Hello and welcome to the Friday, March 17th, 2020,

edition of the Sands and at Storm Center's Stormcast. My name is Johannes Ulrich,

and today I'm recording from Jacksonville, Florida.

Today we got a great Malware Reverse Engineering diary from Xavier.

Xavier is writing about an Excel spreadsheet that he found.

The spreadsheet is mostly in Chinese, looks like some kind of invoice, and it's interesting

in that it uses, well, not a totally uncommon, but a little bit unusual these days, a way

of actually executing a code. It's not going

the normal macro route or such. Instead, it's using the relatively old now, but sadly still

used and sometimes effective equation editor vulnerability. Now, in order to exploit this vulnerability, we don't have

like visual basic or something like this in the Excel spreadsheet. Instead, we do have some

shell code, so essentially a bytecode. And Xavier walks you through how to analyze this type of code, how to get started, how to find it,

and then also how to run it through the shell code debugger, which I believe Xavier has written about before to actually figure out what's going on with this code and what it is trying to accomplish, which also

then points to the equation editor vulnerability as the actual exploit being used in order to

start this particular software. But you see, for example, also IP address and such that are

becoming pretty apparent as you're looking at this code.

The advantage, of course, is, well, you could just run this particular Excel spreadsheet,

but that's always a little bit risky.

You may also not have the right old version of Excel sitting around in order to quickly execute this particular piece of malware.

So sometimes it's safer and often also more conclusive if you're reverse analyzing the actual

code.

It's always easy to miss something if you're just executing the code because you may not trigger all the particular

...