[SANS ISC] Strings Analysis: VBA & Excel4 Maldoc, (Sat, Sep 25th)

Malware analysis is difficult.

But there is one method that everybody can follow, even without command-line skills: strings analysis.

This method consists of running a tool on a binary file, like a maldoc, to extract all plaintext strings. There are command-line tools to do this, and even GUI tools.

Of course, there are many ways to make strings analysis impossible, by making the plaintext strings unreadable. Simple file compression is an example.

Xavier’s diary entry “Excel Recipe: Some VBA Code with a Touch of Excel4 Macro” malicious document uses a sophisticated method: it combines VBA and Excel 4 macros to download Qakbot. Despite this complexity, strings analysis can be performed on this maldoc to find the URLs.

I found a similar maldoc on VirusTotal (it’s also on Malware Bazaar).

For this diary entry, I will analyze this maldoc with CyberChef:

First step: I add the maldoc as input:

Second step: I search for the strings operation:

Third step: I add the strings operation to the recipe:

If I browse through the output, I will find the URLs. But I want to automate that too.

Fourth step: I search for the regex operation:

Last step: I add the regex operation to the recipe, and configure it to use the buildtin URL regex and output matches only:

Now, these URLs are actually incomplete. The maldoc’s script will add a path to these URLs that is a timestamp terminated with “.dat”.

But despite that, the IPv4 addresses we found here, are good IOCs to get started.


Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: Read More (SANS Internet Storm Center, InfoCON: green)

You might be interested in …

[SecurityWeek] U.S. Government Issues Urgent Warning on BlackMatter Ransomware

All posts, Security Week

The Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and the National Security Agency (NSA) this week published a joint advisory to warn organizations of an increased threat posed by the BlackMatter ransomware gang. read more Source: Read More (SecurityWeek RSS Feed)

Read More

[HackerNews] RedCurl Corporate Espionage Hackers Return With Updated Hacking Tools

All posts, HackerNews

A corporate cyber-espionage hacker group has resurfaced after a seven-month hiatus with new intrusions targeting four companies this year, including one of the largest wholesale stores in Russia, while simultaneously making tactical improvements to its toolset in an attempt to thwart analysis. “In every attack, the threat actor demonstrates extensive red teaming skills and the […]

Read More

[NCSC-FI News] Hakkerikollektiivi julistaa ”kyber­sodan” Venäjää vastaan

HAKKERIKOLLEKTIIVI Anonymous kertoo Twitterissä aloittaneensa ”kybersodan” Venäjää vastaan. Kampanjansa ensimmäisenä askeleena salamyhkäinen joukkio väittää kaataneensa Kremlin ja Venäjän puolustusministeriön verkkosivut sekä Venäjän valtion hallitseman RT-uutissivuston Sivustot olivat faktisesti lyhyen ajan alhaalla perjantaina, mutta mitään suoranaisia todisteita omasta osallisuudestaan hakkerikollektiivia usein edustava YourAnonOne-tili ei tarjonnut. Väitettyjen iskujensa syyksi hakkerit kertovat Ukrainan tukemisen Source: Read More (NCSC-FI […]

Read More

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.