Video: Analysis of a multi-stage malware (doc -> vba -> jscript -> exe -> shellcode -> mapped exe -> iat rebuild)

This is the full analysis of a multi-stage malware.

Sample hashes:

MD5: A3BF316D225604AF6C74CCF6E2E34F41
SHA1: D20981637B1D9E99115BF6537226265502D3E716
SHA256: 00476789D901461F61BDF74020382F851765AFCD7622B54687CDA70425A91F86

This is the code I wrote for JavaScript deobfuscation. Make sure to insert the Base64-encoded JavaScript payload before running it.

2 thoughts on “Video: Analysis of a multi-stage malware (doc -> vba -> jscript -> exe -> shellcode -> mapped exe -> iat rebuild)”

  1. Just wanted to say thanks for all the work you do. I wish I had even a small portion of the knowledge you have learned. When I have time I will be poring over your tools and especially your articles. I am sure I will learn a lot assuming I can piece it all together with my limited existing knowledge.

    Oh, yeah, the short version is just Thank you very much for sharing!
