Once a user enables macros for the malicious document, the macro downloads a ZIP file from one of seven hardcoded, obfuscated URLs, iterating through the list until the file is successfully retrieved. It then checks that the HTTP response code is 200 (indicating the file was retrieved). If so, it checks whether the retrieved file is either a PE file or a ZIP file, which suggests the threat actors may adopt alternative file formats to ZIP files containing binary-padded PE files. The file-type check is done by a function that examines the first two bytes of the downloaded payload: it first tests whether those bytes equal the ASCII values of "M" and "Z" (77 and 90, respectively), and if they do, it returns a value of 1, indicating that the file is a PE file.
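The retrieval and file-type triage described above, reconstructed here as an added example in Python rather than the macro's own VBA: probe the first two bytes of the body for the PE magic ("MZ", 0x4D 0x5A) or the ZIP magic ("PK", 0x50 0x4B), and walk a candidate URL list until one returns HTTP 200 with a recognisable payload. The URL list, the fetch stub, the return value used for ZIP (2) and the sample blobs are all constructed for this example; the post only states that the macro returns 1 for a PE file. The same check is useful on the defensive side, for flagging a download whose body starts with "MZ" regardless of the filename or Content-Type it was served with.

```python
"""
Added example (not the macro's code): classify a downloaded payload by its
first two bytes and iterate a URL list until a usable payload is retrieved.
"""

PE_MAGIC = b"MZ"   # ASCII 77, 90: DOS/PE header
ZIP_MAGIC = b"PK"  # ASCII 80, 75: ZIP local file header


def classify_payload(data: bytes) -> int:
    """Return 1 for a PE file (as the post describes), 2 for a ZIP archive
    (an assumed convention for this example), 0 for anything else."""
    if len(data) < 2:
        return 0
    head = data[:2]
    if head == PE_MAGIC:
        return 1
    if head == ZIP_MAGIC:
        return 2
    return 0


# Constructed stand-ins for the seven hardcoded URLs in the macro.
CANDIDATE_URLS = [f"http://example.invalid/payload{i}" for i in range(1, 8)]


def make_fake_fetcher(responses):
    """Build an offline fetcher: url -> (status_code, body). Hypothetical
    stand-in for the HTTP request the macro performs."""
    def fetch(url):
        return responses.get(url, (404, b""))
    return fetch


def retrieve_payload(urls, fetch):
    """Iterate the URL list until one returns HTTP 200 with a PE or ZIP body.
    Returns (url, kind, body), or None if every candidate fails."""
    for url in urls:
        status, body = fetch(url)
        if status != 200:
            continue  # not retrieved; try the next hardcoded URL
        kind = classify_payload(body)
        if kind:
            return url, kind, body
    return None


if __name__ == "__main__":
    # Constructed sample responses: a dead URL, a decoy HTML page, then a ZIP.
    sample = {
        CANDIDATE_URLS[0]: (404, b""),
        CANDIDATE_URLS[1]: (200, b"<html>nothing here</html>"),
        CANDIDATE_URLS[2]: (200, b"PK\x03\x04" + b"\x00" * 26),
    }
    print(retrieve_payload(CANDIDATE_URLS, make_fake_fetcher(sample)))
```

Because the classifier only reads two bytes, a response served with a misleading extension or Content-Type is still caught; conversely, a practitioner should remember that "MZ" alone does not prove a valid PE, only that the file claims to be one.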