Numeric obfuscation: another example

I favor static analysis, because I want to understand, step by step, what a malicious script is doing. But I will often also perform dynamic analysis of the same sample, to build a complete picture.

A Twitter follower asked about a more complex example of numeric obfuscation in malicious scripts. It's an arms race: obfuscation can become so complex that you don't have enough time to perform static analysis. Dynamic analysis (or emulation) is the alternative.

The example from our Twitter follower, however, is not too complex for static analysis plus emulation: I will extract the algebraic expressions, and since they are identical in VBA and Python, I will evaluate them in Python.

As can be observed, does not yield the desired result in this example:

First with and regular expression \d+.\d+ I extract all expressions composed of two numbers and an operator:

Then I pass this on to, to evaluate these algebraic expressions in Python (using Python expression eval(line)):

And then I can use, but with option -n 1, because this tool looks for lines with 3 numbers at least (by default):

Finally, each line (i.e. each character) is joined into a single line with
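The same four steps (extract two-operand expressions, evaluate them, convert each result to a character, join) carried out in one script, as an added example rather than the diary's own commands or Didier's tools. The VBA fragment SAMPLE_VBA is constructed for this illustration, and safe_eval is an assumed replacement for the eval(line) mentioned above: it walks the expression's AST and permits only integer arithmetic, so running it over untrusted script content cannot execute anything else.

```python
import ast
import operator
import re

# Constructed sample (not the diary's sample): a VBA fragment that builds a
# string from arithmetic expressions, in the style of numeric obfuscation.
SAMPLE_VBA = r'''
Dim s As String
s = Chr(60 + 44) & Chr(200 - 99) & Chr(12 * 9) & Chr(216 / 2) & Chr(222 - 111)
s = s & Chr(4 * 8) & Chr(100 + 19) & Chr(37 * 3) & Chr(120 - 6)
s = s & Chr(54 * 2) & Chr(90 + 10)
'''

# Same idea as the \d+.\d+ search above, but with an explicit operator class
# so that two numbers separated by something else are not paired up.
EXPR_RE = re.compile(r'\d+\s*[-+*/]\s*\d+')

# Operators the evaluator accepts; anything else is rejected.
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Div: operator.truediv}

def safe_eval(expr):
    """Evaluate a string of integers and + - * / only; never calls eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError('unsupported syntax in %r' % expr)
    # VBA's / yields a float; the Chr() argument is truncated to an integer.
    return int(walk(ast.parse(expr, mode='eval')))

def extract_expressions(text):
    """Step 1: every 'number operator number' expression, in source order."""
    return EXPR_RE.findall(text)

def evaluate_expressions(exprs):
    """Step 2: one integer per expression."""
    return [safe_eval(e) for e in exprs]

def numbers_to_string(values):
    """Steps 3 and 4: each integer becomes a character, joined into one line."""
    return ''.join(chr(v) for v in values)

def deobfuscate(text):
    return numbers_to_string(evaluate_expressions(extract_expressions(text)))

if __name__ == '__main__':
    exprs = extract_expressions(SAMPLE_VBA)
    values = evaluate_expressions(exprs)
    for e, v in zip(exprs, values):
        print('%-10s -> %3d -> %r' % (e, v, chr(v)))
    print('decoded:', deobfuscate(SAMPLE_VBA))
```

Running the script prints one line per expression, showing the intermediate number and character, and then the decoded string; the per-expression listing is what you want to keep in your notes when documenting why a sample was classified as malicious.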


Didier Stevens
Senior handler
Microsoft MVP


ISC Handler
Aug 6th 2018
