Last Updated: 2017-10-29 17:34:15 UTC
by Didier Stevens (Version: 1)
A reader submitted a malicious attachment:
We can see that this is an ACE file. I remember ACE files, it's an archive format that back in the days (2000) yielded higher compression ratios than RAR.
I found a Python library/tool to decompress ACE files: acefile.py. Looking in the source code, I notice it could read from stdin, and that I should be able to pipe the output of oledump into acefile. Unfortunately, this generated an error, and I had to extract the file to disk:
This .bat file is actually an executable:
Sample 3e58ec4fe08d93dd6ec20c7553519d47 was compiled with Visual Basic 6.0.