A "Stream O" Maldoc

Published: 2019-07-05
Last Updated: 2019-07-05 23:08:42 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Reader Robert submitted a malicious document. It just happens to be a maldoc with the payload hidden in a user form, as discussed in diary entry "Maldoc: Payloads in User Forms" last weekend.

I'm using plugin plugin_stream_o to view the payload.

This output is more user-friendly: it's a XLS/XLST file with malicious JScript: a downloader:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

0 comment(s)

Comments


Diary Archives