
Finding The Original Maldoc

Posted on 31 August 2020

From isc.sans.edu

Xavier wrote about a “Malicious Excel Sheet with a NULL VT Score” and I showed how to extract the VBA code from the maldoc cleaned by AV.

How can one find the original maldoc? By using a unique identifier as a search term.

In the cleaned maldoc, the PROJECT stream was still present. As I explained in a previous diary entry, the VBA project is password protected. The password is stored as a salted SHA1, encoded, and set as the value of DPB:
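As an added illustration (not code from the diary), here is how the DPB value can be pulled out of a PROJECT stream and its MS-OVBA 2.4.3 "Data Encryption" wrapper removed, so that the raw hex you intend to use as the search term can first be confirmed to carry a hashed-password record (first plaintext byte 0xFF). The PROJECT text, project ID, salt and hash bytes below are all constructed, and the encrypt routine exists only to build that sample.

```python
import re
import struct
def parse_project_stream(text):
    """Collect the key="value" properties (ID, Name, DPB, CMG, GC, ...) of a PROJECT stream."""
    props = {}
    for line in text.splitlines():
        m = re.match(r'^(\w+)="?([^"]*)"?$', line.strip())  # skips [sections] and &H... lines
        if m:
            props[m.group(1)] = m.group(2)
    return props

def ovba_decrypt(blob):
    """Undo the MS-OVBA 2.4.3 'Data Encryption' wrapper (Seed, VersionEnc, ProjKeyEnc, IgnoredEnc,
    DataLengthEnc, DataEnc): each later byte is XORed with (ciphertext[i-2] + plaintext[i-1])."""
    seed, version_enc, projkey_enc = blob[0], blob[1], blob[2]
    if (seed ^ version_enc) != 2:
        raise ValueError("version byte is not 2: not an MS-OVBA encrypted value")
    ignored_len = (seed & 6) >> 1  # 0-3 random bytes precede the length
    unenc1, enc1, enc2 = seed ^ projkey_enc, projkey_enc, version_enc  # ProjKey, ProjKeyEnc, VersionEnc
    plain = bytearray()
    for b in blob[3:]:
        byte = b ^ ((enc2 + unenc1) & 0xFF)
        enc2, enc1, unenc1 = enc1, b, byte
        plain.append(byte)
    data_len = struct.unpack("<I", plain[ignored_len:ignored_len + 4])[0]
    return bytes(plain[ignored_len + 4:ignored_len + 4 + data_len])

def ovba_encrypt(data, project_id, seed, ignored=b""):
    """Forward direction (ProjKey = byte sum of the project ID); only used to build the sample.
    The caller supplies (Seed & 6) / 2 'ignored' bytes, which Office fills with random values."""
    projkey = sum(project_id.encode("ascii")) & 0xFF
    out = bytearray([seed, seed ^ 2, seed ^ projkey])
    unenc1, enc1, enc2 = projkey, seed ^ projkey, seed ^ 2
    for byte in ignored + struct.pack("<I", len(data)) + data:
        b = byte ^ ((enc2 + unenc1) & 0xFF)
        out.append(b)
        enc2, enc1, unenc1 = enc1, b, byte
    return bytes(out)

def dpb_record(project_text):
    """Return (DPB hex, decrypted record); a record starting with 0xFF is the hashed-password form."""
    dpb_hex = parse_project_stream(project_text)["DPB"]
    return dpb_hex, ovba_decrypt(bytes.fromhex(dpb_hex))

# Constructed sample (not from the diary): 0xFF, 4 null-flag bytes, 4-byte salt, 20-byte SHA1, terminator.
SAMPLE_RECORD = b"\xff" + b"\xff\xff\x0f\x0f" + b"\x11\x22\x33\x44" + bytes(range(0x21, 0x35)) + b"\x00"
SAMPLE_ID = "{1E2D3C4B-0000-4000-8000-000000000001}"
SAMPLE_DPB = ovba_encrypt(SAMPLE_RECORD, SAMPLE_ID, 0x6B, b"\x5a").hex().upper()  # Seed 0x6B -> 1 ignored byte
SAMPLE_PROJECT = ('ID="' + SAMPLE_ID + '"\r\nDocument=ThisDocument/&H00000000\r\nName="VBAProject"\r\n'
                  'DPB="' + SAMPLE_DPB + '"\r\n\r\n[Host Extender Info]\r\n')
```

`dpb_record(SAMPLE_PROJECT)` returns the 76-character DPB hex (the value to search for) together with the 30-byte decrypted record; the same call on a real PROJECT stream dumped with oledump or olevba tells you whether the DPB is a hash, a plaintext password (text ending in 0x00) or no password at all (a single 0x00).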

BU CERT