Miskip file extractor

This Python script extracts the decoy document and the malware payload from malicious Word documents detected as TrojanDropper:W97M/Miskip.(A/B). Normally the embedded macro performs this step itself once the document is opened and macros are enabled; the script does it without running the macro.

Two versions of TrojanDropper:W97M/Miskip documents have been seen in the wild, each with a different version of the macro. This script is able to extract the files from both. Older versions of Miskip only have the malware payload appended to the Word document, and the decoy document is embedded inside the dropped malware. Newer versions have both the decoy document and the malware payload appended to the Word document.

A complete analysis of the threat can be found here: http://www.malware-reversing.com/2016/06/new-threat-actor-uses-vba-macros-in.html


The file name of the malicious Miskip document must be passed as the only argument:

```
miskip_file_extractor.py <filename>
```

Example of a Miskip Word document with newer macro:

```
> miskip_file_extractor.py Miskip.doc

Miskip file extractor

Macro version: new
Decoy document offset: 0x12804
Decoy document size: 28160 bytes
Decoy document successfully decrypted as: decoy_doc.bin
Payload offset: 0x19609
Payload size: 666846 bytes
Payload successfully decrypted as: payload_exe.bin
Decryption key: 0x4b
```

The extracted files are written to the current directory as "decoy_doc.bin" (the decoy Word document) and/or "payload_exe.bin" (the malware payload executable), depending on which of the two the macro version carries.
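As an added example, not code from the Miskip extractor itself, the following Python shows the carving step the README describes: cut the appended blob at a known offset and size, recover a single-byte key by checking the decrypted header against the .doc and .exe file signatures, and report offset, size and key the way the script's output does. The single-byte XOR cipher, the signature-based key recovery and the sample bytes are assumptions constructed for this example; the README does not state the algorithm the macro uses.

```python
# Added example; not the Miskip extractor's own code. The single-byte XOR
# cipher, the magic-based key recovery and the sample bytes are assumptions.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # header of a legacy .doc file
PE_MAGIC = b"MZ"                                  # header of a Windows executable


def xor_bytes(data: bytes, key: int) -> bytes:
    """Apply a single-byte XOR key (assumed cipher) to the whole blob."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes, magics=(OLE_MAGIC, PE_MAGIC)):
    """Try all 256 single-byte keys; return (key, magic) for the first key whose
    decrypted header matches a known file signature, else None."""
    for key in range(256):
        head = xor_bytes(blob[:8], key)
        for magic in magics:
            if head.startswith(magic):
                return key, magic
    return None


def carve(document: bytes, offset: int, size: int):
    """Cut the blob at offset/size and decrypt it if a key can be recovered."""
    blob = document[offset:offset + size]
    if len(blob) != size:
        raise ValueError("blob runs past the end of the document")
    found = recover_key(blob)
    if found is None:
        return None
    key, magic = found
    kind = "doc" if magic == OLE_MAGIC else "exe"
    return {"key": key, "kind": kind, "data": xor_bytes(blob, key)}


# Constructed sample: a fake host document followed by two "encrypted" blobs,
# mirroring the layout the newer Miskip macro leaves (decoy, then payload).
KEY = 0x4B
HOST = b"A" * 64
DECOY = OLE_MAGIC + b"decoy content".ljust(24, b"\x00")
PAYLOAD = PE_MAGIC + b"\x90\x00" + b"payload".ljust(13, b"\x00")
SAMPLE = HOST + xor_bytes(DECOY, KEY) + xor_bytes(PAYLOAD, KEY)
DECOY_OFF, PAYLOAD_OFF = len(HOST), len(HOST) + len(DECOY)

if __name__ == "__main__":
    for name, off, size in (("decoy", DECOY_OFF, len(DECOY)),
                            ("payload", PAYLOAD_OFF, len(PAYLOAD))):
        r = carve(SAMPLE, off, size)
        print(f"{name}: offset=0x{off:x} size={size} kind={r['kind']} key=0x{r['key']:02x}")
```

In a real sample the offsets would come from parsing the OLE container to find where the legitimate document ends; the header check is what lets the recovered key be trusted rather than guessed.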