DisView is a disassembler. When you run OfficeMalScanner with "scan debug", it may flag an interesting portion of code but print only a truncated disassembly. DisView displays much more code, starting at an offset you choose, to help with the analysis.


Usage: DisView <file> <offset to start>


The command below shows only part of the disassembled code starting at offset 0x90c53:

C:\tools\OfficeMalScanner>OfficeMalScanner.exe \malware\TestYourMind.ppt scan brute debug



CALL next/POP signature found at offset: 0x90c53

E800000000                         call $+00000005h
5A                                 pop edx
55                                 push ebp
8BEC                               mov ebp, esp
81EC64040000                       sub esp, 00000464h
8BF4                               mov esi, esp
E861030000                         call $+00000366h
8BF8                               mov edi, eax
E8C4020000                         call $+000002C9h
8906                               mov [esi], eax
895E04                             mov [esi+04h], ebx
FF36                               push [esi]
68AD9B7DDF                         push DF7D9BADh
E8E6020000                         call $+000002EBh
89460C                             mov [esi+0Ch], eax
FF36                               push [esi]


Brute-forcing for encrypted PE- and embedded OLE-files now...
Bruting XOR Key: 0xff
Bruting ADD Key: 0xff
Bruting ROL Key: 0x08

Analysis finished!

TestYourMind.ppt seems to be malicious! Malicious Index = 108

We can use DisView to display more disassembled code, starting at the mentioned offset:

C:\tools\OfficeMalScanner>DisView.exe \malware\TestYourMind.ppt 0x90c53
Filesize is 631296 (0x9a200) Bytes

00090C53: E800000000               call $+00000005h
00090C58: 5A                       pop edx
00090C59: 55                       push ebp
00090C5A: 8BEC                     mov ebp, esp
00090C5C: 81EC64040000             sub esp, 00000464h
00090C62: 8BF4                     mov esi, esp
00090C64: E861030000               call $+00000366h
00090C69: 8BF8                     mov edi, eax
00090C6B: E8C4020000               call $+000002C9h
00090C70: 8906                     mov [esi], eax
00090C72: 895E04                   mov [esi+04h], ebx
00090C75: FF36                     push [esi]
00090C77: 68AD9B7DDF               push DF7D9BADh
00090C7C: E8E6020000               call $+000002EBh
00090C81: 89460C                   mov [esi+0Ch], eax
00090C84: FF36                     push [esi]
00090C86: 68A517007C               push 7C0017A5h
00090C8B: E8D7020000               call $+000002DCh
00090C90: 89462C                   mov [esi+2Ch], eax
00090C93: FF36                     push [esi]
00090C95: 68FB97FD0F               push 0FFD97FBh
00090C9A: E8C8020000               call $+000002CDh
00090C9F: 894618                   mov [esi+18h], eax
00090CA2: FF36                     push [esi]
00090CA4: 68E6178F7B               push 7B8F17E6h
00090CA9: E8B9020000               call $+000002BEh
00090CAE: 894630                   mov [esi+30h], eax
00090CB1: FF36                     push [esi]
00090CB3: 682912C656               push 56C61229h
00090CB8: E8AA020000               call $+000002AFh
00090CBD: 894610                   mov [esi+10h], eax
00090CC0: FF36                     push [esi]
00090CC2: 68593C077B               push 7B073C59h
00090CC7: E89B020000               call $+000002A0h
00090CCC: 894614                   mov [esi+14h], eax
00090CCF: FF36                     push [esi]
00090CD1: 683B4743DD               push DD43473Bh
00090CD6: E88C020000               call $+00000291h
00090CDB: 894628                   mov [esi+28h], eax
00090CDE: FF36                     push [esi]
00090CE0: 683B4673CB               push CB73463Bh
00090CE5: E87D020000               call $+00000282h
00090CEA: 894624                   mov [esi+24h], eax
00090CED: FF36                     push [esi]
00090CEF: 6803F2A640               push 40A6F203h
00090CF4: E86E020000               call $+00000273h
00090CF9: 894620                   mov [esi+20h], eax
00090CFC: FF36                     push [esi]
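
Added example (not part of OfficeMalScanner or the original page): a Python script that parses DisView output lines like those above, resolves each "call $+N" to an absolute file offset, and records a "push imm32" that directly precedes the call. The resolved offsets are candidates for the next DisView run; the function names are this example's own, and it assumes the code is stored contiguously in the file.

```python
import re
from collections import defaultdict

# Lines copied from the DisView output above (a subset, to keep the example short).
LISTING = """\
00090C64: E861030000               call $+00000366h
00090C69: 8BF8                     mov edi, eax
00090C6B: E8C4020000               call $+000002C9h
00090C70: 8906                     mov [esi], eax
00090C72: 895E04                   mov [esi+04h], ebx
00090C75: FF36                     push [esi]
00090C77: 68AD9B7DDF               push DF7D9BADh
00090C7C: E8E6020000               call $+000002EBh
00090C81: 89460C                   mov [esi+0Ch], eax
00090C84: FF36                     push [esi]
00090C86: 68A517007C               push 7C0017A5h
00090C8B: E8D7020000               call $+000002DCh
"""

LINE = re.compile(r"^([0-9A-Fa-f]{8}):\s+([0-9A-Fa-f]+)\s+(.+?)\s*$")

def parse(listing):
    """Yield (file_offset, raw_bytes, text) for each DisView output line."""
    for line in listing.splitlines():
        m = LINE.match(line)
        if m:
            yield int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)

def call_targets(listing):
    """Map call target offset -> [(call site, immediate pushed just before, or None)]."""
    targets = defaultdict(list)
    last_imm = None
    for off, raw, _text in parse(listing):
        if raw[0] == 0x68 and len(raw) == 5:      # push imm32
            last_imm = int.from_bytes(raw[1:], "little")
        elif raw[0] == 0xE8 and len(raw) == 5:    # call rel32, relative to next instruction
            rel = int.from_bytes(raw[1:], "little", signed=True)
            targets[off + 5 + rel].append((off, last_imm))
            last_imm = None
        else:
            last_imm = None                        # only keep a push that directly precedes a call
    return dict(targets)

if __name__ == "__main__":
    for tgt, sites in sorted(call_targets(LISTING).items()):
        print(f"target 0x{tgt:X} (next DisView offset candidate):")
        for site, imm in sites:
            arg = f"push 0x{imm:08X}" if imm is not None else "no immediate"
            print(f"  called from 0x{site:08X} ({arg})")
```

On this subset, both calls that follow a pushed constant resolve to the same offset, 0x90F67, so that routine is the natural next starting point for DisView.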


