executed. Here we see a better attempt at social engineering the user into executing the macros.

You might have expected that this document would be opened in Protected View first. After all, the PDF document was e-mailed to the victims, and Outlook will mark the PDF with a mark-of-web when it is saved to disk:

But Adobe Reader will not propagate that mark-of-web of the PDF document to the extracted Word document (at least the version I tested, version XI). Without mark-of-web, Word will open the document without Protected View.

Another simple mitigation for this type of malicious document that you can put into place but that is not enabled by default, is to disable JavaScript in Adobe Reader.

Remark that these documents do not contain exploits: they just use scripting.

Tuesday 18 April 2017


Filed under: maldoc,Malware,Vulnerabilities — Didier Stevens @ 0:00

I have an analysis of a CVE-2017-0199 maldoc with my tools here, and produced 2 videos:

In the second video, I use nixawk‘s Metasploit module for cve-2017-0199 (not yet merged into the Metasploit GitHub repository at time of writing).

Friday 16 December 2016

Hancitor Maldoc Videos

Filed under: maldoc,Malware — Didier Stevens @ 0:00

I produced 4 videos covering the process hollowing maldoc “Maldoc With Process Hollowing Shellcode“.


Wednesday 2 November 2016

Maldoc With Process Hollowing Shellcode

Filed under: maldoc,Malware — Didier Stevens @ 0:00

Last week I came across a new Hancitor maldoc sample. This sample contains encoded shellcode that starts a new (suspended) explorer.exe process, injects its own code (an embedded, encoded exe) and executes it. This process hollowing technique bypasses application whitelisting.

This maldoc uses VBA macros (no surprise) to execute its payload.


The encoded shellcode is a property in stream 17:


I used my decoder.xls method to decode the shellcode (the name of the decoding function is apocope). And then Radare2 and my script to disassemble the shellcode (32-bit and 64-bit shellcode):


The shellcode uses WIN32 API functions like CreateProcess, ZwUnmapViewOfSection, GetThreadContext, ResumeThread, … to inject code into the newly created process (explorer.exe) and execute it. This method is called process hollowing or process replacement.

The explorer.exe process is created in a suspended state, the code for explorer.exe is removed, the code for the payload is injected, the context of the thread is updated and then the thread is resumed. This method bypasses application whitelisting, as explorer.exe is a whitelisted PE-file.

The payload is an PE-file (exe) embedded and encoded in the maldoc in stream 5. STARFALL is the string that indicates the start of the payload. The PE-file is encoded with base64 with each byte XORed with 15 and then 3 subtracted. This file can be detected and extracted with my decode-search.py tool:


This executable was not yet submitted to VirusTotal, most likely because it’s never written to disk. I did submit it: cdcd2ca36ed9a2b060dd4147bc5f7706.

This exe tries to download a payload from 3 URLs:


Friday 14 October 2016

Analyzing Office Maldocs With Decoder.xls

Filed under: maldoc,Malware,My Software — Didier Stevens @ 13:27

There are Office maldocs out there with some complex payload decoding algorithms. Sometimes I don’t have the time to convert the decoding routines to Python, and then I will use the VBA interpreter in Excel. But I have to be careful not to execute the payload, just decode it. In the following video, I show how I do this.

Tools: oledump.py, decoder.xls

Sample: 2f918f49c3f926bb1538eaad6e8e6883

Friday 7 October 2016

rtfdump Videos

Filed under: maldoc,My Software — Didier Stevens @ 10:05

I produced 3 videos to show you how to use my rtfdump.py tool to analyze (malicious) RTF files.

Here is a video for sample 07884483f95ae891845caf0d50ce507f:

Here is a video for sample 4483ad299158eb54f6ff58b5346a36ee:


Next Page »

Blog at WordPress.com.