Comments on Windows Incident Response: What It Looks Like: Disassembling A Malicious Document
(comment feed retrieved 2024-03-19; 6 comments, newest first)

H. Carvey, 2015-01-08 11:56 (-05:00):

Thanks, Stacey,

Hopefully, this will show others how they can easily move beyond assumption and "...we think this is what happened..." to actually nailing things down a bit.

Stacey Randolph, 2015-01-08 11:49 (-05:00):

Very informative post. I have not previously deconstructed a file like this. Thank you for explaining your process.

Harry McLaren, 2015-01-07 11:33 (-05:00):

I would use Writer (OpenOffice).

Editing macros is easy and gives you a quick look into the code behind the file.

H. Carvey, 2015-01-06 17:07 (-05:00):

Anonymous,

No, I hadn't, but thanks for the pointer. I did try it out...the only thing I didn't like is that I had downloaded the application and when I ran it, the vbaProject.bin file was placed in another folder on another drive. The malicious file was on the D:\ drive, and when I ran officemalscanner, the vbaProject.bin file was copied to the C:\Users\user\AppData\Local\Temp\DecompressedMsOfficeDocument\ folder. When I then ran the tool against that vbaProject.bin, the macro was dumped to the folder on the D:\ drive.

H. Carvey, 2015-01-06 16:26 (-05:00):

I don't want to keep posting addendums, so I'll just add this link here:

https://twitter.com/DidierStevens/status/552570723995488257

Oledump.py by itself didn't work the first time or two...but it did after Didier's tweet.

Anonymous, 2015-01-06 16:25 (-05:00):

OfficeMalScanner extracts macros pretty well, did you give it a shot?