I received a malicious Word document with detections on VirusTotal, but it does not exhibit malicious behavior in a sandbox. That's because it's buggy: the malware author must have executed a search-and-replace of the string "pl" with the string "Jklcj2HIUCh" to obfuscate the function and variable names a bit, without noticing the "unwanted" replacements that corrupted the TripleDES COM object name. The dropped payload is an .inf file that downloads a scriptlet.

Didier Stevens, ISC Handler, Nov 2nd 2018
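As an added example (not code from the diary or from Didier), here is a small Python helper an analyst can use to undo this kind of global search-and-replace and list the string literals it damaged, which is where a broken ProgID or file name hides. The VBScript-like sample and the .NET TripleDES ProgID it references are constructed for the example and are not taken from the document described above.

```python
import re

# Token the obfuscator substituted for every occurrence of "pl" (from the diary).
TOKEN = "Jklcj2HIUCh"
FRAGMENT = "pl"

# Constructed sample: a dropper fragment after the global replace. Identifier
# renames were intended; the hits inside quoted strings were not.
OBFUSCATED_SAMPLE = (
    'Set objTDES = CreateObject("System.Security.Cryptography.'
    'TriJklcj2HIUCheDESCryptoServiceProvider")\n'
    'Dim samJklcj2HIUChe\n'
    'samJklcj2HIUChe = ReJklcj2HIUChace(data, "a", "b")\n'
    'Call DropPayload("temJklcj2HIUChate.inf")\n'
)

# Double-quoted VBScript literals (no escapes, no newlines inside).
STRING_LITERAL = re.compile(r'"([^"\n]*)"')


def deobfuscate(text, token=TOKEN, fragment=FRAGMENT):
    """Map the replacement token back to the original fragment everywhere.

    Safe only if the token itself never occurred in the original script,
    which is a reasonable assumption for a random-looking token like this.
    """
    return text.replace(token, fragment)


def collateral_literals(obfuscated, token=TOKEN, fragment=FRAGMENT):
    """Return (damaged, restored) pairs for every string literal the replace hit.

    A token inside a quoted string is collateral damage: ProgIDs, paths and
    URLs stop resolving, which explains a sample that is 'malicious but inert'.
    """
    hits = []
    for match in STRING_LITERAL.finditer(obfuscated):
        literal = match.group(1)
        if token in literal:
            hits.append((literal, literal.replace(token, fragment)))
    return hits


if __name__ == "__main__":
    print(deobfuscate(OBFUSCATED_SAMPLE))
    for damaged, restored in collateral_literals(OBFUSCATED_SAMPLE):
        print(f"literal broken by obfuscation: {damaged!r} -> {restored!r}")
```

Run over the real script, the second list is the fastest way to see which CreateObject ProgID or payload name the author accidentally broke before deciding whether the sample is worth detonating again with the fix applied.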