Remember ACE files?
A reader submitted a malicious attachment:
We can see that this is an ACE file. I remember ACE files: an archive format that, back in the day (2000), yielded higher compression ratios than RAR.
I found a Python library/tool to decompress ACE files: acefile.py. Looking at the source code, I noticed it can read from stdin, so I should be able to pipe the output of oledump into acefile. Unfortunately, this generated an error, and I had to extract the file to disk:
This .bat file is actually an executable:
Sample 3e58ec4fe08d93dd6ec20c7553519d47 was compiled with Visual Basic 6.0.
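The two checks done by hand above (is this an ACE archive? is this ".bat" really a PE executable?) can be scripted for triage. The following is an added example, not code from the diary or from acefile.py: it recognizes an ACE archive by the `**ACE**` signature at byte offset 7 of the main header, recognizes a PE by the `MZ` stub and the `PE\0\0` signature at `e_lfanew`, and flags script-looking file names that carry executable content. The sample byte strings are constructed minimal headers, not real samples.

```python
import struct

ACE_MAGIC = b"**ACE**"      # signature found at offset 7 of the ACE main header
ACE_MAGIC_OFFSET = 7
SCRIPT_EXTS = (".bat", ".cmd", ".vbs", ".js", ".txt")


def is_ace(data: bytes) -> bool:
    """ACE archives carry '**ACE**' at byte offset 7 of the first header."""
    return data[ACE_MAGIC_OFFSET:ACE_MAGIC_OFFSET + len(ACE_MAGIC)] == ACE_MAGIC


def is_pe(data: bytes) -> bool:
    """PE files start with 'MZ'; e_lfanew at offset 0x3C points to 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(name: str, data: bytes) -> dict:
    """Classify content and flag a script-like name that hides a PE executable."""
    kind = "ace" if is_ace(data) else "pe" if is_pe(data) else "unknown"
    disguised = kind == "pe" and name.lower().endswith(SCRIPT_EXTS)
    return {"name": name, "kind": kind, "disguised_exe": disguised}


# Constructed sample input (minimal headers, not real malware):
# ACE main header: 2-byte CRC, 2-byte header size, 1-byte type, 2-byte flags, magic
SAMPLE_ACE = b"\x00\x00\x10\x00\x00\x00\x00" + ACE_MAGIC + b"\x00" * 9
# MZ stub whose e_lfanew (offset 0x3C) points at a PE signature at offset 0x40
SAMPLE_BAT_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"

if __name__ == "__main__":
    for fname, blob in (("attachment.ace", SAMPLE_ACE), ("payload.bat", SAMPLE_BAT_PE)):
        print(triage(fname, blob))
```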
Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com