In this video, we’ll explore a recent XLS document that drops and executes a DLL using RUNDLL32. The DLL is small and only used to download the next stage. However, it employs rather straight-forward string obfuscation using the bitwise XOR operation. An important skill for any reverse engineer/malware analyst is to be able to create plugins to assist in statically decoding these strings and doing so across the entire disassembly database. This video is intended to get you started creating IDA Plugins with Python, recognize the importance of deobfuscating strings and work on translating assembly to a higher-level language (i.e. Python).
You can find the IDA Python plugin at: https://github.com/jstrosch/XOR-Decode-Strings-IDA-Plugin
You can find the sample and other artifacts at: https://github.com/jstrosch/malware-samples/tree/master/maldocs/unknown/2020/December
The sample is also available on AnyRun: https://app.any.run/tasks/8823560f-d44a-45bc-9706-aac3ac7dd30c/