I diary entry "Small Challenge: A Simple Word Maldoc - Part 2", we used my tool numbers-to-string.py to convert and decode the numbers in malicious VBA macro code to a BAT command.

This required still some analysis of the VBA code: we had to find the XOR key.

In this diary entry, I will show you how to use my tool XORSearch when you don't know the key. XORSearch is a tool (I wrote it in C) that will search for a string you provide while trying out different encodings (XOR, ADD, ...).

As it is likely that the command will contain a URL, we let XORSearch search for string http:

And you can see that a URL is found for XOR-encoding with key 0x6F (111 decimal).

I then use option -n 100 to view the complete command:

So this works: we don't have to figure out that the encoding is XOR with key 111, the tool does that for us. What we need to know though, is an idea of the encoded message: that it contains a URL.

And this made me think: how can I even more lower the amount of information needed, to be able to decode this? I realized that this BAT command is composed of printable ASCII characters. So that is our search criteria. XORSearch does not support this, and in stead of adding it to the C code for XORSearch, I decided to start a Python version of XORSearch (more on this later).

Here is how to use it:

Here we see different XOR keys, that all lead to a pure printable result. But only key 0x6F gives a BAT command.

And this is how to decode it:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com