Malicious Document delivering Dridex — analysis and emulation (part 1)

Harold Ogden
Jul 21
Retrieving the .xlt payload from OLE Form text and writing it to disk:
wmic os get /format:"C:\Windows\Temp\aXwZvnt48.xsl"
Reassembly of command to execute xsl payload

First 20 variable names
Variable name lengths
Unused variables used as filler to add legitimacy to the macro code
Variable names and types, along with their assignment
Variable type distribution
Integer values being set
Long values being set
Boolean values being set
Comments

Dim \S+ as (Boolean|Long|Integer|String)|^' .*|^a[a-zA-Z0-9]{4,8} = \S+$
Document map showing filler code
Legitimate code between the filler
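As an added example (not code from the write-up), the Python below applies the filler pattern above to a constructed macro fragment and separates the filler from the lines worth reading; case-insensitive matching is an assumption, since the VBA editor capitalises `As`.

```python
import re

# Filler pattern from the write-up, with the en-dash and curly quote restored to ASCII.
# IGNORECASE is an assumption: VBA source normally reads "As Long", not "as Long".
FILLER_RE = re.compile(
    r"Dim \S+ as (Boolean|Long|Integer|String)|^' .*|^a[a-zA-Z0-9]{4,8} = \S+$",
    re.IGNORECASE,
)

# Constructed sample (not the real macro): declarations, comments and single-token
# assignments to a[A-Za-z0-9]{4,8} names wrapped around two lines of real code.
SAMPLE_MACRO = """\
Dim aQwErTy As Long
' this block keeps track of the document state
aQwErTy = 1234
Dim aZxCvBn As Boolean
aZxCvBn = True
Dim aPlMkO As String
aPlMkO = "ready"
Set objShell = CreateObject("WScript.Shell")
objShell.Run cmd, 0, False
' cleanup after processing
Dim aHgFdSa As Integer
aHgFdSa = 7
"""


def split_filler(macro_text):
    """Return (filler_lines, kept_lines) for a macro listing.

    A line matching FILLER_RE is treated as filler. Caveat: a genuine
    declaration written in the same shape is filtered too, so review the
    filler list rather than discarding it blindly.
    """
    filler, kept = [], []
    for line in macro_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        (filler if FILLER_RE.search(stripped) else kept).append(stripped)
    return filler, kept


def filler_ratio(macro_text):
    """Fraction of non-blank lines that are filler; a quick bloat indicator."""
    filler, kept = split_filler(macro_text)
    total = len(filler) + len(kept)
    return len(filler) / total if total else 0.0


if __name__ == "__main__":
    for line in split_filler(SAMPLE_MACRO)[1]:
        print(line)
```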
Splash page embedded in the document
