Concerned About Your Business Cyber Security?

(877) 321--7374

Maldoc Submitted and Analyzed, (Sat, Jul 29th)

Reader Jason submitted a malicious document he received via email. Although it contains VBA code with string obfuscation that is not too complex, it has a very low VirusTotal detection score.

Let width:867px” />

The for loop and the Chr$, Asc and Mid functions are clear indications that function sierra is a decoding function.

Let width:867px” />

And here we see a call to function sierra with 2 long strings which is executed when the document is closed. One string looks like encoded text, and the second string is a chain of digits. The decoding is actually simple. From each character in the first string, we substract the digit in the second string: f – 3 = c, n – 1 = m, g – 3 = d, … That spells out as cmd…

It width:867px” />

The payload uses command waitfor /t 3 hUZM width:867px” />

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Ready For ASuperheroI.T. Solution?

Real Time Web Analytics