Miskip file extractor
This Python script extracts the decoy document and the malware payload from malicious Word documents detected as TrojanDropper:W97M/Miskip.(A/B). Normally this job is done by the document's own macro once the victim opens the Word document and enables macros.
Two versions of TrojanDropper:W97M/Miskip documents exist in the wild (ITW), carrying different versions of the macro. This script is able to extract the files from both. Older versions of Miskip only have the malware payload appended to the Word document; the decoy document is embedded in the dropped malware itself. Newer versions have both the decoy document and the malware payload appended to the Word document.
A complete analysis of the threat can be found here: http://www.malware-reversing.com/2016/06/new-threat-actor-uses-vba-macros-in.html
The file name of the malicious Miskip document must be passed as the only argument:
Example of a Miskip Word document with newer macro:
> miskip_file_extractor.py Miskip.doc
Miskip file extractor
*********************
Macro version: new
Decoy document offset: 0x12804
Decoy document size: 28160 bytes
Decoy document successfully decrypted as: decoy_doc.bin
Payload offset: 0x19609
Payload size: 666846 bytes
Payload successfully decrypted as: payload_exe.bin
Decryption key: 0x4b
The extracted files are written as "decoy_doc.bin" for the decoy Word document and/or "payload_exe.bin" for the malware payload executable, depending on which macro version the document carries (older documents yield only the payload).
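The general technique the extractor relies on, as an added example that is not the Miskip extractor's own code: everything a dropper appends to a Word document sits past the end of the OLE2 (CFB) container, so the overlay can be carved by sizing the container from its FAT, and a single-byte key can be recovered from known file headers (the OLE magic of the decoy, the "MZ"/"PE" headers of the payload) instead of being hard-coded. The page does not describe Miskip's real layout or cipher, so the single-byte XOR cipher, the header-based key search, the fallback for an overlay that holds only a payload, and the constructed sample document below are all assumptions made for illustration; the key 0x4b is reused from the sample run above only to build that sample.

```python
"""Added example, not the Miskip extractor's own code: carve the overlay that
trails an OLE2 (CFB) Word document and recover a single-byte XOR key from
known file headers. The XOR cipher, the header-based key search and the
sample container are assumptions; Miskip's real format is not documented here."""
import struct

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
FREESECT = 0xFFFFFFFF


def ole_logical_size(data: bytes) -> int:
    """Bytes covered by the CFB container: the header plus every sector the
    FAT marks as in use. Anything past that is appended overlay. Only the
    109 DIFAT entries held in the header are followed (enough for files up
    to roughly 6.8 MB with 512-byte sectors)."""
    if data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE2 compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 0x1E)[0]
    n_fat = struct.unpack_from("<I", data, 0x2C)[0]
    difat = struct.unpack_from("<109I", data, 0x4C)
    entries_per_fat = sector_size // 4
    used = 0
    for i, fat_sec in enumerate(s for s in difat[:n_fat] if s != FREESECT):
        fat = struct.unpack_from("<%dI" % entries_per_fat, data,
                                 (fat_sec + 1) * sector_size)
        for j, entry in enumerate(fat):
            if entry != FREESECT:
                used = max(used, i * entries_per_fat + j + 1)
    return (used + 1) * sector_size  # sector n starts at (n + 1) * sector_size


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def find_xored(blob: bytes, plaintext: bytes, start: int = 0):
    """Brute-force a single-byte key: search for plaintext ^ k for every k.
    Returns (offset, key) of the first hit, or None."""
    for key in range(256):
        off = blob.find(xor_bytes(plaintext, key), start)
        if off != -1:
            return off, key
    return None


def find_pe(blob: bytes, key: int, start: int = 0):
    """Locate an XOR-encrypted PE under a known key: an 'MZ' whose e_lfanew
    field points at 'PE\\0\\0'. The signature check weeds out chance 'MZ' hits."""
    mz = xor_bytes(b"MZ", key)
    off = blob.find(mz, start)
    while off != -1:
        if off + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from(
                "<I", xor_bytes(blob[off + 0x3C:off + 0x40], key))[0]
            sig = off + e_lfanew
            if sig + 4 <= len(blob) and xor_bytes(blob[sig:sig + 4], key) == b"PE\0\0":
                return off
        off = blob.find(mz, off + 1)
    return None


def extract(doc: bytes) -> dict:
    """Carve the decoy (OLE) and payload (PE) from the overlay. An overlay
    carrying an OLE header is treated as the 'both appended' layout; one
    without it as 'payload only' (assumed mapping to the two macro versions)."""
    base = ole_logical_size(doc)
    ov = doc[base:]
    result = {"overlay_offset": base, "decoy": None, "payload": None, "key": None}
    hit = find_xored(ov, OLE_MAGIC)
    if hit is not None:
        decoy_off, key = hit
        decoy_plain = xor_bytes(ov[decoy_off:], key)
        decoy_size = ole_logical_size(decoy_plain)  # size the decoy by its own FAT
        result.update(key=key, decoy=decoy_plain[:decoy_size])
        pe_off = find_pe(ov, key, decoy_off + decoy_size)
    else:
        pe_off = None
        for k in range(256):  # payload only: brute-force the key on the PE headers
            pe_off = find_pe(ov, k)
            if pe_off is not None:
                result["key"] = k
                break
    if pe_off is not None:
        result["payload"] = xor_bytes(ov[pe_off:], result["key"])
    return result


def minimal_cfb() -> bytes:
    """Constructed sample: smallest plausible CFB (header, one FAT sector,
    one directory sector), 1536 bytes in total."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<H", hdr, 0x1A, 3)        # major version 3
    struct.pack_into("<H", hdr, 0x1C, 0xFFFE)   # little-endian marker
    struct.pack_into("<H", hdr, 0x1E, 9)        # sector shift -> 512-byte sectors
    struct.pack_into("<I", hdr, 0x2C, 1)        # one FAT sector
    struct.pack_into("<I", hdr, 0x30, 1)        # directory chain starts at sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *([FREESECT] * 108))  # DIFAT: FAT at sector 0
    fat = bytearray(b"\xff" * 512)
    struct.pack_into("<II", fat, 0, 0xFFFFFFFD, 0xFFFFFFFE)  # FATSECT, ENDOFCHAIN
    return bytes(hdr) + bytes(fat) + bytes(512)


def sample_pe() -> bytes:
    """Constructed sample: a 128-byte stub with valid MZ/PE headers only."""
    pe = bytearray(0x80)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x40)      # e_lfanew
    pe[0x40:0x44] = b"PE\0\0"
    return bytes(pe)


KEY = 0x4B  # key from the sample run on this page, reused to build the sample document
SAMPLE_DOC = minimal_cfb() + xor_bytes(minimal_cfb(), KEY) + xor_bytes(sample_pe(), KEY)

if __name__ == "__main__":
    r = extract(SAMPLE_DOC)
    print("Overlay offset: 0x%x" % r["overlay_offset"])
    print("Decoy document size: %d bytes" % len(r["decoy"]))
    print("Payload size: %d bytes" % len(r["payload"]))
    print("Decryption key: 0x%02x" % r["key"])
```

Sizing the container from the FAT rather than trusting the file length is what makes the overlay carve robust: a dropper can append anything, but it cannot move the OLE sectors without breaking the document that Word has to open. The same `ole_logical_size` call is reused on the decrypted decoy to find where it ends and the payload begins.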