IDAPython Deobfuscation Scripts for Nymaim Samples


MyNaim, an anagram of the malware family name 'Nymaim', is a collection of IDAPython deobfuscation scripts useful for anyone analyzing a Nymaim sample. Nymaim's obfuscation techniques have stayed more or less the same throughout the years, so sharing my scripts might save other analysts some time :)

Feature List

  1. Deobfuscates functions used to do a simple register push
  2. Deobfuscates proxy function calls
  3. Provides a function to emulate the hashing and xor-ing of strings in Nymaim
  4. Provides a function to turn obfuscated offsets to their respective API addresses/names


  1. Configure the path to PyEmu in
  2. Position the cursor anywhere within the text segment of the sample
  3. Load in IDAPro
  4. In the IDAPython interpreter, execute init(), then deobfuscate() for as many times as you like :)


Pro tip: You can actually re-run deobfuscate() after renaming your functions in order to update their names in the comments



  • Deobfuscate library calls