Not very obfuscated malware code / 2016-09-29 - Koos van den Hout

In the incoming spam I noticed some unsolicited attachments, always a sign of danger. In this case they were Excel files (application/), so I checked those with olevba, part of the oletools package.

And indeed there was macro code set to run at startup, and olevba gave multiple warnings about suspicious behaviour, such as the use of "command", which can run PowerShell commands.

Having a look at the code showed very clearly that the macro was up to no good! I am used to quite interesting attempts at obfuscating macro code, so it was funny to see this bit in the olevba output:
Call Shell("rund" & "ll32.exe " & firmaVENIKOVNETUUUKA & ",qwerty", vbHide)
The URL from which the malware is downloaded was also quite readable in the macro.
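As an added illustration, not code from this post or from oletools: a small Python check that collapses VBA string concatenation before looking for suspicious keywords, so that "rund" & "ll32.exe " is recognised as rundll32.exe. The macro text, the keyword list and the placeholder file name are constructed for the example; only the Shell line and its variable name come from the post.

```python
import re

# A VBA string literal; inside a literal, "" is an escaped double quote.
_STR = r'"(?:[^"]|"")*"'
# Two or more literals joined with the VBA concatenation operator "&".
_CONCAT = re.compile(rf'{_STR}(?:\s*&\s*{_STR})+')

# Small constructed keyword list (olevba ships a much larger one).
SUSPICIOUS = ("shell", "rundll32", "powershell", "wscript", "cmd.exe", "-command")

# Constructed macro source; the Shell line is the one shown in the post,
# the variable's value is a placeholder, not the real download path.
SAMPLE_MACRO = '''Sub Auto_Open()
    Dim firmaVENIKOVNETUUUKA As String
    firmaVENIKOVNETUUUKA = "placeholder.dll"
    Call Shell("rund" & "ll32.exe " & firmaVENIKOVNETUUUKA & ",qwerty", vbHide)
End Sub
'''


def _unquote(lit: str) -> str:
    """Drop the surrounding quotes of a VBA literal and unescape "" to "."""
    return lit[1:-1].replace('""', '"')


def collapse_concat(line: str) -> str:
    """Join adjacent literals: "rund" & "ll32.exe " becomes "rundll32.exe "."""
    def join(m: re.Match) -> str:
        parts = re.findall(_STR, m.group(0))
        text = "".join(_unquote(p) for p in parts)
        return '"' + text.replace('"', '""') + '"'
    return _CONCAT.sub(join, line)


def find_suspicious(vba_source: str) -> list:
    """Return (line number, deobfuscated line, matched keywords) per hit."""
    hits = []
    for n, raw in enumerate(vba_source.splitlines(), 1):
        line = collapse_concat(raw).strip()
        found = [k for k in SUSPICIOUS if k in line.lower()]
        if found:
            hits.append((n, line, found))
    return hits


if __name__ == "__main__":
    for n, line, found in find_suspicious(SAMPLE_MACRO):
        print(f"line {n}: {found}: {line}")
```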
