Forensic Blogs

An aggregator for digital forensics blogs

January 8, 2015 by Didier Stevens

Didier Stevens Suite

I bundled most of my software in a ZIP file. In all modesty, I call it Didier Stevens Suite.


Read the original at: Didier StevensFiled Under: Digital Forensics Tagged With: My Software

December 24, 2014 by Didier Stevens

Update: oledump.py Version 0.0.5

A quick bugfix and a new feature.

oledump will now correctly handle OLE files with an empty storage. Here is an example with a malicious sample that blog readers reported to me:

20141224-185748

And when the OLE file contains a stream with VBA code, but this code is just a set of Attribute statements and nothing else, then the indicator will be a lowercase letter m instead of an uppercase letter M.

20141224-190354

This way, you can quickly identify interesting VBA streams to analyze.

oledump_V0_0_5.zip (https)
MD5: A712DCF508C2A0184F751B74FE7F513D
SHA256: E9106A87386CF8512467FDD8BB8B280210F6A52FCBACEEECB405425EFE5532D9


Read the original at: Didier StevensFiled Under: Uncategorized Tagged With: Malware, My Software, Update

December 22, 2014 by Didier Stevens

oledump: Extracting Embedded EXE From DOC

RECHNUNG_vom_18122014.doc (6a574342b3e4e44ae624f7606bd60efa) is a malicious Word document with VBA macros that extract and launch an embedded EXE.

This is nothing new, but I want to show you how you can analyze this document with oledump.py. I also have a video on my video blog.

First we have a look at the streams (I put the Word document inside a password (= infected) protected ZIP file to avoid AV interference, oledump can handle such files):

20141221-131242

Stream 7 contains VBA macros, let’s have a look:

20141221-131457

Subroutine v45 is automatically executed when the document is opened. It creates a temporary file, searches for string “1234” inside the text of the Word document (ActiveDocument.Range.Text), writes the encoded bytes following it to disk, and then executes it.

If you take a look at the content of the Word document (stream 14), you’ll see this:

20141221-131551

Following string “1234” you’ll see &H4d&H5a&h90…

&Hxx is the hexadecimal notation for a byte in VBA. It can be converted with function cbyte. We can also convert this sequence of hexadecimally encoded bytes using a decoder specially written for this. The decoder (written in Python) searchers for strings &Hxx with a regular expression, converts the xx hex values to characters and concatenates them into a string, which is returned to oledump.

#!/usr/bin/env python __description__ = '&H decoder for oledump.py' __author__ = 'Didier Stevens' __version__ = '0.0.1' __date__ = '2014/12/19' """ Source code put in public domain by Didier Stevens, no Copyright https://DidierStevens.com Use at your own risk History:   2014/12/19: start Todo: """ import re class cAmpersandHexDecoder(cDecoderParent):     name = '&H decoder'     def __init__(self, stream, options):         self.stream = stream         self.options = options         self.done = False     def Available(self):         return not self.done     def Decode(self):         decoded = ''.join([chr(int(s[2:], 16)) for s in re.compile('&H[0-9a-f]{2}', re.IGNORECASE).findall(self.stream)])         self.name = '&H decoder'         self.done = True         return decoded     def Name(self):         return self.name AddDecoder(cAmpersandHexDecoder)

This decoder allows us to analyze the embedded file with the following command: oledump.py -s 14 -D decoder_ah.py RECHNUNG_vom_18122014.doc.zip

20141221-131712

From the MZ and PE headers, you can identify it as a PE file. We can check this with pecheck like this:

oledump.py -s 14 -D decoder_ah.py -d RECHNUNG_vom_18122014.doc.zip | pecheck.py

20141221-131759

20141221-131833
oledump_V0_0_4.zip (https)
MD5: 8AD542ED672E45C45222E0A934033852
SHA256: F7B8E094F5A5B31280E0CDF11E394803A6DD932A74EDD3F2FF5EC6DF99CBA6EF


Read the original at: Didier StevensFiled Under: Uncategorized Tagged With: Malware, My Software

  • « Previous Page
  • 1
  • …
  • 144
  • 145
  • 146
  • 147
  • 148
  • Next Page »

About

This site aggregates posts from various digital forensics blogs. Feel free to take a look around, and make sure to visit the original sites.

  • Contact
  • Aggregated Sites

Suggest a Site

Know of a site we should add? Enter it below

Sending

Jump to Category

All content is copyright the respective author(s)