SANS ISC: Analyzing an HTA file: Update - SANS Internet Storm Center
Analyzing an HTA file: Update

A reader asked what the &H?? strings were in the malware I analyzed in my last diary entry. These are numeric literals in VBA written in hexadecimal: the &H prefix marks the digits that follow as a hexadecimal number.

For analysis, these numbers can be easily extracted with my tool and then converted to binary with

With regular expression "&H..", we can extract all strings starting with &H followed by 2 characters:

When we use a capture group (), re-search will output the capture group instead of the full matched string:

And then we can convert the hexadecimal digits to their binary values:

In this HTA document, the malware authors tried to obfuscate strings like MSXML2.DOMDocument.3.0, which are used in AV signatures and other detection tools.
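The three steps above (match &H literals, capture only the hex digits, convert them to bytes) as an added Python example that is not part of the diary and does not use re-search.py. The VBScript fragment is constructed for the example; the regex tightens the diary's "&H.." to hex digits only, so text such as "&Hello" is not mistaken for a literal.

```python
import re

# Constructed sample in the style of the obfuscated HTA: each character of the
# hidden string is written as a hexadecimal literal (&H prefix) fed to Chr().
SAMPLE_VBS = (
    'Set o = CreateObject(Chr(&H4D) & Chr(&H53) & Chr(&H58) & Chr(&H4D) & '
    'Chr(&H4C) & Chr(&H32) & Chr(&H2E) & Chr(&H44) & Chr(&H4F) & Chr(&H4D) & '
    'Chr(&H44) & Chr(&H6F) & Chr(&H63) & Chr(&H75) & Chr(&H6D) & Chr(&H65) & '
    'Chr(&H6E) & Chr(&H74) & Chr(&H2E) & Chr(&H33) & Chr(&H2E) & Chr(&H30))'
)

# Steps 1 and 2: find every &H literal, but capture only its two hex digits
# (the capture group plays the role of re-search's capture-group output).
HEX_LITERAL = re.compile(r"&H([0-9A-Fa-f]{2})")


def extract_hex_digits(text):
    """Return the two-digit hex strings that follow &H, in document order."""
    return HEX_LITERAL.findall(text)


def decode_hex_literals(text):
    """Step 3: turn the captured hex digits into the bytes they encode."""
    return bytes.fromhex("".join(extract_hex_digits(text)))


def decoded_string(text):
    """Decode the bytes as single-byte characters, as Chr() would produce."""
    return decode_hex_literals(text).decode("latin-1")


def hides_string(text, needle):
    """True when a string that detection tools look for (e.g. a ProgID) only
    appears after the &H literals are decoded, i.e. it was obfuscated."""
    return needle not in text and needle in decoded_string(text)


if __name__ == "__main__":
    print(extract_hex_digits(SAMPLE_VBS))
    print(decoded_string(SAMPLE_VBS))
    print(hides_string(SAMPLE_VBS, "MSXML2.DOMDocument.3.0"))
```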



Didier Stevens
Microsoft MVP Consumer Security


ISC Handler
Feb 5th 2018
