I was asked for help with the analysis of sample 7c9505f2c041ba588bed854258344c43. It turns out this malicious Word document has some anti-analysis tricks (an older diary entry covers other anti-analysis tricks).

Here is the analysis with oledump.py:

Stream 8 contains VBA code. Searching for the string "object" in the code, we find calls to CreateObject:

Notice the second call to CreateObject. The argument is a function call (a) whose arguments look like an encoded string and 2 numbers. Function a must be the decoding function. This time, instead of spending time trying to understand how the decode function works and translating it to Python, I

As you can see, I get an error because function lybAmIJ is not defined. This is to be expected. By just copying function a, I

This probably means that I

MsgBox is great for displaying the decoded string, but you cannot copy the string. And it

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.