Maldoc With Decoy BASE64, (Fri, Sep 9th)

64-bit lookahead carry unit
64-bit lookahead carry unit

There is also a video for this analysis: “Maldoc Analysis: Rehearsed vs. Unrehearsed“.

I analysed this maldoc. It contains an old exploit for the equation editor. Nothing special. And it’s easy to analyze.

But there is one more thing: it contains a very long BASE64 string, 800,000+ characters, and it turns out to be a decoy.

The analysis doesn’t take long, with and the shellcode emulator scdbg.exe:

The stream with the shellcode is large (almost 1MB). And it contains a very long BASE64 string:

The decoded data has a very high entropy: 7.98… That’s like random data.

To determine if the BASE64 string is part of the exploit or not, I did remove it and emulated the payload again.

So I cut out the first 0x6E0 bytes of the stream, e.g., without that BASE64 string, and I run the shellcode emulator on it:

I achieve exactly the same result: that BASE64 string is not necessary for the shellcode execution.

And it’s not likely to be necessary for the downloaded EXE, as that is executed inside a new process, and the Excel process is killed at the end of the shellcode.

Didier Stevens
Senior handler
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Alex Post