At the end of my diary entry "(Lazy) Sunday Maldoc Analysis", I wrote that there was something unusual about this document. Let's take a look at the content of the file and compare that with the file size:

A rough estimate: the total size of the streams is 120 kB, while the file size is around 10 MB. That's a huge difference! In such cases, I take a look with olemap:

Here I can see that there is extra data appended to the file (position 0x25400), and it's about 10 MB in size. Extracting the appended data and calculating some statistics gives me:

This tells me there's about 10 MB of 0x00 bytes appended. Was this done by the malware authors? Or did it happen later, during transmission or storage? I don't know. Maybe it was done to bypass scanning, for example when there is a size limit for files to be scanned. Just speculating ... Please post a comment if you have an idea.
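The check olemap performs here, written out as an added Python example (this is not Didier's code and not part of olemap or oledump): it parses the compound file header, follows the DIFAT and FAT to find the highest allocated sector, computes the offset where the OLE structure ends, and reports byte statistics for whatever follows (size, null-byte ratio, Shannon entropy, most common byte values). The document it analyses by default is constructed inline, a minimal three-sector compound file with 10,000 null bytes appended, so the numbers it prints are not those of the diary's sample; pass a real file path as the first argument to run it against an actual document.

```python
import math
import struct
import sys
from collections import Counter

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT = 0xFFFFFFFF    # FAT entry: sector is unallocated
ENDOFCHAIN = 0xFFFFFFFE  # FAT entry: last sector of a chain
FATSECT = 0xFFFFFFFD     # FAT entry: sector holds FAT entries itself
HEADER_DIFAT_ENTRIES = 109


def ole_logical_size(data):
    """Return the offset at which the compound file's sector structure ends.

    Every sector with a FAT entry other than FREESECT belongs to the document;
    whatever lies after the last such sector is not part of the OLE file.
    """
    if data[:8] != OLE_MAGIC:
        raise ValueError("not a compound file (bad magic)")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat_sectors = struct.unpack_from("<I", data, 44)[0]
    first_difat, num_difat = struct.unpack_from("<II", data, 68)
    difat = list(struct.unpack_from("<%dI" % HEADER_DIFAT_ENTRIES, data, 76))
    per_sector = sector_size // 4

    # Large files keep further FAT sector numbers in a chain of DIFAT sectors;
    # the last entry of each DIFAT sector is the number of the next one.
    sect = first_difat
    for _ in range(num_difat):
        entries = struct.unpack_from("<%dI" % per_sector, data, (sect + 1) * sector_size)
        difat.extend(entries[:-1])
        sect = entries[-1]

    highest = -1
    for fat_index, fat_sect in enumerate(difat[:num_fat_sectors]):
        fat = struct.unpack_from("<%dI" % per_sector, data, (fat_sect + 1) * sector_size)
        for j, entry in enumerate(fat):
            if entry != FREESECT:
                highest = fat_index * per_sector + j
    # Sector n starts at (n + 1) * sector_size, so the last used sector ends here.
    return (highest + 2) * sector_size


def tail_stats(tail):
    """Byte statistics of the appended data: size, share of 0x00, entropy."""
    counts = Counter(tail)
    n = len(tail)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    return {
        "size": n,
        "null_ratio": counts.get(0, 0) / n if n else 0.0,
        "entropy": entropy,
        "most_common": counts.most_common(3),
    }


def analyze(data):
    """Compare the OLE structure's size with the file size and describe the tail."""
    ole_end = ole_logical_size(data)
    tail = data[ole_end:]
    result = {"file_size": len(data), "ole_size": ole_end,
              "appended_at": hex(ole_end) if tail else None}
    result.update(tail_stats(tail))
    return result


def build_sample_ole(appended):
    """Constructed sample: 512-byte header, one FAT sector, one directory sector,
    one stream sector, then `appended` glued on after the last sector."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<H", hdr, 24, 0x3E)         # minor version
    struct.pack_into("<H", hdr, 26, 3)            # major version 3: 512-byte sectors
    struct.pack_into("<H", hdr, 28, 0xFFFE)       # byte order mark
    struct.pack_into("<H", hdr, 30, 9)            # sector shift (2**9)
    struct.pack_into("<H", hdr, 32, 6)            # mini sector shift
    struct.pack_into("<I", hdr, 44, 1)            # one FAT sector
    struct.pack_into("<I", hdr, 48, 1)            # directory starts at sector 1
    struct.pack_into("<I", hdr, 56, 4096)         # mini stream cutoff
    struct.pack_into("<I", hdr, 60, ENDOFCHAIN)   # no mini FAT
    struct.pack_into("<I", hdr, 68, ENDOFCHAIN)   # no DIFAT sectors
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))  # FAT is sector 0
    # FAT: sector 0 = FAT itself, sector 1 = directory, sector 2 = a stream
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, ENDOFCHAIN, *([FREESECT] * 125))
    directory = bytes(512)
    stream = b"constructed stream content".ljust(512, b"\x00")
    return bytes(hdr) + fat + directory + stream + appended


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        blob = build_sample_ole(b"\x00" * 10000)
    for key, value in analyze(blob).items():
        print("%-12s %s" % (key, value))
```

On the constructed sample the OLE structure ends at 0x800 and the tail is 10,000 bytes with a null ratio of 1.0 and entropy 0.0, the same signature the diary describes (a long run of 0x00 after the last sector). A tail with high entropy would instead suggest an embedded or encrypted payload and merit closer inspection.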
Didier Stevens, ISC Handler, Dec 14th 2019