Hello, welcome to the Wednesday, August 17, 2020 edition of the Sands and the Storm Center's

Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

Today we got yet another great post by DDA walking us through the analysis of a malicious office document.

D.D.E. uses his tool Olli D.D.A. to extract the visual basic for applications code,

but while as so often the code was heavily obfuscated, as part of the obfuscation, the script

calls multiplied to white char,

a function that allows conversion of bytes into characters by specifying and encoding.

Now, typically, you would find something like UTF8 or UTF 16, but not so.

Here, the attacker actually picked the rather ancient UTF7.

Back in the day, I remember disencoding sometimes led to the bypass of some cross-side scripting filters,

but here UTF7 is just used to full anti-malware tools to ignore and not being able to really figure out what's happening here.

Well, not so, of course, with the help of DDA.

DDA isn't fooled so easily, and he'll walk you through decoding these scripts.

The output is binary code, followed by some assembly source code, which actually doesn't

really make sense, and the Deere guesses that the assembly source code was just left by mistake.

Now, the shell code, DDE was able to analyze a 64-bit code,

and that finally revealed then a URL

that may be used to load additional code.

So pretty thorough walkthrough here of some interesting

and somewhat unusual sample.

And Microsoft recently went after a threat group that they're calling Cyborgium, and that is

likely aligned with Russian interests.

...