Maldoc Analysis with ViperMonkey, (Thu, Aug 10th)

We received another Emotet maldoc, but this time the analysis with VBA emulator ViperMonkey will have to be done differently.

ViperMonkey is still under development, and for this maldoc, it does not manage to execute the code that reveals the base64 payload. But when we use ViperMonkeys option -a to use an alternate parser, we can extract the base64 payload.

The maldoc was delivered inside a password protected ZIP file.

This time, I made a video of the static analysis process:

Didier Stevens
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

No comments yet.

Leave a Reply

Please leave these two fields as-is:

Protected by Invisible Defender. Showed 403 to 822,742 bad guys.