[Video] Analyzing a Payload Out of Context

Malware authors have become creative with how they have chosen to package their payload to evade detection. Office documents have been used as a common vector of entry in the following way: a Word document uses a macro to launch PowerShell and download a malicious payload.

While detonating the original Word document is typically sufficient to analyze the malicious payload, sometimes the Command and Control servers are down, and the payload cannot be downloaded. Other times, the payload is found by a threat researcher outside of this original context.

Malware authors are aware of this reality and protect their payload from being analyzed by obfuscating the executable and instituting context checks to ensure execution only after the condition is met.

The following video details how threat researchers can use VMRay Analyzer to reverse engineer a payload that is identified without the surrounding context.

This video is the first in our Reversing with VMRay series. Subscribe to our YouTube Channel for future videos.