SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-05-15

Another Maldoc? I'm Afraid So...

Published: 2015-05-15
Last Updated: 2015-05-15 09:35:25 UTC
by Didier Stevens (Version: 1)

Guess what? Yep, there's yet another type of malicious document going around. Like last time, it's a MIME file with an MSO file containing an OLE file.

The sample (schro_193B11.xls 7F8C5E8B7157B04FA8E9CEEF13C28AB9) is an Excel spreadsheet saved as a MIME file:

But this time, the compressed data is at another position inside the MSO file:

So I updated my oledump tool (V0.0.16) to search for the compressed data inside MSO files, instead of looking at fixed offset 50.
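As an added example (my own illustration here, not the oledump code itself), this Python sketch performs the same kind of search: base64-decode the MSO part of the MIME file, try every zlib header in it, and keep the stream that inflates to an OLE file, wherever it sits. The "ActiveMime" prefix, the offset 72, the padding and the attachment name in the constructed sample are assumptions made up for this example.

```python
import zlib
from email import message_from_bytes, policy
from email.message import EmailMessage

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file (OLE) signature
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")  # common CMF/FLG pairs


def find_compressed_ole(mso_data):
    """Try every zlib header in the MSO blob and return (offset, ole_bytes) for the
    first stream that inflates to an OLE file, wherever it sits, or None."""
    for offset in range(len(mso_data) - 1):
        if mso_data[offset:offset + 2] not in ZLIB_HEADERS:
            continue
        inflater = zlib.decompressobj()
        try:
            candidate = inflater.decompress(mso_data[offset:])
        except zlib.error:
            continue  # false-positive header byte pair, keep scanning
        if inflater.eof and candidate.startswith(OLE_MAGIC):
            return offset, candidate
    return None


def extract_ole_from_mime(mime_bytes):
    """Walk the MIME parts, base64-decode each one and look for the OLE file."""
    msg = message_from_bytes(mime_bytes, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        found = find_compressed_ole(part.get_payload(decode=True) or b"")
        if found:
            return found
    return None


def build_sample():
    """Constructed stand-in for a maldoc: a stub OLE header, zlib-compressed and
    placed at offset 72 (not 50) of a fake MSO part, attached to a MIME message.
    The 'ActiveMime' prefix, padding and file name are made up for this example."""
    ole = OLE_MAGIC + b"\x00" * 504
    mso = b"ActiveMime" + b"\x00" * 62 + zlib.compress(ole)
    msg = EmailMessage()
    msg.set_content("constructed sample, not real malware")
    msg.add_attachment(mso, maintype="application", subtype="x-mso",
                       filename="editdata.mso")
    return msg.as_bytes()


if __name__ == "__main__":
    offset, ole = extract_ole_from_mime(build_sample())
    print(f"OLE data found at MSO offset {offset}, {len(ole)} bytes")
```

Once the OLE bytes are recovered they can be handed to an OLE parser such as oledump to list the VBA streams.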

The string encoding used in the VBA code is interesting. It is reminiscent of RC4:

I also updated my oledump plugin plugin_dridex to handle this encoding:

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: Excel maldoc MIME MSO OLE