
Malicious XML: Matryoshka Edition


A couple of days ago I received another malicious document (078409755.doc B28EF236D901A96CFEFF9A70562C9155). Unlike the XML file I wrote about before, this one does not contain VBA macros:

[Screenshot 20150329-114936 (image not included)]

But as you can see, it should contain an embedded object. The base64 code found inside the XML object decodes to an OLE file. The single stream present in this OLE file contains ZLIB compressed data (identifiable by its first byte, 0x78, the usual zlib header byte). Decompressing this ZLIB stream reveals another OLE file, which in turn contains an embedded OLE object that turns out to be a VBS script:

[Screenshot 20150326-203953 (image not included)]

And the base64 string in this VBS script is a PowerShell command:

[Screenshot 20150326-204225 (image not included)]
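As an added example (not code from the original post), here is a small Python triage script that peels the layers described above one by one: the base64 in the XML, the ZLIB stream inside the OLE file, the second OLE file, and the base64 string that turns out to be the PowerShell command. It does not parse the OLE directory (olefile would do that on a real sample); it carves zlib streams by their RFC 1950 header instead, and the nested sample it builds is constructed, with fake OLE headers around a harmless command.

```python
import base64
import re
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"     # compound-file signature
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")  # long base64 runs only

def kind(b):
    return ("OLE" if b.startswith(OLE_MAGIC) else "XML" if b.lstrip().startswith(b"<")
            else "UTF-16" if b"\x00" in b else "text")

def carve_zlib(data):
    """Carve the first complete zlib stream from raw bytes (RFC 1950 header check, no OLE directory walk)."""
    for off in range(len(data) - 1):
        b0, b1 = data[off], data[off + 1]
        if b0 != 0x78 or ((b0 << 8) | b1) % 31:   # CMF 0x78 and CMF*256+FLG divisible by 31
            continue
        d = zlib.decompressobj()
        try:
            out = d.decompress(data[off:])
        except zlib.error:          # false-positive header, keep scanning
            continue
        if out and d.eof:
            return out
    return None

def peel(data):
    """Unwrap one layer: a zlib stream inside an OLE file, else the longest base64 run."""
    if data.startswith(OLE_MAGIC) and (inner := carve_zlib(data)) is not None:
        return inner
    runs = B64_RUN.findall(data)
    try:
        return base64.b64decode(max(runs, key=len)) if runs else None
    except ValueError:              # malformed base64 run: nothing more to peel
        return None

def unwrap(data, max_depth=8):
    """Return [(kind, bytes), ...] from the outer document down to the innermost layer."""
    layers = [(kind(data), data)]
    while len(layers) < max_depth and (inner := peel(layers[-1][1])) is not None:
        layers.append((kind(inner), inner))
    return layers

def innermost_text(data):
    blob = unwrap(data)[-1][1]      # PowerShell -EncodedCommand strings are UTF-16LE
    return blob.decode("utf-16-le" if b"\x00" in blob else "utf-8", errors="replace")

def build_sample():
    """Constructed stand-in for the document: fake OLE headers wrapped around a harmless command."""
    ps = "Write-Output 'matryoshka'".encode("utf-16-le")
    vbs = b'Dim cmd\r\ncmd = "' + base64.b64encode(ps) + b'"\r\n'
    inner_ole = OLE_MAGIC + bytes(16) + vbs                       # OLE holding the VBS object
    outer_ole = OLE_MAGIC + bytes(16) + zlib.compress(inner_ole)  # OLE whose stream is zlib data
    return b'<?xml version="1.0"?><pkg:binaryData>' + base64.b64encode(outer_ole) + b"</pkg:binaryData>"
```

Running `unwrap(build_sample())` lists the four layers (XML, OLE, OLE, UTF-16 text) and `innermost_text` returns the decoded command.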
