When DOSfuscation Helps... - SANS Internet Storm Center

An anonymous reader submitted a malicious document after Brad posted his diary entry "One Emotet infection leads to three follow-up malware infections".

This sample (MD5 dfff3a02e6e6a4d079c12f83dcc2f7a5) is a malicious Word document with VBA macros that launch a PowerShell command.

The command is "DOSfuscated", and when I analyzed it by extracting strings and concatenating them, I encountered a small problem.
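
The extract-and-concatenate approach mentioned above, as an added example (not the diary's code or the tooling used in the video): it pulls string literals out of VBA source, joins them, and undoes cmd.exe caret escaping, one common DOSfuscation layer. The macro below is a constructed, benign sample, and the assumption that carets are the obfuscation layer is mine, not something stated about the submitted document.

```python
import re

# A VBA string literal: double-quoted, with "" as an escaped quote.
VBA_STRING = re.compile(r'"((?:[^"]|"")*)"')

def vba_strings(source):
    """Return the string literals in VBA source, in order, skipping comments."""
    found = []
    for line in source.splitlines():
        pos = 0
        while pos < len(line):
            if line[pos] == "'":        # apostrophe outside a string starts a comment
                break
            m = VBA_STRING.match(line, pos)
            if m:
                found.append(m.group(1).replace('""', '"'))
                pos = m.end()
            else:
                pos += 1
    return found

def strip_carets(command):
    """Undo cmd.exe caret escaping: outside double quotes, ^x means x."""
    out, in_quotes, i = [], False, 0
    while i < len(command):
        ch = command[i]
        if ch == '"':
            in_quotes = not in_quotes   # carets inside quotes are literal
        elif ch == "^" and not in_quotes and i + 1 < len(command):
            i += 1                      # drop the caret, keep the escaped character
            ch = command[i]
        out.append(ch)
        i += 1
    return "".join(out)

def deobfuscate(source):
    """Concatenate all string literals, then remove the caret layer."""
    return strip_carets("".join(vba_strings(source)))

# Constructed sample macro (benign): the command is split over two literals.
SAMPLE_VBA = '''
Sub AutoOpen()
    ' "decoy" text inside a comment is ignored
    a = "c^m^d /c e^c"
    b = "ho ""a^b"" d^o^n^e"
    Shell a + b, 0
End Sub
'''

if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBA))
```

Blind concatenation also joins literals that are not part of the command, so the result should be read against the macro's control flow before it is trusted.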

In this video, you can see how I did the complete analysis:


Didier Stevens
Senior handler
Microsoft MVP


Sep 30th 2018
Thank you Didier, great work, I'm learning a lot

Very neat post. I did some similar de-obfuscation recently:
