Philippe Lagadec – decalage.info - @decalage2

More documents

Recommendations

Info

Vervet Monkey Picture published by Charlesjsharp under CC BY 3.0 license ViperMonkey • In practice: malware writers are very creative - impossible to deobfuscate every malware using specific code (oledump, olevba). • Other approaches : Sandboxing / “Detonation” (detectable) Convert VBA to VBS => run cscript.exe (risky) Custom VBA Parser + Emulation => ViperMonkey
ViperMonkey • Olevba alone: 1. Extract code 2. Specific deobfuscation algorithms 3. Detect suspicious strings 4. Extract IOCs (regex) • ViperMonkey: 1. Extract code 2. VBA Parser (pyparsing grammar) 3. Code logic model 4. Trace code execution, simulating the VBA engine 5. Extract interesting actions and parameters 6. Olevba analysis https://github.com/decalage2/ViperMonkey http://decalage.info/vba_emulation https://blog.nviso.be/2016/12/07/analyzing-an-office-maldoc-with-a-vba-emulator/
Page 1 and 2: Toulouse Hacking Convention 3 rd Ma
Page 3 and 4: Au menu Red Side • Malicious Macr
Page 5 and 6: What can a malicious macro do? •
Page 7 and 8: Sample VBA Dropper Private Declare
Page 9 and 10: Blue Side: Analysis
Page 11 and 12: olevba - extraction + analysis $ ./
Page 13: Services/Projects using olevba Vipe
Page 17 and 18: Other Analysis Techniques • Loffi
Page 19 and 20: Macro Detection & Prevention • Wh
Page 21 and 22: MicroRaptor Picture published by Co
Page 23 and 24: MacroRaptor applications Mraptor_mi
Page 25 and 26: Conclusion VBA Macros are still a v
Page 27 and 28: Extra Slides
Page 29 and 30: Obfuscation iKJINJdg = StrReverse(C
Page 31 and 32: MS Office File Formats with macros
Page 33 and 34: oledump • http://blog.didiersteve
Page 35 and 36: oledump - plugins $ ./oledump.py ~/
Page 37 and 38: ViperMonkey - hello world
Page 39 and 40: ViperMonkey - what next • Minimal

Philippe Lagadec – decalage.info - @decalage2

Create successful ePaper yourself

Delete template?

Save as template?