CVE-2017-0262 Sample
The obfuscation
The PostScript code starts with an XOR loop that uses the key 0xC45D6491, implemented with only built-in PostScript functionality.
Using our Cryptam multi tool, we'll decode the EPS block manually:
$ php cryptam_multi.php eps.test -xor c45d6491
using XOR key c45d6491
$ ./quicksand.out eps.test.out
-0> root {7}
md5:237e6dcbc6af50ef5f5211818522c463
sha1:228c21dff49376c0946fe2bbe21448bbdbfcf13a
sha256:385655e10c8a7718bb50e969979cf4f08a2380f67827ce01d05874c49b3a5c13
head:7b202f48656c7665
size:347320
yara:exploits:exploit_cve_2017_0262
yara:executable:executable_win
structhash:nO
qsversion:01.06.004
qstime:2017:05:11 14:08:48
score:20
is_malware:2
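As an added example (not code from the original post, nor from the Cryptam or QuickSand tools), the decoding step above in Python: it strips a repeating 4-byte XOR layer like the one over this sample's EPS block, and also recovers the key from a known-plaintext crib, using the decoded head QuickSand reported (7b202f48656c7665, i.e. "{ /Helve"). The key byte order (c4 5d 64 91, as written) and the PostScript fragment used as stand-in input are assumptions.

```python
from typing import Optional

KEY_HEX = "c45d6491"  # key from the post; assumed to be applied as bytes c4 5d 64 91

# Decoded head of the EPS block as reported by QuickSand: 7b202f48656c7665 == b"{ /Helve"
CRIB = bytes.fromhex("7b202f48656c7665")

def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the same operation encodes and decodes)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(encoded: bytes, crib: bytes = CRIB, key_len: int = 4) -> Optional[bytes]:
    """Known-plaintext recovery of the XOR key: the first key_len encoded bytes XOR
    the first key_len crib bytes give the key; the remaining crib bytes verify it.
    Returns None when the crib does not fit at offset 0."""
    if len(encoded) < len(crib) or len(crib) < key_len:
        return None
    key = xor_repeating(encoded[:key_len], crib[:key_len])
    return key if xor_repeating(encoded[:len(crib)], key) == crib else None

def looks_like_postscript(buf: bytes) -> bool:
    """Sanity check on a decoded layer: mostly printable ASCII plus PostScript-ish tokens."""
    if not buf:
        return False
    printable = sum(1 for b in buf if 32 <= b < 127 or b in b"\r\n\t")
    tokens = (b" def", b"bind", b"exec", b"string", b"/Helvetica")
    return printable / len(buf) >= 0.9 and sum(t in buf for t in tokens) >= 2

def decode_eps_layer(encoded: bytes, key_hex: Optional[str] = None) -> bytes:
    """Decode with a supplied hex key (like cryptam's -xor flag) or a crib-recovered one."""
    key = bytes.fromhex(key_hex) if key_hex else recover_key(encoded)
    if key is None:
        raise ValueError("could not recover XOR key from crib")
    return xor_repeating(encoded, key)

# Constructed stand-in for the obfuscated block (not the real sample): a small
# PostScript fragment with the reported head, encoded under the reported key.
SAMPLE_PLAIN = b"{ /Helvetica findfont 12 scalefont setfont /s 16 string def s exec } bind def\n"
SAMPLE_ENCODED = xor_repeating(SAMPLE_PLAIN, bytes.fromhex(KEY_HEX))

if __name__ == "__main__":
    key = recover_key(SAMPLE_ENCODED)
    out = decode_eps_layer(SAMPLE_ENCODED)
    print(key.hex() if key else None, looks_like_postscript(out), out[:16])
```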
Deobfuscated PostScript
We've added a new PostScript XOR obfuscation Yara signature, warning_EPS_xor_exec, to our QuickSand_Lite project on GitHub.
Indicators
CVE-2017-0262 Sample [Report]
Filename Confirmation_letter.docx.bin
Size 251036 bytes
MD5 2abe3cc4bff46455a945d56c27e9fb45
SHA1 0bd354d1eea9e4864f4c17e6c22bfdb81d88ddee
SHA256 6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490
CVE-2017-0261 Sample [Report] (obfuscated)
Filename Trump's_Attack_on_Syria_English.docx
Size 268950 bytes
MD5 f8e92d8b5488ea76c40601c8f1a08790
SHA1 d5235d136cfcadbef431eea7253d80bde414db9d
SHA256 91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9