Yesterday I had to analyze a malicious document, carrying embedded PowerShell scripts with Gzip compression. I use translate.py to do the Gzib decompression as I explained in this blog post.
But it’s still not that practical, copying that onliner from my blog post, so I’m releasing a new version of translate.py where I defined function GzipD as that onliner (and I also defined ZlibD).
Here is how I use build-in function GzipD to decompress the malicious payload:
translate_v2_5_2.zip (https)
MD5: 1499C7D9C03928F2CE90BAA813A982DA
SHA256: 34451966781CA9821CD66AEF54379A3B47576CD4FCE8CBEFD9EFA3DA06E49CE9
Article Link: https://blog.didierstevens.com/2018/01/30/update-translate-py-version-2-5-2/