Miskip file extractor

This Python script extracts the decoy document and the malware payload from malicious Word documents detected as TrojanDropper:W97M/Miskip.A and TrojanDropper:W97M/Miskip.B. This job is normally done by the VBA macro once the Word document is opened and macros are enabled; the script reproduces that step from the file itself, so the document does not have to be opened in Word.

There are two versions of TrojanDropper:W97M/Miskip documents in the wild (ITW), each with a different version of the macro. This script is able to extract the files from both versions. Older versions of Miskip only have the malware payload appended to the Word document; in those samples the decoy document is embedded inside the dropped malware. Newer versions have both the decoy document and the malware payload appended to the document.
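To make the "appended file" layout concrete, the following is an added example (not the repository's miskip_file_extractor.py and not a description of how that script works). It assumes, as a labelled assumption, that the appended files are encrypted with a single-byte XOR key, which is consistent with the one-byte "Decryption key" the tool reports but is not stated on this page. Instead of relying on offsets hard-coded in the macro, it recovers each blob's position and key from known plaintext: the Compound File (legacy `.doc`) magic for the decoy, and the DOS stub plus `e_lfanew -> "PE\0\0"` for the payload. The sample container it builds is constructed test data, not a real Miskip document.

```python
"""Locate and decrypt single-byte-XOR-encrypted files appended to a Word document.

Added example; this is not the repository's miskip_file_extractor.py.
Assumptions (not stated on the page): the appended files are XOR-ed with a
single byte, and their offsets are unknown, so they are recovered from known
plaintext (OLE magic for the decoy, DOS stub and e_lfanew -> "PE\0\0" for the
payload). The container built in build_sample() is constructed test data.
"""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"        # legacy .doc (Compound File) header
DOS_STUB = b"This program cannot be run in DOS mode"   # present in almost every PE's DOS stub


def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; decryption is the same operation."""
    return bytes(b ^ key for b in data)


def find_xored_marker(container: bytes, marker: bytes) -> list[tuple[int, int]]:
    """Return (offset, key) for every place marker occurs XOR-ed with some byte key.

    Key 0 hits are plaintext occurrences, e.g. the host document's own header.
    """
    hits = []
    for key in range(256):
        needle = xor1(marker, key)
        pos = container.find(needle)
        while pos >= 0:
            hits.append((pos, key))
            pos = container.find(needle, pos + 1)
    return hits


def find_xored_pe(container: bytes) -> list[tuple[int, int]]:
    """Locate XOR-ed PE files: find the DOS stub, walk back to 'MZ', confirm 'PE\0\0' via e_lfanew."""
    found = []
    for stub_off, key in find_xored_marker(container, DOS_STUB):
        # The stub sits within the first 0x80 bytes of a PE, so search backwards from it.
        for mz in range(stub_off - 2, max(stub_off - 0x80, 0) - 1, -1):
            hdr = xor1(container[mz:mz + 0x40], key)
            if len(hdr) < 0x40 or hdr[:2] != b"MZ":
                continue
            e_lfanew = struct.unpack_from("<I", hdr, 0x3C)[0]
            sig = xor1(container[mz + e_lfanew:mz + e_lfanew + 4], key)
            if sig == b"PE\0\0":
                found.append((mz, key))
                break
    return found


def analyze(container: bytes) -> dict:
    """Report decoy/payload offset, size and key; each blob is taken to run to the next blob or EOF."""
    decoys = [(off, key) for off, key in find_xored_marker(container, OLE_MAGIC) if off != 0]
    pes = find_xored_pe(container)
    starts = sorted(off for off, _ in decoys + pes) + [len(container)]
    report = {}
    for name, hits in (("decoy", decoys), ("payload", pes)):
        if hits:
            off, key = hits[0]
            end = next(s for s in starts if s > off)
            report[name] = {"offset": off, "size": end - off, "key": key,
                            "data": xor1(container[off:end], key)}
    return report


def build_fake_pe(body: bytes) -> bytes:
    """Minimal PE-shaped bytes: 'MZ', e_lfanew at 0x3C, DOS stub at 0x4E, 'PE\0\0' at 0x80."""
    e_lfanew = 0x80
    pe = bytearray(b"MZ" + b"\0" * 0x3A)
    pe += struct.pack("<I", e_lfanew)
    pe += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB + b".\r\r\n$"
    pe += b"\0" * (e_lfanew - len(pe))
    pe += b"PE\0\0" + body
    return bytes(pe)


def build_sample(key: int = 0x4B) -> tuple[bytes, bytes, bytes]:
    """Constructed 'newer macro' layout: host .doc, then XOR-ed decoy, then XOR-ed payload."""
    host = OLE_MAGIC + b"\0" * 0x200                                   # stand-in for the host document
    decoy = OLE_MAGIC + b"Decoy document body".ljust(0x1F8, b"\0")      # 512-byte fake decoy .doc
    payload = build_fake_pe(b"payload code".ljust(0x100, b"\0"))        # 388-byte fake payload
    return host + xor1(decoy, key) + xor1(payload, key), decoy, payload


if __name__ == "__main__":
    container, _, _ = build_sample()
    for name, info in analyze(container).items():
        print(f"{name}: offset 0x{info['offset']:x}, size {info['size']} bytes, key 0x{info['key']:02x}")
        with open(f"{name}.bin", "wb") as fh:
            fh.write(info["data"])
```

Because the sizes are inferred from the next blob's start, the last blob absorbs any trailing bytes in the file; the real macro carries exact sizes, which is why the tool above can print them. Writing the recovered files with a `.bin` extension, as the tool does, keeps the payload from being launched by accident.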

A complete analysis of the threat can be found here: http://www.malware-reversing.com/2016/06/new-threat-actor-uses-vba-macros-in.html

Usage

The file name of the malicious Miskip document must be passed as the only argument:

```
miskip_file_extractor.py <filename>
```

Example run on a Miskip Word document carrying the newer macro:

```
> miskip_file_extractor.py Miskip.doc

Miskip file extractor
*********************

Macro version: new
Decoy document offset: 0x12804
Decoy document size: 28160 bytes
Decoy document successfully decrypted as: decoy_doc.bin
Payload offset: 0x19609
Payload size: 666846 bytes
Payload successfully decrypted as: payload_exe.bin
Decryption key: 0x4b
```

The extracted files are written as "decoy_doc.bin" for the decoy Word document and/or "payload_exe.bin" for the malware payload executable; a document with the older macro yields only "payload_exe.bin", since its decoy is carried inside the dropped malware. The payload is a live Windows executable, so the ".bin" extension only keeps it from being launched by accident: handle it in an isolated analysis environment.