A reader asked what the &H?? strings were in the malware I analyzed in my last diary entry. They are hexadecimal integer literals: in VBA and VBScript, the prefix &H introduces a number written in hexadecimal, so &H4D is decimal 77, the ASCII code of the letter M.

For analysis, these numbers can be easily extracted with my re-search.py tool and then converted to binary with hex-to-bin.py. With the regular expression "&H..", we can extract all strings starting with &H followed by 2 characters.

When we use a capture group (), re-search outputs the capture group instead of the full matched string, so only the two hexadecimal digits after &H remain.

Then we can convert the hexadecimal digits to their binary values, which reveals the characters the script assembles at runtime.

In this HTA document, the malware authors tried to obfuscate strings like MSXML2.DOMDocument.3.0 that are used in AV signatures and other detection tools: by splitting such a string into a sequence of hexadecimal character codes, the clear-text string never appears in the file itself.
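The following Python script is an added example, not code from the diary and not re-search.py or hex-to-bin.py themselves; it reimplements the two steps described above (regex extraction with and without a capture group, then hex-to-bytes conversion) so the effect of each choice can be seen on a constructed VBScript fragment that builds the string MSXML2.DOMDocument.3.0 from Chr(&Hxx) calls. The sample, the pattern names and the helper functions are all assumptions made for illustration. It also shows a caveat a practitioner runs into with the loose pattern "&H..": a short literal such as &HA that is not followed by two hexadecimal digits yields a capture that hex conversion rejects, so the stricter patterns only accept hexadecimal digits, and the string-recovery pattern is anchored to the Chr( context in which the bytes are used.

```python
import re

# Constructed VBScript fragment in the style of the obfuscated HTA discussed
# above; it is NOT the actual malware sample. Each Chr(&Hxx) contributes one
# byte of the string handed to CreateObject. The CInt(&HA) comparison is a
# decoy: a legitimate numeric literal that is not part of the string.
SAMPLE_HTA = """<script language="VBScript">
Dim s
s = Chr(&H4D) & Chr(&H53) & Chr(&H58) & Chr(&H4D) & Chr(&H4C) & Chr(&H32) & Chr(&H2E)
s = s & Chr(&H44) & Chr(&H4F) & Chr(&H4D) & Chr(&H44) & Chr(&H6F) & Chr(&H63) & Chr(&H75)
s = s & Chr(&H6D) & Chr(&H65) & Chr(&H6E) & Chr(&H74) & Chr(&H2E) & Chr(&H33) & Chr(&H2E) & Chr(&H30)
If Len(s) > CInt(&HA) Then Set o = CreateObject(s)
</script>
"""

# The loose pattern from the diary: "&H" followed by any two characters.
LOOSE = re.compile(r"&H..")
# The same pattern with a capture group: only the two characters after &H
# are returned, not the full match.
LOOSE_GROUP = re.compile(r"&H(..)")
# Tighter pattern: only hexadecimal digits are accepted, however many follow.
STRICT = re.compile(r"&H([0-9A-Fa-f]+)")
# Anchored to the Chr( context: only literals used as character codes.
CHR_LITERAL = re.compile(r"Chr\(&H([0-9A-Fa-f]{1,2})\)", re.IGNORECASE)


def loose_matches(text):
    """Full matches of '&H..' (what extraction without a capture group yields)."""
    return LOOSE.findall(text)


def loose_groups(text):
    """Only the two characters after &H (extraction with a capture group)."""
    return LOOSE_GROUP.findall(text)


def strict_literals(text):
    """Hexadecimal digits of every &H literal, regardless of where it is used."""
    return STRICT.findall(text)


def hex_to_bin(hex_digits):
    """Convert hex digit strings to bytes; each literal must fit in one byte.

    int(..., 16) raises ValueError for captures such as 'A)' that contain
    non-hex characters, which is how the loose pattern's false matches surface.
    """
    out = bytearray()
    for digits in hex_digits:
        value = int(digits, 16)
        if value > 0xFF:
            raise ValueError(f"&H{digits} does not fit in a single byte")
        out.append(value)
    return bytes(out)


def recover_string(text):
    """Rebuild the string assembled from Chr(&Hxx) calls, one byte per character."""
    return hex_to_bin(CHR_LITERAL.findall(text)).decode("latin-1")


if __name__ == "__main__":
    print("loose full matches :", loose_matches(SAMPLE_HTA)[:3], "...")
    print("loose capture group:", loose_groups(SAMPLE_HTA)[-1], "(not hex, breaks conversion)")
    print("strict literals    :", len(strict_literals(SAMPLE_HTA)), "found")
    print("recovered string   :", recover_string(SAMPLE_HTA))
```

Running the script on the constructed sample recovers MSXML2.DOMDocument.3.0 from the Chr(&Hxx) sequence, while the loose capture group also returns "A)" from the CInt(&HA) decoy, which the hex conversion rejects. In a real triage the strict or Chr-anchored pattern is the safer default; the loose one is fine when the script only contains two-digit literals, as in the diary's sample.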
Didier Stevens, ISC Handler, Feb 5th 2018