Hello, Didier Stevens here, Senior Handler at the Internet Storm Center. Xavier wrote a diary entry about a malicious document with a good old Equation Editor vulnerability, something from years ago: CVE-2017-11882. And Xavier recovers the URL through dynamic analysis. I have done analysis, static analysis, of exploits like this, where I explain in detail how all the pieces fit together, and then you can do the analysis. Here I'm going to do something else: a quick and dirty analysis of the shellcode. So let's get started.

So let's run oledump here on the sample. And as you can see, it contains a stream. Now let's select that stream with oledump. And yeah, there's nothing really recognizable. If we try to extract strings, we get nothing meaningful. Now, this here contains shellcode, because it is an Equation Editor exploit. Now, a quick and easy method to detect shellcode is to dump the binary data and pipe that into my XORSearch tool, and use option W, uppercase W. This will apply a set of rules to try to figure out if the data that is being passed contains shellcode. And I have to provide a dash to tell it that the input is from standard in. Okay, so XORSearch found two GetEIP methods; that's typical of 32-bit shellcode. Here at position 5C, and it is not encoded: XOR 0 means no encoding. And here another one, ROT 12. Now this one might be a false positive, but this is probably a real GetEIP.

So now we are going to emulate this with the shellcode emulator. So I'm going to dump this and write this to disk. And now I run the shellcode emulator. I provide the file, stream odv, as input. I give the option findsc, find shellcode, to find the entry point of the shellcode, and also the option to make a short report. Let's run this. And as you can see here, there are 6 potential entry points. And one of them, 5C, is indeed what XORSearch found. So let's take option 4 for 5C. And indeed this is shellcode. You see a GetProcAddress for ExpandEnvironmentStringsW.

And then it stops the analysis here, because the shellcode emulator has few API hooks for the Unicode versions. But that's not a problem. Take a look at the analysis report. And here you can see the sample decodes itself in memory. Use option D to dump. So let's do that. Let's run this again with option D to dump, number 4 here. OK. It has been written to disk. Let's take a look at what strings are inside. And here you can see all of the strings used by the shellcode, including the URL, and for example also where it will write the file.
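The GetEIP scan that XORSearch -W performs above, re-implemented as an added example in Python (this is not Didier Stevens' code, and it only models XOR keys 0-255 and ROL 1-7, not XORSearch's ROT or SHIFT rules; the sample buffer is constructed here):

```python
"""Detect GetEIP idioms typical of 32-bit shellcode under simple encodings,
in the spirit of XORSearch -W (added example, not the original tool)."""
from typing import List, Tuple

# Two classic GetEIP sequences (assumed rule set; XORSearch has more):
#   call $+5 ; pop reg            -> E8 00 00 00 00, then 58..5F
#   fldz ; fnstenv [esp-0Ch] ; pop -> D9 EE D9 74 24 F4, then 58..5F
POP_REG = range(0x58, 0x60)
GETEIP_RULES = [
    ("call $+5 / pop reg", b"\xe8\x00\x00\x00\x00"),
    ("fldz / fnstenv / pop reg", b"\xd9\xee\xd9\x74\x24\xf4"),
]

def xor_decode(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def rol_decode(data: bytes, n: int) -> bytes:
    # Rotate every byte left by n bits (trying 1..7 covers ROR as well)
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)

def find_geteip(data: bytes) -> List[Tuple[str, int]]:
    """Return (rule name, offset) for every GetEIP idiom in decoded data."""
    hits = []
    for name, prefix in GETEIP_RULES:
        start = 0
        while (pos := data.find(prefix, start)) != -1:
            nxt = pos + len(prefix)
            if nxt < len(data) and data[nxt] in POP_REG:
                hits.append((name, pos))
            start = pos + 1
    return hits

def scan(data: bytes) -> List[Tuple[str, int, str, int]]:
    """Return (encoding, key, rule, offset); XOR key 0 means 'not encoded'."""
    results = []
    for key in range(256):
        for rule, off in find_geteip(xor_decode(data, key)):
            results.append(("XOR", key, rule, off))
    for n in range(1, 8):
        for rule, off in find_geteip(rol_decode(data, n)):
            results.append(("ROL", n, rule, off))
    return results

# Constructed sample: NOP sled, call $+5 / pop ebx, more NOPs; then the same
# buffer XOR-encoded with key 0x41 as an attacker-style obfuscation.
PLAIN = b"\x90" * 0x10 + b"\xe8\x00\x00\x00\x00\x5b" + b"\x90" * 8
ENCODED = xor_decode(PLAIN, 0x41)
```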