Last Updated: 2017-08-10 21:07:38 UTC
by Didier Stevens (Version: 1)
ViperMonkey is still under development, and for this maldoc it does not manage to execute the code that reveals the base64 payload. But when we run ViperMonkey with its -a option, which switches to an alternate parser, we can extract the base64 payload.
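When emulation fails, a quick fallback for triage is to pull the string literals out of the VBA source, join the pieces that the macro concatenates, and look for runs that decode cleanly as base64. The snippet below is an added example written for this diary entry; it is not Didier Stevens' code and not part of ViperMonkey. The VBA text it scans is a constructed, harmless sample, and the join_literals/find_base64_payloads names are my own.

```python
import base64
import re

# Constructed sample: a VBA-like macro that assembles a base64 string from
# several concatenated literals, a common maldoc pattern. The decoded
# payload is plain text, chosen so the example can be run safely.
SAMPLE_PAYLOAD = b"echo constructed-sample-payload"
_B64 = base64.b64encode(SAMPLE_PAYLOAD).decode()
SAMPLE_VBA = (
    'Sub AutoOpen()\n'
    '    Dim s As String\n'
    '    s = "' + _B64[:10] + '" & "' + _B64[10:25] + '"\n'
    '    s = s & "' + _B64[25:] + '"\n'
    '    Call Run(s)\n'
    'End Sub\n'
)

STRING_LITERAL = re.compile(r'"([^"]*)"')
# A run of base64 alphabet characters with optional '=' padding.
B64_RUN = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def join_literals(vba_text):
    """Concatenate every double-quoted literal in source order.

    This undoes the simple "..." & "..." chunking used to hide a payload
    from naive string searches. It does not handle Chr()/StrReverse
    style obfuscation; that is what an emulator such as ViperMonkey is for.
    """
    return "".join(STRING_LITERAL.findall(vba_text))


def find_base64_payloads(vba_text, min_len=16):
    """Return (encoded, decoded) pairs for each base64-looking run in the
    joined literals that is a valid length and decodes without error."""
    blob = join_literals(vba_text)
    results = []
    for match in B64_RUN.finditer(blob):
        candidate = match.group(0)
        if len(candidate) < min_len or len(candidate) % 4 != 0:
            continue
        try:
            # validate=True rejects runs containing non-alphabet bytes
            decoded = base64.b64decode(candidate, validate=True)
        except ValueError:
            continue
        results.append((candidate, decoded))
    return results


if __name__ == "__main__":
    for encoded, decoded in find_base64_payloads(SAMPLE_VBA):
        print(encoded, "->", decoded)
```

This is a triage aid, not a replacement for emulation: it only sees literals that are already concatenated with & in the source, and a macro that builds its string at runtime from character codes will still need ViperMonkey (or manual analysis) to reveal the payload.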
The maldoc was delivered inside a password protected ZIP file.
This time, I made a video of the static analysis process: