Last Updated: 2019-12-14 20:08:12 UTC
by Didier Stevens (Version: 1)
At the end of my diary entry "(Lazy) Sunday Maldoc Analysis", I wrote that there was something unusal about this document.
Let's take a look at the content of the file and compare that with the file size:
A rough estimate: the total size of the streams is 120 kB. While the file size is around 10 MB. That's a huge difference!
In such cases, I take a look with olemap:
Here I can see that there is extra data appended to the file (position 0x25400) and it's about 10 MB in size.
Extracting the appended data and calculating some statistics gives me:
This tells me there's about 10 MB of 0x00 bytes appended.
Was this done by the malware authors? Or did it happen later, during transmission or storage?
I don't know.
Maybe it was done to bypass scanning, for example when there is a size-limit for files to be scanned. Just speculating ...
Please post a comment if you have an idea.