In this entry we will have a look at the Bendis maldoc. Bendis is a fairly unknown and simple maldoc with dropper functionality. Its only purpose is to serve as a gateway for more mature malware.
We are confronted yet again with a Word document which includes macros.
MD5: 3e77ad5e07c65aeeb7a3b2e268eb102b
SHA1: 73f35866e29959a2397303fb3ec0c0b7e74226f3
SHA256: fdda128f909cbfb549a6a342cfb71e09dfbc695d799dbfd80d95b42e82fc1e9c
ssdeep: 1536:OXxUzn9/biXPK2NSy7DL3WBWZn+9cHYRJ5SEbbXr7eLTFxXw:USYSy49rRLbbO7
If we try to open the VBA debugger, we will see heavily obfuscated code; even the strings are obfuscated. A quick look reveals that there is a module called XoGrrJy that has many calls to