larating.blogg.se

Cerbero suite advanced

We would like to thank InQuest for this interesting malware sample: it's a great sample to show the power of Cerbero Suite! The first thing we notice when opening the malicious document with Cerbero Suite is that it contains VBA code. If we glance over the code, we reach an interesting part. This part of the code dumps a VBE script to disk and executes it.

VBE files are encoded VBS scripts, and Cerbero Suite automatically decodes these scripts into readable VBS code. In order to find the encoded script, we go to the "sdghfgjfgkgkghk.o" stream. If you don't know where the encoded script begins, you can just advance the cursor in the hex view and keep pressing "Ctrl+E" until Cerbero automatically detects the encoded script. Once we find the start of the VBE script, we press "OK" to load the embedded object.
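
The search for the start of the encoded script described above can also be scripted over a dumped stream. The following Python is an added example, not code from Cerbero Suite or the original article; it assumes the publicly described Script Encoder framing (a `#@~^` start marker followed by a base64 length field, and a `^#~@` end marker), and the function name and sample bytes are constructed for illustration.

```python
import base64
import re
import struct

# Script Encoder framing (assumed from public format descriptions):
#   "#@~^" + 6 base64 chars + "==" + encoded body + checksum + "^#~@"
VBE_HEADER = re.compile(rb"#@~\^([A-Za-z0-9+/]{6})==")
VBE_END = b"^#~@"


def find_vbe_blocks(data: bytes) -> list:
    """Return offset, declared length field and end of each VBE candidate."""
    headers = list(VBE_HEADER.finditer(data))
    blocks = []
    for i, m in enumerate(headers):
        # Never search past the next header, so a truncated block does not
        # borrow the end marker of the block that follows it.
        limit = headers[i + 1].start() if i + 1 < len(headers) else len(data)
        end = data.find(VBE_END, m.end(), limit)
        # The header field is a base64-encoded 32-bit little-endian integer.
        (declared,) = struct.unpack("<I", base64.b64decode(m.group(1) + b"=="))
        blocks.append({
            "offset": m.start(),
            "declared_length": declared,
            "end": end + len(VBE_END) if end >= 0 else None,
            "complete": end >= 0,
        })
    return blocks


# Constructed sample (not from the analysed document): padding, a decoy
# marker with no valid header, one framed block with a placeholder body,
# and one block that is cut off before its end marker.
SAMPLE = (
    b"\x00\x01\x02pad"
    + b"#@~^zz" + b"\xff" * 4
    + b"#@~^DgAAAA==" + b"PLACEHOLDERBODY" + b"AAAAAA==^#~@"
    + b"\x00" * 3
    + b"#@~^BAAAAA==cut"
)

if __name__ == "__main__":
    for block in find_vbe_blocks(SAMPLE):
        state = "complete" if block["complete"] else "truncated"
        print(f"VBE candidate at 0x{block['offset']:x}, "
              f"declared length {block['declared_length']}, {state}")
```

The reported offset is where the cursor would be placed in the hex view; a truncated hit suggests the script continues in another stream or the dump is incomplete.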











