Hello, Didier Stevens here. I'm on holiday, and that explains why I'm not shaven. Also, today there has been a lot of rain; it's only now that the sun has started to shine, otherwise you would have heard the rain here in this room. This gave me the opportunity to do something that I wanted to do for quite some time, and that is show you the very first analysis of a maldoc, so the unscripted, unedited version of a malicious document analysis.

I make a lot of videos on maldoc analysis, and before I start recording I have done the analysis of the document beforehand, so I know how to do the analysis, I know what the outcome is, and I've also rehearsed the commands so that I can make a smooth recording in one go. Sometimes, when I make fundamental mistakes, I will just start the recording again. I try as much as possible to leave editing be and not do any editing afterwards. So sometimes I do some very small editing, but that's rare.

Now what I did here was also make a recording of the very first time that I looked at the maldoc. So I don't know anything about the maldoc; the only thing I know is that it's an XLSX file. That's the only thing, and so I start to do the analysis. You will see that it's trial and error. It goes in different directions; some of those directions don't end up in anything useful. Also, there's no sound, no narration, but I did add some captions so that you know what I'm more or less doing. Also, you will see me make mistakes, like for example I don't remember exactly some of the oledump options that I don't use often. So I make mistakes, and then I make typos; I have to look in the documentation to be able to do the right command. So that's how it goes in real life, how the malware analysis usually takes place: it goes in different directions, it's trial and error, we make mistakes, but we finally try to end up with the solution.
So I hope you enjoy this. So first the normal video I always make, and then afterwards the very first, unrehearsed look at the maldoc.

So I downloaded the sample from MalwareBazaar. It had only one tag: XLSX. I'm using my tool oledump to look at the sample. So it is indeed an OOXML file, and this is the OLE file that is inside the OOXML file. It's a spreadsheet, Excel, and this here is not a macro. So there are no VBA macros, and you don't see here any VBA project or anything, but we have here an embedding. So this stream here is an Ole10Native stream, rather large, almost one megabyte.

Now I'm going to use the storages option to also view the storages. So this is comparable to folders, and these are streams, and here you have a storage and the two streams. I'm looking at the storages so that I can see the root entry storage, the top storage, because I can add extra information for storages, like the class ID. Every storage has a class ID. This is the class ID of the root entry for this maldoc, and I can also add a description. So this is Microsoft Equation 3.0. So this is most likely an exploit for the Equation Editor, so it will contain 32-bit shellcode.

So let's take a look, selecting stream 1, and let's take a look at the start, at the beginning and the end. Okay, here we have binary data, and here what looks like base64. Here I see 01 08, so this is very likely a line record and a font record, and here is the overflow of the font record buffer, and then here we have shellcode. Let's take a look like this. Okay, and yeah, as was to be expected, it is obfuscated or encoded shellcode, because you don't see any strings, and then here a sequence of 0x0D bytes. Okay, and here you have where the base64 starts. Okay.
Now, if it contains shellcode like this, it's rather simple to analyze. You dump the stream to a file, shellcode.vir, and you run the shellcode emulator on it. Give it the file as input; you tell it that it has to find the entry point, because an exploit like this for the Equation Editor starts with a data structure, so the entry point is not at location zero. It's somewhere later on, so the shellcode emulator has to find it, and I also want a report. Now it is starting to do that. So it will take some time, because there are almost one million offsets to check. Okay, and now this is speeding up. That's because now it is trying to analyze the base64 as shellcode, and okay, so this is not valid shellcode; it fails very rapidly, so it can move on to the next one. Okay, almost done.

Okay, and here we have 10 entry points. I will start with the first one, and we already have success here. You can see the execution, the emulation of the shellcode. So it will write a file, an executable, to a temporary file, which is downloaded with HTTP from this IP address with this path, written to disk, and then here with WinExec it is executed, and after that you have an ExitProcess. So Excel is killed here. Now that's the analysis.

Hmm, let's take one more look at the base64. So let's pipe this into my base64dump tool, and here we have the code. Let me select this. And it has a very high entropy, 7.98, so either this is encrypted data or even random data. Now I did some research into it, and I'm pretty sure that this is just a decoy, just random data that was added, because if I look at the shellcode and I do away with the base64 code, then it still emulates. So here you have the content of the stream and the encoded shellcode, here you have the repetition of the 0x0D bytes, and then here you have the start of the base64.
So the length of the shellcode is around 0x6E0. So let me cut that out: 0x6E0, a length of 0x6D0. And I'm going to write this to another file, a much smaller file now, and then run the shellcode emulator on it, find the entry points. It immediately finds the entry points, and here we have exactly the same result. So that base64 code is not necessary for the shellcode to execute, and I doubt also that it is necessary for the downloaded executable, because this is started as a separate process and afterwards Excel is just killed.
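The triage steps from the walkthrough above (reading the root entry's class ID to recognise an Equation Editor object, locating where the encoded shellcode stops and the run of 0x0D filler and the base64 decoy begin, and measuring the decoy's entropy), written out as an added Python example. This is not code from the video, nor from oledump or base64dump. The OLE directory entry and the Ole10Native-style stream below are constructed stand-ins: the placeholder bytes are not shellcode, the base64 blob is deterministic random data, and the 0x6D0 cut length is the one arrived at in the video.

```python
"""Triage helpers for an embedded Equation Editor object stream (added example).

Everything fed to these functions below is constructed test data, labelled
as such; nothing here is taken from a real sample.
"""
import base64
import math
import random
import re
import struct
import uuid
from collections import Counter

# Class ID registered by Microsoft Equation 3.0. oledump's --storages option
# prints the root entry's class ID with a description; matching it is how
# the video recognised the object as an Equation Editor document.
EQUATION_EDITOR_CLSID = uuid.UUID("0002CE02-0000-0000-C000-000000000046")
KNOWN_CLSIDS = {EQUATION_EDITOR_CLSID: "Microsoft Equation 3.0"}


def clsid_from_directory_entry(entry: bytes) -> uuid.UUID:
    """Return the CLSID stored in a 128-byte OLE directory entry.

    The field sits at offset 0x50 and is stored in little-endian (bytes_le)
    layout, so it has to be byte-swapped to read like a registry CLSID."""
    if len(entry) != 128:
        raise ValueError("OLE directory entries are exactly 128 bytes")
    return uuid.UUID(bytes_le=entry[0x50:0x60])


def describe_clsid(clsid: uuid.UUID) -> str:
    return KNOWN_CLSIDS.get(clsid, "unknown")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum (random/encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def decode_base64_run(run: bytes) -> bytes:
    """Decode a base64 run whose padding may be missing or truncated."""
    run = run.rstrip(b"=")
    if len(run) % 4 == 1:  # a lone trailing character cannot encode a byte
        run = run[:-1]
    return base64.b64decode(run + b"=" * (-len(run) % 4))


def triage_equation_stream(stream: bytes) -> dict:
    """Split the stream as the analysis did: encoded shellcode, then the
    longest run of 0x0D filler bytes, then a base64 blob, measuring each part."""
    cr_runs = list(re.finditer(rb"\r+", stream))
    if not cr_runs:
        raise ValueError("no run of 0x0D filler bytes found")
    filler = max(cr_runs, key=lambda m: m.end() - m.start())
    shellcode = stream[: filler.start()]
    tail = stream[filler.end():]
    result = {
        "shellcode_length": len(shellcode),
        "shellcode_entropy": round(shannon_entropy(shellcode), 2),
        "filler_length": filler.end() - filler.start(),
        "base64_offset": None,
        "decoy_entropy": None,
    }
    b64 = re.search(rb"[A-Za-z0-9+/]{64,}={0,2}", tail)
    if b64:
        decoded = decode_base64_run(b64.group(0))
        result["base64_offset"] = filler.end() + b64.start()
        result["decoy_entropy"] = round(shannon_entropy(decoded), 2)
    return result


def build_root_entry(clsid: uuid.UUID) -> bytes:
    """Constructed 128-byte OLE root directory entry carrying the given CLSID."""
    name = "Root Entry".encode("utf-16-le") + b"\x00\x00"
    # name length, object type (5 = root storage), colour, left, right, child
    fixed = struct.pack("<HBBiii", len(name), 5, 1, -1, -1, 1)
    return (name.ljust(64, b"\x00") + fixed + clsid.bytes_le).ljust(128, b"\x00")


def build_sample_stream() -> bytes:
    """Constructed stand-in for the payload stream; NOT exploit data.

    0x6D0 placeholder bytes (no 0x0D among them), 48 bytes of 0x0D filler,
    then base64 of 4096 deterministic pseudo-random bytes as the decoy."""
    placeholder = bytes((i * 7 + 3) & 0xFF for i in range(0x6D0)).replace(b"\r", b"\x00")
    rng = random.Random(20240601)
    decoy = base64.b64encode(bytes(rng.getrandbits(8) for _ in range(4096)))
    return placeholder + b"\r" * 48 + decoy


if __name__ == "__main__":
    clsid = clsid_from_directory_entry(build_root_entry(EQUATION_EDITOR_CLSID))
    print(f"root entry CLSID {clsid} -> {describe_clsid(clsid)}")
    for key, value in triage_equation_stream(build_sample_stream()).items():
        print(f"{key}: {value}")
```

The 0x0D-run heuristic mirrors what was visible in the hex dump; on a real stream you would confirm the cut by emulating the shortened file, exactly as the video does, rather than trusting the split on its own.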