Hello, welcome to the Tuesday, March 22nd, 22nd, 22 edition of the Sands and the Stormsendors Stormcast.

My name is Johannes Ulrich, and then I'm recording from Jacksonville, Florida.

Now, if you are into reverse engineering malware, you must read the DA's diary.

It has a pretty simple title, a maldoc cleaned

by antivirus, but really it turns out to be a deep dive into some of the file structures involved

with office documents. So the problem here was that a document was recovered that was very likely malicious,

but antivirus already modified and essentially removed the malicious part of the document.

At least that's sort of what it looked like. The antivirus in question here being Kersperski and what the DEA then attempted

to do is trying to recover the malicious code, which of course is interesting because he still

want to know what this particular piece of Malver may have done if it would have been able

to run. It may have, for example, run on a different workstation

with different antivirus that didn't catch it.

And then you may want to know

what are some of the indicators of compromise or such

that you should be looking for.

Now, the deep dive here into the document formats

essentially shows how Kasperski didn't actually

overwrite the malicious code. It just truncated the respective stream and well, by actually

modifying the file structures, you're able to recover and analyze that truncated stream.

Very interesting analysis, and like I said,

really the good part here is it goes into all the little details

of these file structures and how to manipulate them.

...