Hello, welcome to the Friday, August 11th, 2017 edition of the Sandtonet Stormsenders Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

We've got a great new diary today by DDA. DDA is talking about how to analyze one of the more complex

MOTT-MELDoc samples that we received lately, and thanks

also, of course, to our readers that keep us supplied with interesting malware. In this particular

case, the first hurdle was that there was in the document zipIP file, but it was encrypted.

So standard techniques to extract the content of that SIP file didn't really work.

So DDA shows how to use SIPDump in conjunction with OliDump in order to extract this malicious

file from the particular document. And then the next hurdle was from the particular document.

And then the next hurdle was that the visual basic script was heavily obfuscated.

And the DDA did try to use Viper Monkey, but it didn't work out of the box.

He had to use the special alternate parameter in order to make it work.

Viper Monkey is a pretty interesting tool.

There's a lot of malicious visual basic scripts out there.

Of course, they're all obfuscated and make it difficult to analyze them.

So what you really need to do is you need to essentially run the visual basic script.

That's usually the easiest way to de-obuscate them.

But if you don't want to run it in the actual VIRT Visual Basic,

what you can do is you can use Viper Monkey, which emulates the Visual Basic parser.

As any emulation, it's not perfect.

And this particular case, the A4 alternative parameter made it work well enough in order

to decode this particular macro.

...