|
An anonymous reader submitted a malicious document after Brad posted his diary entry "One Emotet infection leads to three follow-up malware infections". This sample (MD5 dfff3a02e6e6a4d079c12f83dcc2f7a5) is a malicious Word document with VBA macros to launch a powershell command. The command is "DOSfuscated", and when I analyzed it by extracting strings and contatenating them, I encountered a small problem. In this video, you can see how I did the complete analysis:
Didier Stevens |
DidierStevens 649 Posts ISC Handler Sep 30th 2018 |
| Thread locked Subscribe |
Sep 30th 2018 3 years ago |
|
Thank you Didier, great work, i´m learning a lot
|
Netmanzim 69 Posts |
| Quote |
Oct 1st 2018 3 years ago |
|
Very neat post. I did some similar de-obfuscation recently: https://0xdf.gitlab.io/2018/09/15/malware-analysis-bmw_of_sterlindoc.html
|
Anonymous |
| Quote |
Oct 1st 2018 3 years ago |
Sign Up for Free or Log In to start participating in the conversation!
https://www.sans.edu
