Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: TriJklcj2HIUCheDES decryption failed? - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
TriJklcj2HIUCheDES decryption failed?

I received a malicious Word document with detections on VirusTotal, but it does not exhibit malicious behavior in a sandbox.

That's because it's buggy:

The malware author must have executed a search and replace for string "pl" by string "Jklcj2HIUCh" to obfuscate the function and variable names a bit, without noticing "unwanted" replacements leading to the corruption of the TripleDES COM object name.

The dropped payload is an .inf file that downloads a scriptlet:

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

289 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!