Press "Enter" to skip to content

Author: Ryan Blevins

My name is Ryan Blevins and I reside in The Pacific Northwest. I like hiking, camping, photography, and generally being in the great outdoors (weather sort-of permitting). My education has begun by earning a BS in Cyber Security from Dakota State University. Professionally my interests are in threat intelligence, specifically, all things malware related.

Ghidra Plug-in to Decode XOR-Obfuscated Strings

As a reverse engineer/malware analyst, it is important to be able to write scripts to help automate your workflow. One example is to be able to write plug-ins for tools such as Ghidra that can aid in deobfuscating strings for a particular sample. In this example we will be recovering strings that have been obfuscated using the bitwise XOR operation. This example uses fairly simple techniques that will serve as an introduction to writing Python Plugins, and string deobfuscation routines. Code: sample and DLL: on Youtube: Below is a sample of the obfuscated string pattern. The function…

Comments closed

Analyzing Document with Malicious Excel 4.0 Macros

Let’s look at an example of Excel 4.0 macros, which is an old technique that has made a recent comeback. Excel 4.0 macros were introduced in Excel version 4.0 in 1992. What makes theses macros so powerful, is you can run commands directly from these sheets in an Excel document. There is a long list of what you can do ( and How Do Excel 4.0 Macros Work? A simple example below pops the calculator, and prints some text. To do this, right click on the “sheet” tab at the bottom of the screen, click “insert”, and select “Excel…

Comments closed

Analysis of Password Protected Malicious Word Document

Let’s take a look at an example of a malicious Word document that has a password-protected VBA project. When looking at malware, it is a good idea to first verify the file type you are looking at. Many malware authors will purposely use deceptive file extensions to try to look as benign as possible. So, running the “file” command on the file, it is confirmed to be a Word document, as the extension suggests. Our next step is checking the streams for macros using The following three streams have macros in them, indicated by an uppercase “M”. Searching for…

Comments closed