Showing posts tagged #maldoc

Return Home

Goal

In this entry we will have a look at the Bendis maldoc. Bendis is a fairly unknown and simple maldoc that has a dropper functionality. It's only purpose is being a gateway for more mature malware.

Word document

We are confronted yet again with a Word document which includes macros.

File hashes:

MD5: 3e77ad5e07c65aeeb7a3b2e268eb102b
SHA1: 73f35866e29959a2397303fb3ec0c0b7e74226f3
SHA256: fdda128f909cbfb549a6a342cfb71e09dfbc695d799dbfd80d95b42e82fc1e9c
ssdeep1536:OXxUzn9/biXPK2NSy7DL3WBWZn+9cHYRJ5SEbbXr7eLTFxXw:USYSy49rRLbbO7

If we try to open the VBA debugger we will see heavily obfuscated code, even strings are obfuscated. A quick look reveals that there is a module called XoGrrJy that has many calls to CallByName so

Read More