Hello and welcome to the Thursday, June 15, 2020, edition of the Santonet Storms, Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today I would like to start out to thank all the Malver authors that keep coming up with

interesting obfuscation techniques for Didy to reverse.

Today, Didier is looking at an obfuscated visual basic script and shows how to, well,

use a combination of standard command line tools like starting out with grep and the like, and then quickly moving

to DDA's own public domain tools like REsearch.P.I and sets.P.I.2.

Then further manipulate the payload and reverse engineer it in order to obtain the de-obuscated script.

Pretty nice analysis and as usual highly recommended if this is the kind of work that you

like to do or have to do as part of your day job.

Researchers from the Rue University, Bohm, did publish a paper outlining some weaknesses

in the Microsoft Office Open Office XML signature.

Despite the name Open Office, Microsoft Office documents are created using the Open Office

XML standard, which, well, is a rather complex standard. If you ever looked at an office document,

it's usually a SIP file, actually, when you're looking at the dot-docx file, that contains a number

of different XML files.

The problem with these signatures is that they allow for only some of these files to be signed.

So an attacker, of course, may alter any files that are not signed, with that of course change the content that's

displayed to the user. For example, what fonts are being used is not typically part of the

signed parts. Changing fonts, of course, will easily then allow an attacker to change what's being displayed as

the user opens the document without actually alerting the user of a changed or broken signature.

There are various attack scenarios that are outlined in the paper too much to really adequately

...