Threat Level: green Handler on Duty: Bojan Zdrnja

SANS ISC: InfoSec Handlers Diary Blog - Remember ACE files? InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Remember ACE files?

Published: 2017-10-29
Last Updated: 2017-10-29 17:34:15 UTC
by Didier Stevens (Version: 1)
0 comment(s)

A reader submitted a malicious attachment:

We can see that this is an ACE file. I remember ACE files, it's an archive format that back in the days (2000) yielded higher compression ratios than RAR.

I found a Python library/tool to decompress ACE files: acefile.py. Looking in the source code, I notice it could read from stdin, and that I should be able to pipe the output of oledump into acefile. Unfortunately, this generated an error, and I had to extract the file to disk:

This .bat file is actually an executable:

Sample 3e58ec4fe08d93dd6ec20c7553519d47 was compiled with Visual Basic 6.0.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

Keywords: ace malware
0 comment(s)
Diary Archives