Posted on

TriJklcj2HIUCheDES decryption failed?, (Fri, Nov 2nd)

I received a malicious Word document with detections on VirusTotal, but it does not exhibit malicious behavior in a sandbox.

That’s because it’s buggy:

The malware author must have executed a search and replace for string “pl” by string “Jklcj2HIUCh” to obfuscate the function and variable names a bit, without noticing “unwanted” replacements leading to the corruption of the TripleDES COM object name.

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Leave a Reply

Your email address will not be published. Required fields are marked *