Shellcode in word document- is it ever normal?

Nirv5668 (thread author), Mar 21, 2015
I received some suspicious word documents a while back, uploaded them to malwr.com and received this:

"YARA: shellcode - Matched shellcode byte patterns"

(I would love to share the malwr.com analysis, but it's not a document I can share publicly and I can't figure out how to remove or hide all the identifying information and still get the detection; let me know if there is a workaround!)

I uploaded many other word documents created in the same way and did not get this again. It happens with a docx file with images, if that makes a difference.

I tried OfficeMalScanner after saving as .doc (which still has the above shellcode on malwr.com) and it detects something like 'API hashing at offset...' and then crashes. It crashes on other documents as well, so I am not sure I am using it correctly. But, it does not detect anything before crashing on other documents.

If I delete the image files, the detection is gone, but the image files themselves (docx changed to zip and images taken from there) don't seem to generate this. I am going to double-check this part though. So, it's something with the Word document and the images embedded in it?

I probably won't trust this and related documents, but now I want to understand what could cause this and what/where the shellcode is and what it is doing. A PDF sent along with it had "Possibly employs anti-virtualization techniques" detection, but maybe I should save that for a separate post, just mentioning it here in case it matters. Both documents were in same e-mail and opened at the same time.

Are there legitimate reasons for this detection in a word document? Anything I can do to figure out what is going on? I figured some expert here would have more insight into this :)
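One practical way to answer "what/where is the shellcode" is to stop scanning the .docx as a single blob and instead scan each ZIP member separately, so a hit can be tied to a specific part (word/document.xml, word/media/image1.png, ...) and a byte offset. The script below is an added example, not code from the original post and not the YARA rule malwr.com or OfficeMalScanner actually use. The byte patterns are a small assumed set of classic x86 shellcode idioms (PEB access via fs:[30h], ror-13 API hashing, call $+5 for GetPC) chosen for illustration; the sample .docx it builds is constructed in memory with a planted `ror edi, 0Dh` sequence inside a fake PNG member, purely to show the output.

```python
import io
import zipfile

# Assumed heuristic set: short x86 byte sequences that shellcode scanners commonly
# flag. This is an illustrative list, not the rule set of any particular tool.
PATTERNS = {
    "mov eax, fs:[30h] (PEB access)": bytes.fromhex("64A130000000"),
    "mov esi, fs:[30h] (PEB access)": bytes.fromhex("648B3530000000"),
    "ror edi, 0Dh (API hashing)":     bytes.fromhex("C1CF0D"),
    "ror edx, 0Dh (API hashing)":     bytes.fromhex("C1CA0D"),
    "call $+5 (GetPC)":               bytes.fromhex("E800000000"),
}


def find_patterns(data):
    """Return [(pattern_name, offset), ...] for every occurrence in `data`."""
    hits = []
    for name, pat in PATTERNS.items():
        start = 0
        while True:
            idx = data.find(pat, start)
            if idx == -1:
                break
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def scan_docx(blob):
    """Scan the raw container and each decompressed ZIP member of a .docx.

    Returns {member_name: hits}. The raw file is reported under "<container>"
    so you can see whether a hit only exists in the compressed bytes (a
    coincidence of deflate output) or inside an actual part of the document.
    """
    results = {}
    raw_hits = find_patterns(blob)
    if raw_hits:
        results["<container>"] = raw_hits
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            member = zf.read(info.filename)  # decompressed content of this part
            hits = find_patterns(member)
            if hits:
                results[info.filename] = hits
    return results


def build_sample_docx():
    """Constructed sample: a minimal docx-like ZIP with a clean document part and
    a fake image part that carries a planted C1 CF 0D (ror edi, 0Dh) at offset 24.
    Not a real Word file; it exists only so the scan has something to find."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml",
                    "<w:document><w:body><w:p/></w:body></w:document>")
        fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"\xc1\xcf\x0d" + b"\x00" * 8
        # Stored (not deflated) so the bytes are identical inside the container.
        zf.writestr("word/media/image1.png", fake_png,
                    compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    for member, hits in scan_docx(sample).items():
        for name, off in hits:
            print(f"{member}: {name} at offset 0x{off:x}")
```

To use it on a real file, replace `build_sample_docx()` with `open("suspect.docx", "rb").read()` and hexdump around each reported offset. Keep the base rate in mind when reading the output: a three-byte sequence such as `C1 CF 0D` turns up by chance roughly once per 16 MiB of uniformly random data, so a lone hit inside a JPEG or inside deflate output is weak evidence, while several of these idioms clustered within a few dozen bytes of each other is the pattern real shellcode produces.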