Category Archives: VBScript

A deeper look at Office documents flat style

Posted on July 27, 2021 by pcsxcetrasupport3

Over the last few years I have seen some samples that use the xml style of Word Documents with base64 encoded ActiveMime data. What started this was a recent Twitter post by HunterMaor @bit_dam Here where he was not able … Continue reading

Posted in Malware, security, VBScript | Tagged , , | 1 Comment

More on Yara And Building Rules

Posted on May 10, 2021 by pcsxcetrasupport3

I’ve been learning how to build and modify yara rules lately but my biggest pain was getting the formattting correct. In a recent Twitter thread Here James @James_inthe_box  posted where asyncrat was using pastebin  to host their encoded rat. My … Continue reading

Posted in Malware, Programming, VBScript | Tagged , , , | 2 Comments

Extracting Shellcode from VBA to PowerShell

Posted on March 26, 2020 by pcsxcetrasupport3

This post will revolve around using my tools to extract the vba code then clean a base64 string that is exploded into multiple lines and then decode to a PowerShell script then extract the shellcode from the script and get … Continue reading

Posted in Malware, PowerShell, VBScript | Tagged , , , | 1 Comment

A deeper look into a wild VBA Macro

Posted on January 26, 2019 by pcsxcetrasupport3

This Sample comes from Brad Duncan @malware_traffic from his SANS ICS Diary located Here and the Files on His blog Here. For this session I will be using “2019-01-23-example-of-attached-Word-doc-1-of-7” word document. I ended up looking at this from different directions … Continue reading

Posted in Malware, Programming, VBScript | Tagged , | Comments Off on A deeper look into a wild VBA Macro

A look at a Word document macro using Invoke-DOSfuscation

Posted on July 28, 2018 by pcsxcetrasupport3

The sample from this one comes from  Packet Wire @packet_Wire. Twitter thread here  After getting the location of the Word document and downloading it. The file name was “Auditor-of-State-Notification-of-EFT-Deposit” with hash values of. Sha1: 4C7C8B1897CA22E4E477C361DAF676D471A4F4AFSha256: EBDA287F6B33A0C7A689E1D8FDE7ABC708C9DFBCA2759A56CD055868B2CC0911MD5: 35756ECC87405E42F62DEEEEF18FD43A Let’s dive into … Continue reading

Posted in Malware, PowerShell, VBScript | Tagged , , | Comments Off on A look at a Word document macro using Invoke-DOSfuscation

Peeling away the layers of a word document macro

Posted on November 18, 2017 by pcsxcetrasupport3

The sample used in this one was first brought to my attention from the blog post by @HerbieZimmerman  and the blog post is here. https://www.herbiez.com/?p=1028 and the link to the doc file is here https://www.hybrid-analysis.com/sample/0de3f4380b642e59d0cde5570ed13bfc727000b94a034ce10e1f87bfac3fac79?environmentId=100 This one peaked my interest … Continue reading

Posted in Malware, PowerShell, security, VBScript | Tagged , , | Comments Off on Peeling away the layers of a word document macro

Converting VB Script To VB.Net

Posted on November 12, 2011 by pcsxcetrasupport3

My Last Post Titled “Event 10 Mystery Solved” (found here.), Left me with a Question about the binary version of the SID, A returned value of  CreatorSID: 1,5,0,0,0,0,0,5,21,0,0,0,190,118,173,34,87,198,105,19,239,226,7,24,244,1,0,0 I started searching the net to see if anyone has posted a … Continue reading

Posted in CodeProject, Programming Tools, System Tools, VB.net, VBScript | Tagged , , , | Comments Off on Converting VB Script To VB.Net