I think it's a good idea to highlight VirusTotal's Email Submission feature, as I recently had to point this out to a couple of people.

Instead of using VirusTotal's web interface or API, you can also email the file to be scanned as an attachment to [email protected] (don't exceed 32 MB), with the subject SCAN (for a plaintext report) or SCAN+XML (for an XML report).

I usually get a reply after a couple of minutes. If I don't get a reply, it usually means that my attachment was detected and blocked by the email server I'm using, and that it never reached VirusTotal.
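As an added illustration (my own code, not part of the diary), here is the submission email built with Python's standard library: it enforces the 32 MB attachment limit, sets the subject to SCAN or SCAN+XML, and attaches the sample as application/octet-stream so the mail client does not try to interpret it. The recipient address, sender and SMTP server are parameters the caller supplies (nothing is hard-coded from this page); the addresses and host used in the sample run are hypothetical.

```python
from email.message import EmailMessage

# Attachment limit for VirusTotal email submissions, as stated in the entry above.
MAX_ATTACHMENT_BYTES = 32 * 1024 * 1024


def build_scan_message(sender, recipient, filename, payload, xml_report=False):
    """Build the submission email: one attachment, subject SCAN or SCAN+XML.

    `recipient` is supplied by the caller; `sender`, `filename` and `payload`
    describe the file you want scanned.
    """
    if len(payload) > MAX_ATTACHMENT_BYTES:
        raise ValueError(
            f"{filename}: {len(payload)} bytes exceeds the 32 MB attachment limit")
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    # The subject selects the report format: plaintext (SCAN) or XML (SCAN+XML).
    msg["Subject"] = "SCAN+XML" if xml_report else "SCAN"
    msg.set_content("VirusTotal email submission, see attachment.")
    # Generic content type: the mail client must not try to interpret the sample.
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def send_scan_request(msg, smtp_host, smtp_port=587, username=None, password=None):
    """Hand the message to your outbound SMTP server (hypothetical host/credentials).

    Not called in the sample run below, because it needs a live mail server.
    """
    import smtplib
    with smtplib.SMTP(smtp_host, smtp_port) as smtp:
        smtp.starttls()
        if username:
            smtp.login(username, password)
        smtp.send_message(msg)


if __name__ == "__main__":
    # Constructed sample: a few bytes standing in for a suspicious document.
    sample = b"%PDF-1.4\n% constructed sample, not a real malicious file\n"
    m = build_scan_message("analyst@example.org", "scan-address@example.org",
                           "sample.pdf", sample, xml_report=True)
    print(m["Subject"], [a.get_filename() for a in m.iter_attachments()])
```

If no report comes back, the check described above still applies: the outbound mail server may have stripped or rejected the attachment before it ever reached VirusTotal, so look at your own server's logs or bounce messages before assuming the scan is pending.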


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

At the end of my diary entry "(Lazy) Sunday Maldoc Analysis", I wrote that there was something unusual about this document.

Let's take a look at the content of the file and compare that with the file size:

A rough estimate: the total size of the streams is about 120 kB, while the file size is around 10 MB. That's a huge difference!

In such cases, I take a look with olemap:

Here I can see that there is extra data appended to the file, starting at position 0x25400, and that it's about 10 MB in size.

Extracting the appended data and calculating some statistics gives me:

This tells me there's about 10 MB of 0x00 bytes appended.
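To make the check concrete, here is an added Python example (my own code, not Didier's olemap or oledump): it parses the compound file header and FAT, computes the end of the last allocated sector, sums the stream sizes from the directory, and summarizes whatever lies beyond the allocated extent (size, fraction of 0x00 bytes, byte entropy). The document it runs on is constructed in code: a minimal valid compound file with one 4 kB stream followed by 20 kB of zero padding, standing in for the 10 MB case above. Function and field names are my own.

```python
import math
import struct
from collections import Counter

# Sector-chain sentinels from MS-CFB; any other FAT value is a "next sector" link.
MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
DIFSECT, FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFC, 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF


def sector(data, sector_size, n):
    """Sector n starts one sector past the file start (the 512-byte header, padded for v4)."""
    off = (n + 1) * sector_size
    return data[off:off + sector_size]


def parse_cfb(data):
    """Return (sector_size, fat, entries); entries are (name, type, start_sector, size)."""
    if data[:8] != MAGIC:
        raise ValueError("not a compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    first_difat = struct.unpack_from("<I", data, 68)[0]
    per_sector = sector_size // 4
    difat = list(struct.unpack_from("<109I", data, 76))   # DIFAT entries held in the header
    sec = first_difat                                      # large files chain extra DIFAT sectors
    while sec not in (ENDOFCHAIN, FREESECT):
        block = struct.unpack(f"<{per_sector}I", sector(data, sector_size, sec))
        difat.extend(block[:-1])
        sec = block[-1]
    fat = []
    for s in difat[:num_fat]:
        if s == FREESECT:
            break
        fat.extend(struct.unpack(f"<{per_sector}I", sector(data, sector_size, s)))
    entries, sec, seen = [], first_dir, set()
    while sec != ENDOFCHAIN and sec not in seen:           # walk the directory chain
        seen.add(sec)
        block = sector(data, sector_size, sec)
        for off in range(0, sector_size, 128):
            e = block[off:off + 128]
            name_len, etype = struct.unpack_from("<HB", e, 64)
            if etype == 0:                                 # unused directory slot
                continue
            name = e[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            start, size = struct.unpack_from("<IQ", e, 116)
            if sector_size == 512:                         # v3: only the low DWORD is valid
                size &= 0xFFFFFFFF
            entries.append((name, etype, start, size))
        sec = fat[sec] if sec < len(fat) else ENDOFCHAIN
    return sector_size, fat, entries


def analyze(data):
    """Compare stream total, FAT-allocated extent and file size; describe the tail past the extent."""
    sector_size, fat, entries = parse_cfb(data)
    used = [i for i, v in enumerate(fat) if v != FREESECT]  # FAT, DIFAT, directory, stream sectors
    allocated_end = (max(used) + 2) * sector_size if used else sector_size
    stream_total = sum(size for _, t, _, size in entries if t == 2)
    appended = data[allocated_end:]
    counts, n = Counter(appended), len(appended)
    entropy = -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0
    return {"file_size": len(data), "stream_total": stream_total,
            "allocated_end": allocated_end, "appended_size": n,
            "appended_zero_fraction": counts[0] / n if n else 0.0,
            "appended_entropy": entropy}


def dir_entry(name, etype, child, start, size):
    """One 128-byte directory entry (constructed for the sample)."""
    e = bytearray(128)
    n = name.encode("utf-16-le") + b"\x00\x00"
    e[:len(n)] = n
    struct.pack_into("<HBB", e, 64, len(n), etype, 1)               # name length, type, colour
    struct.pack_into("<III", e, 68, 0xFFFFFFFF, 0xFFFFFFFF, child)  # left, right, child
    struct.pack_into("<IQ", e, 116, start, size)
    return bytes(e)


def build_sample(payload, appended):
    """Constructed minimal v3 compound file: header, FAT (sector 0), directory (sector 1),
    one stream 'Data' in sectors 2.., then `appended` bytes outside any sector chain.
    payload must be >= 4096 bytes so it belongs in regular sectors, not the mini stream."""
    ss = 512
    n_stream = -(-len(payload) // ss)
    body = payload + b"\x00" * (n_stream * ss - len(payload))
    hdr = bytearray(ss)
    hdr[0:8] = MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # minor, major=3, byte order, shifts
    # dir sector count (v3: 0), FAT count, first dir, tx sig, mini cutoff, mini FAT, count, DIFAT, count
    struct.pack_into("<9I", hdr, 40, 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    struct.pack_into("<109I", hdr, 76, 0, *([FREESECT] * 108))
    chain = list(range(3, 2 + n_stream)) + [ENDOFCHAIN]          # sector 2 -> 3 -> ... -> end
    fat = [FATSECT, ENDOFCHAIN] + chain
    fat_sec = struct.pack("<128I", *(fat + [FREESECT] * (128 - len(fat))))
    dir_sec = (dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
               + dir_entry("Data", 2, 0xFFFFFFFF, 2, len(payload)) + bytes(256))
    return bytes(hdr) + fat_sec + dir_sec + body + appended


if __name__ == "__main__":
    doc = build_sample(b"A" * 4096, b"\x00" * 20000)   # 4 kB stream, 20 kB of zero padding
    for k, v in analyze(doc).items():
        print(f"{k}: {v}")
```

The point of the comparison is that FAT-driven parsers (and the applications that open the document) never look past the last allocated sector, so a large tail is invisible unless you check file size against the allocated extent. The statistics only describe the tail; as the entry says, they do not tell you who appended it or why.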

Was this done by the malware authors? Or did it happen later, during transmission or storage?

I don't know.

Maybe it was done to bypass scanning, for example when there is a size limit for files to be scanned. Just speculating ...

Please post a comment if you have an idea.
