[SOLVED] How to analyse a docx document for possible payload

yvesjv · 07-01-2023, 01:21 PM

Hi all,

Received this word document which both the wife an I opened, she uses Win10 and I use Slackware.
On mine, the document cannot be opened as it spits out "general input/output error"
On her Win10, when opening the document it logged her out of the desktop and sh had to login again...

How do I effectively analyse it so as to rule out it came loaded with trojan, malware, virus, etc?

Thanks in advance.

////// · 07-01-2023, 02:25 PM

if it doesnt contain personal info you could send it to : https://www.virustotal.com/gui/home/upload

edit: there is malware-sandboxes also, there you can upload malware samples and see what it does on simulated environment : https://www.joesandbox.com/

yvesjv · 07-01-2023, 03:37 PM

Thanks for the sandbox link, did not know that existed.

Edit: Bummer, after uploading to that sandbox the 'analyse with joe' button stays grey and cannot start the process.

boughtonp · 07-02-2023, 08:16 AM

Could be a non-malicious but corrupt file that caused Windows to crash. Have you tried retrieving the file again from wherever the source is, and comparing checksums (or at least dates and filesize).

Anyhow, docx is a Zip archive containing XML files, so one could open it up and examine those with a text editor to see if there's anything odd going on.

See this Wikipedia article for basics of the format.

Of course, whilst unlikely, it is possible for malware to exploit vulnerabilities in unzip - so make sure you're sufficiently patched, and in a suitably isolated environment.

yvesjv · 07-02-2023, 01:44 PM

Yes, that worked.
Opened it with Ark and viewed the files within.
The 'document.xml' is the problematic file that refuses to open.
Using the cat tool worked to view the contents.

I'm wagering on a corrupted word document.

scasey · 07-02-2023, 02:09 PM

Scan the file with anti-virus on either machine?

////// · 07-03-2023, 09:28 AM

there is command hexdump that can be used to view file content : in my case i hexdumped conkyrc ->

Code:

[root@arch Music]# hexdump -C /home/vile/conf/conkyrc
00000000  63 6f 6e 6b 79 2e 63 6f  6e 66 69 67 20 3d 20 7b  |conky.config = {|
00000010  0a 20 20 20 20 6f 77 6e  5f 77 69 6e 64 6f 77 20  |.    own_window |
00000020  3d 20 74 72 75 65 2c 0a  20 20 20 20 6f 77 6e 5f  |= true,.    own_|
00000030  77 69 6e 64 6f 77 5f 74  79 70 65 20 3d 20 27 6e  |window_type = 'n|
00000040  6f 72 6d 61 6c 27 2c 0a  20 20 20 20 6f 77 6e 5f  |ormal',.    own_|
00000050  77 69 6e 64 6f 77 5f 74  72 61 6e 73 70 61 72 65  |window_transpare|
00000060  6e 74 20 3d 20 74 72 75  65 2c 0a 20 20 20 20 6f  |nt = true,.    o|
00000070  77 6e 5f 77 69 6e 64 6f  77 5f 61 72 67 62 5f 76  |wn_window_argb_v|
00000080  69 73 75 61 6c 20 3d 20  74 72 75 65 2c 0a 20 20  |isual = true,.  |
00000090  20 20 6f 77 6e 5f 77 69  6e 64 6f 77 5f 68 69 6e  |  own_window_hin|
000000a0  74 73 20 3d 20 27 75 6e  64 65 63 6f 72 61 74 65  |ts = 'undecorate|
000000b0  64 2c 73 6b 69 70 5f 74  61 73 6b 62 61 72 2c 73  |d,skip_taskbar,s|
000000c0  6b 69 70 5f 70 61 67 65  72 2c 62 65 6c 6f 77 27  |kip_pager,below'|
000000d0  2c 0a 20 20 20 20 64 6f  75 62 6c 65 5f 62 75 66  |,.    double_buf|
000000e0  66 65 72 20 3d 20 74 72  75 65 2c 20 0a 20 20 20  |fer = true, .   |
000000f0  20 75 73 65 5f 73 70 61  63 65 72 20 3d 20 27 72  | use_spacer = 'r|
00000100  69 67 68 74 27 2c 0a 20  20 20 20 0a 09 75 73 65  |ight',.    ..use|
00000110  5f 78 66 74 20 3d 20 74  72 75 65 2c 0a 20 20 20  |_xft = true,.   |
00000120  20 6f 76 65 72 72 69 64  65 5f 75 74 66 33 32 5f  | override_utf32_|
00000130  6c 6f 63 61 6c 65 20 3d  20 74 72 75 65 2c 0a 20  |locale = true,. |
00000140  20 20 20 0a 20 20 20 20  61 6c 69 67 6e 6d 65 6e  |   .    alignmen|
00000150  74 20 3d 20 27 74 6f 70  5f 72 69 67 68 74 27 2c  |t = 'top_right',|
00000160  20 0a 20 20 20 20 67 61  70 5f 78 20 3d 20 35 2c  | .    gap_x = 5,|
00000170  20 0a 20 20 20 20 67 61  70 5f 79 20 3d 20 35 2c  | .    gap_y = 5,|
00000180  20 0a 20 20 20 20 75 70  64 61 74 65 5f 69 6e 74  | .    update_int|
00000190  65 72 76 61 6c 20 3d 20  32 2c 20 0a 20 20 20 20  |erval = 2, .    |
000001a0  6d 69 6e 69 6d 75 6d 5f  77 69 64 74 68 20 3d 20  |minimum_width = |
000001b0  33 30 30 2c 20 0a 20 20  20 20 6d 61 78 69 6d 75  |300, .    maximu|
000001c0  6d 5f 77 69 64 74 68 20  3d 20 33 38 35 2c 20 0a  |m_width = 385, .|
000001d0  20 20 20 20 73 74 69 70  70 6c 65 64 5f 62 6f 72  |    stippled_bor|
000001e0  64 65 72 73 20 3d 20 33  2c 20 0a 20 20 20 20 62  |ders = 3, .    b|
000001f0  6f 72 64 65 72 5f 77 69  64 74 68 20 3d 20 31 2c  |order_width = 1,|
00000200  20 0a 20 20 20 20 64 65  66 61 75 6c 74 5f 63 6f  | .    default_co|
00000210  6c 6f 72 20 3d 20 27 31  37 39 30 64 30 27 2c 20  |lor = '1790d0', |
00000220  0a 20 20 20 20 64 72 61  77 5f 6f 75 74 6c 69 6e  |.    draw_outlin|
00000230  65 20 3d 20 6e 6f 2c 20  0a 20 20 20 20 64 72 61  |e = no, .    dra|
00000240  77 5f 62 6f 72 64 65 72  73 20 3d 20 79 65 73 2c  |w_borders = yes,|
00000250  20 0a 20 20 20 20 66 6f  6e 74 20 3d 20 27 54 65  | .    font = 'Te|
00000260  72 6d 69 6e 75 73 3a 73  69 7a 65 3d 31 30 27 2c  |rminus:size=10',|
00000270  20 0a 20 20 20 20 75 70  70 65 72 63 61 73 65 20  | .    uppercase |
00000280  3d 20 6e 6f 2c 20 0a 20  20 20 20 64 72 61 77 5f  |= no, .    draw_|
00000290  73 68 61 64 65 73 20 3d  20 79 65 73 2c 0a 20 20  |shades = yes,.  |
000002a0  20 20 0a 20 20 20 20 78  69 6e 65 72 61 6d 61 5f  |  .    xinerama_|
000002b0  68 65 61 64 20 3d 20 31  0a 20 20 20 20 0a 7d 20  |head = 1.    .} |
000002c0  0a 0a 63 6f 6e 6b 79 2e  74 65 78 74 20 3d 20 5b  |..conky.text = [|
000002d0  5b 20 0a 24 7b 68 72 20  32 7d 0a 24 7b 65 78 65  |[ .${hr 2}.${exe|
000002e0  63 70 69 20 33 36 30 20  63 68 65 63 6b 75 70 64  |cpi 360 checkupd|
000002f0  61 74 65 73 20 7c 20 61  77 6b 20 27 45 4e 44 20  |ates | awk 'END |
00000300  7b 20 70 72 69 6e 74 20  28 4e 52 20 3d 3d 20 30  |{ print (NR == 0|
00000310  20 3f 20 22 53 79 73 74  65 6d 20 75 70 20 74 6f  | ? "System up to|
00000320  20 64 61 74 65 22 20 3a  20 4e 52 20 22 20 70 61  | date" : NR " pa|
00000330  63 6b 61 67 65 22 20 28  4e 52 20 3e 20 31 20 3f  |ckage" (NR > 1 ?|
00000340  20 22 73 22 20 3a 20 22  22 29 29 3b 20 7d 27 7d  | "s" : "")); }'}|
00000350  0a 41 6c 6c 20 50 61 63  6b 61 67 65 73 20 49 6e  |.All Packages In|
00000360  73 74 61 6c 6c 65 64 20  3a 20 24 7b 65 78 65 63  |stalled : ${exec|
00000370  70 69 20 33 36 30 20 70  61 63 6d 61 6e 20 2d 51  |pi 360 pacman -Q|
00000380  20 7c 20 77 63 20 2d 6c  7d 0a 24 7b 68 72 20 32  | | wc -l}.${hr 2|
00000390  7d 0a 24 7b 63 6f 6c 6f  72 20 46 46 39 39 33 33  |}.${color FF9933|
000003a0  7d 24 7b 65 78 65 63 69  20 31 30 20 77 68 6f 7d  |}${execi 10 who}|
000003b0  0a 24 7b 63 6f 6c 6f 72  20 31 37 39 30 64 30 7d  |.${color 1790d0}|
000003c0  24 7b 68 72 20 32 7d 0a  24 7b 66 6f 6e 74 20 54  |${hr 2}.${font T|
000003d0  65 72 6d 69 6e 75 73 3a  73 69 7a 65 3d 38 30 3a  |erminus:size=80:|
000003e0  73 74 79 6c 65 3d 62 6f  6c 64 7d 24 7b 63 6f 6c  |style=bold}${col|
000003f0  6f 72 20 31 37 39 30 64  30 7d 20 24 7b 74 69 6d  |or 1790d0} ${tim|
00000400  65 20 25 48 3a 25 4d 7d  24 7b 66 6f 6e 74 7d 0a  |e %H:%M}${font}.|
00000410  24 7b 66 6f 6e 74 7d 0a  24 7b 63 6f 6c 6f 72 20  |${font}.${color |
00000420  77 68 69 74 65 7d 53 59  53 54 45 4d 20 49 4e 46  |white}SYSTEM INF|
00000430  4f 52 4d 41 54 49 4f 4e  20 24 7b 68 72 20 32 7d  |ORMATION ${hr 2}|
00000440  20 0a 24 7b 63 6f 6c 6f  72 20 67 72 65 79 7d 44  | .${color grey}D|
00000450  61 74 65 20 24 7b 63 6f  6c 6f 72 20 31 37 39 30  |ate ${color 1790|
00000460  64 30 7d 24 7b 74 69 6d  65 20 25 41 7d 2c 24 7b  |d0}${time %A},${|
00000470  74 69 6d 65 20 25 65 7d  20 24 7b 74 69 6d 65 20  |time %e} ${time |
00000480  25 42 7d 20 24 7b 74 69  6d 65 20 25 47 7d 24 7b  |%B} ${time %G}${|
00000490  61 6c 69 67 6e 72 7d 0a  24 7b 63 6f 6c 6f 72 20  |alignr}.${color |
000004a0  67 72 65 79 7d 4d 61 63  68 69 6e 65 24 7b 63 6f  |grey}Machine${co|
000004b0  6c 6f 72 20 31 37 39 30  64 30 7d 20 24 6e 6f 64  |lor 1790d0} $nod|
000004c0  65 6e 61 6d 65 20 24 61  6c 69 67 6e 72 20 24 7b  |ename $alignr ${|
000004d0  63 6f 6c 6f 72 20 67 72  65 79 7d 55 70 74 69 6d  |color grey}Uptim|
000004e0  65 24 7b 63 6f 6c 6f 72  20 31 37 39 30 64 30 7d  |e${color 1790d0}|
000004f0  20 24 75 70 74 69 6d 65  20 0a 24 7b 63 6f 6c 6f  | $uptime .${colo|
00000500  72 20 67 72 65 79 7d 4b  65 72 6e 65 6c 20 24 7b  |r grey}Kernel ${|
00000510  63 6f 6c 6f 72 20 31 37  39 30 64 30 7d 24 6b 65  |color 1790d0}$ke|
00000520  72 6e 65 6c 20 24 61 6c  69 67 6e 72 20 24 7b 63  |rnel $alignr ${c|
00000530  6f 6c 6f 72 20 67 72 65  79 7d 41 72 63 68 20 24  |olor grey}Arch $|
00000540  7b 63 6f 6c 6f 72 20 31  37 39 30 64 30 7d 24 6d  |{color 1790d0}$m|
00000550  61 63 68 69 6e 65 20 0a  24 7b 68 72 20 32 7d 20  |achine .${hr 2} |
00000560  0a 24 7b 63 6f 6c 6f 72  20 67 72 65 79 7d 47 50  |.${color grey}GP|
00000570  55 20 24 7b 63 6f 6c 6f  72 20 31 37 39 30 64 30  |U ${color 1790d0|
00000580  7d 41 53 55 53 20 4e 76  69 64 69 61 20 52 54 58  |}ASUS Nvidia RTX|
00000590  20 33 30 36 30 20 54 69  20 24 7b 63 6f 6c 6f 72  | 3060 Ti ${color|
000005a0  20 67 72 65 79 7d 24 7b  61 6c 69 67 6e 72 7d 24  | grey}${alignr}$|
000005b0  7b 65 78 65 63 69 20 36  20 6e 76 69 64 69 61 2d  |{execi 6 nvidia-|
000005c0  73 6d 69 20 7c 20 67 72  65 70 20 2d 69 20 27 64  |smi | grep -i 'd|
000005d0  72 69 76 65 72 27 20 7c  20 61 77 6b 20 27 7b 70  |river' | awk '{p|
000005e0  72 69 6e 74 20 24 34 2c  20 24 36 7d 27 7d 0a 24  |rint $4, $6}'}.$|
000005f0  7b 63 6f 6c 6f 72 20 67  72 65 79 7d 54 45 4d 50  |{color grey}TEMP|
00000600  3a 20 24 7b 63 6f 6c 6f  72 20 67 72 65 65 6e 7d  |: ${color green}|
00000610  24 7b 6e 76 69 64 69 61  20 74 65 6d 70 7d c2 b0  |${nvidia temp}..|
00000620  43 20 24 7b 63 6f 6c 6f  72 20 67 72 65 79 7d 20  |C ${color grey} |
00000630  20 47 50 55 20 43 6c 6f  63 6b 73 20 24 7b 63 6f  | GPU Clocks ${co|
00000640  6c 6f 72 20 31 37 39 30  64 30 7d 24 7b 6e 76 69  |lor 1790d0}${nvi|
00000650  64 69 61 20 67 70 75 66  72 65 71 7d 24 7b 63 6f  |dia gpufreq}${co|
00000660  6c 6f 72 20 67 72 65 79  7d 2f 24 7b 63 6f 6c 6f  |lor grey}/${colo|
00000670  72 20 31 37 39 30 64 30  7d 24 7b 6e 76 69 64 69  |r 1790d0}${nvidi|
00000680  61 20 6d 65 6d 66 72 65  71 7d 24 7b 63 6f 6c 6f  |a memfreq}${colo|
00000690  72 20 67 72 65 79 7d 20  4d 68 7a 0a 24 7b 68 72  |r grey} Mhz.${hr|
000006a0  20 32 7d 0a 24 7b 63 6f  6c 6f 72 20 67 72 65 79  | 2}.${color grey|
000006b0  7d 43 50 55 20 24 7b 63  6f 6c 6f 72 20 31 37 39  |}CPU ${color 179|
000006c0  30 64 30 7d 24 7b 65 78  65 63 69 20 39 39 39 39  |0d0}${execi 9999|
000006d0  39 20 63 61 74 20 2f 70  72 6f 63 2f 63 70 75 69  |9 cat /proc/cpui|
000006e0  6e 66 6f 20 7c 20 67 72  65 70 20 22 6d 6f 64 65  |nfo | grep "mode|
000006f0  6c 20 6e 61 6d 65 22 20  2d 6d 31 20 7c 20 63 75  |l name" -m1 | cu|
00000700  74 20 2d 64 22 3a 22 20  2d 66 32 20 7c 20 63 75  |t -d":" -f2 | cu|
00000710  74 20 2d 64 22 20 22 20  2d 66 32 2d 20 7c 20 73  |t -d" " -f2- | s|
00000720  65 64 20 27 73 23 50 72  6f 63 65 73 73 6f 72 20  |ed 's#Processor |
00000730  23 23 27 7d 20 0a 24 7b  63 6f 6c 6f 72 20 67 72  |##'} .${color gr|
00000740  65 79 7d 46 72 65 71 20  24 7b 63 6f 6c 6f 72 20  |ey}Freq ${color |
00000750  31 37 39 30 64 30 7d 24  7b 66 72 65 71 5f 67 20  |1790d0}${freq_g |
00000760  32 7d 47 48 7a 20 24 61  6c 69 67 6e 72 20 24 7b  |2}GHz $alignr ${|
00000770  63 6f 6c 6f 72 20 67 72  65 79 7d 4c 6f 61 64 20  |color grey}Load |
00000780  24 7b 63 6f 6c 6f 72 20  31 37 39 30 64 30 7d 24  |${color 1790d0}$|
00000790  7b 6c 6f 61 64 61 76 67  7d 20 0a 24 7b 63 6f 6c  |{loadavg} .${col|
000007a0  6f 72 20 67 72 65 79 7d  50 72 6f 63 65 73 73 65  |or grey}Processe|
000007b0  73 20 24 7b 63 6f 6c 6f  72 20 31 37 39 30 64 30  |s ${color 1790d0|
000007c0  7d 24 72 75 6e 6e 69 6e  67 5f 70 72 6f 63 65 73  |}$running_proces|
000007d0  73 65 73 2f 20 24 70 72  6f 63 65 73 73 65 73 20  |ses/ $processes |
000007e0  24 61 6c 69 67 6e 72 20  43 50 55 20 54 65 6d 70  |$alignr CPU Temp|
000007f0  3a 20 24 7b 63 6f 6c 6f  72 20 67 72 65 65 6e 7d  |: ${color green}|
00000800  24 7b 65 78 65 63 69 20  31 20 73 65 6e 73 6f 72  |${execi 1 sensor|
00000810  73 20 7c 20 67 72 65 70  20 43 50 55 3a 20 7c 20  |s | grep CPU: | |
00000820  63 75 74 20 2d 63 20 31  36 2d 31 37 7d c2 b0 43  |cut -c 16-17}..C|
00000830  0a 0a 24 7b 63 6f 6c 6f  72 20 67 72 65 79 7d 41  |..${color grey}A|
00000840  76 67 20 4c 6f 61 64 20  24 7b 63 70 75 62 61 72  |vg Load ${cpubar|
00000850  20 63 70 75 30 20 31 32  2c 32 36 30 7d 0a 0a 24  | cpu0 12,260}..$|
00000860  7b 63 6f 6c 6f 72 20 77  68 69 74 65 7d 54 4f 50  |{color white}TOP|
00000870  20 38 20 50 52 4f 43 45  53 53 45 53 20 24 7b 68  | 8 PROCESSES ${h|
00000880  72 20 32 7d 20 0a 24 7b  63 6f 6c 6f 72 20 67 72  |r 2} .${color gr|
00000890  65 79 7d 4e 41 4d 45 24  61 6c 69 67 6e 72 20 20  |ey}NAME$alignr  |
000008a0  20 20 20 20 20 20 20 20  20 20 20 20 20 50 49 44  |             PID|
000008b0  20 20 20 20 20 20 43 50  55 20 20 20 20 20 20 4d  |      CPU      M|
000008c0  45 4d 20 0a 24 7b 63 6f  6c 6f 72 20 67 72 65 79  |EM .${color grey|
000008d0  7d 31 2e 20 24 7b 74 6f  70 20 6e 61 6d 65 20 31  |}1. ${top name 1|
000008e0  7d 24 7b 63 6f 6c 6f 72  20 31 37 39 30 64 30 7d  |}${color 1790d0}|
000008f0  24 61 6c 69 67 6e 72 24  7b 74 6f 70 20 70 69 64  |$alignr${top pid|
00000900  20 31 7d 20 20 20 24 7b  74 6f 70 20 63 70 75 20  | 1}   ${top cpu |
00000910  31 7d 20 20 20 24 7b 74  6f 70 20 6d 65 6d 20 31  |1}   ${top mem 1|
00000920  7d 20 0a 24 7b 63 6f 6c  6f 72 20 67 72 65 79 7d  |} .${color grey}|
00000930  32 2e 20 24 7b 74 6f 70  20 6e 61 6d 65 20 32 7d  |2. ${top name 2}|
00000940  24 7b 63 6f 6c 6f 72 20  31 37 39 30 64 30 7d 24  |${color 1790d0}$|
00000950  61 6c 69 67 6e 72 24 7b  74 6f 70 20 70 69 64 20  |alignr${top pid |
00000960  32 7d 20 20 20 24 7b 74  6f 70 20 63 70 75 20 32  |2}   ${top cpu 2|
00000970  7d 20 20 20 24 7b 74 6f  70 20 6d 65 6d 20 32 7d  |}   ${top mem 2}|
00000980  20 0a 24 7b 63 6f 6c 6f  72 20 67 72 65 79 7d 33  | .${color grey}3|
00000990  2e 20 24 7b 74 6f 70 20  6e 61 6d 65 20 33 7d 24  |. ${top name 3}$|
000009a0  7b 63 6f 6c 6f 72 20 31  37 39 30 64 30 7d 24 61  |{color 1790d0}$a|
000009b0  6c 69 67 6e 72 24 7b 74  6f 70 20 70 69 64 20 33  |lignr${top pid 3|
000009c0  7d 20 20 20 24 7b 74 6f  70 20 63 70 75 20 33 7d  |}   ${top cpu 3}|
000009d0  20 20 20 24 7b 74 6f 70  20 6d 65 6d 20 33 7d 20  |   ${top mem 3} |
000009e0  0a 24 7b 63 6f 6c 6f 72  20 67 72 65 79 7d 34 2e  |.${color grey}4.|
000009f0  20 24 7b 74 6f 70 20 6e  61 6d 65 20 34 7d 24 7b  | ${top name 4}${|
00000a00  63 6f 6c 6f 72 20 31 37  39 30 64 30 7d 24 61 6c  |color 1790d0}$al|
00000a10  69 67 6e 72 24 7b 74 6f  70 20 70 69 64 20 34 7d  |ignr${top pid 4}|
00000a20  20 20 20 24 7b 74 6f 70  20 63 70 75 20 34 7d 20  |   ${top cpu 4} |
00000a30  20 20 24 7b 74 6f 70 20  6d 65 6d 20 34 7d 20 0a  |  ${top mem 4} .|
00000a40  24 7b 63 6f 6c 6f 72 20  67 72 65 79 7d 35 2e 20  |${color grey}5. |
00000a50  24 7b 74 6f 70 20 6e 61  6d 65 20 35 7d 24 7b 63  |${top name 5}${c|
00000a60  6f 6c 6f 72 20 31 37 39  30 64 30 7d 24 61 6c 69  |olor 1790d0}$ali|
00000a70  67 6e 72 24 7b 74 6f 70  20 70 69 64 20 35 7d 20  |gnr${top pid 5} |
00000a80  20 20 24 7b 74 6f 70 20  63 70 75 20 35 7d 20 20  |  ${top cpu 5}  |
00000a90  20 24 7b 74 6f 70 20 6d  65 6d 20 35 7d 20 0a 24  | ${top mem 5} .$|
00000aa0  7b 63 6f 6c 6f 72 20 67  72 65 79 7d 36 2e 20 24  |{color grey}6. $|
00000ab0  7b 74 6f 70 20 6e 61 6d  65 20 36 7d 24 7b 63 6f  |{top name 6}${co|
00000ac0  6c 6f 72 20 31 37 39 30  64 30 7d 24 61 6c 69 67  |lor 1790d0}$alig|
00000ad0  6e 72 24 7b 74 6f 70 20  70 69 64 20 36 7d 20 20  |nr${top pid 6}  |
00000ae0  20 24 7b 74 6f 70 20 63  70 75 20 36 7d 20 20 20  | ${top cpu 6}   |
00000af0  24 7b 74 6f 70 20 6d 65  6d 20 36 7d 20 0a 23 24  |${top mem 6} .#$|
00000b00  7b 63 6f 6c 6f 72 20 67  72 65 79 7d 37 2e 20 24  |{color grey}7. $|
00000b10  7b 74 6f 70 20 6e 61 6d  65 20 37 7d 24 7b 63 6f  |{top name 7}${co|
00000b20  6c 6f 72 20 31 37 39 30  64 30 7d 24 61 6c 69 67  |lor 1790d0}$alig|
00000b30  6e 72 24 7b 74 6f 70 20  70 69 64 20 37 7d 20 20  |nr${top pid 7}  |
00000b40  20 24 7b 74 6f 70 20 63  70 75 20 37 7d 20 20 20  | ${top cpu 7}   |
00000b50  24 7b 74 6f 70 20 6d 65  6d 20 37 7d 20 0a 23 24  |${top mem 7} .#$|
00000b60  7b 63 6f 6c 6f 72 20 67  72 65 79 7d 38 2e 20 24  |{color grey}8. $|
00000b70  7b 74 6f 70 20 6e 61 6d  65 20 38 7d 24 7b 63 6f  |{top name 8}${co|
00000b80  6c 6f 72 20 31 37 39 30  64 30 7d 24 61 6c 69 67  |lor 1790d0}$alig|
00000b90  6e 72 24 7b 74 6f 70 20  70 69 64 20 38 7d 20 20  |nr${top pid 8}  |
00000ba0  20 24 7b 74 6f 70 20 63  70 75 20 38 7d 20 20 20  | ${top cpu 8}   |
00000bb0  24 7b 74 6f 70 20 6d 65  6d 20 38 7d 20 0a 0a 24  |${top mem 8} ..$|
00000bc0  7b 63 6f 6c 6f 72 20 77  68 69 74 65 7d 4d 45 4d  |{color white}MEM|
00000bd0  4f 52 59 20 26 20 53 57  41 50 20 24 7b 68 72 20  |ORY & SWAP ${hr |
00000be0  32 7d 20 0a 24 7b 63 6f  6c 6f 72 20 67 72 65 79  |2} .${color grey|
00000bf0  7d 52 41 4d 20 55 73 65  64 3a 24 7b 63 6f 6c 6f  |}RAM Used:${colo|
00000c00  72 20 31 37 39 30 64 30  7d 20 24 6d 65 6d 24 61  |r 1790d0} $mem$a|
00000c10  6c 69 67 6e 72 24 7b 63  6f 6c 6f 72 20 67 72 65  |lignr${color gre|
00000c20  79 7d 52 41 4d 20 54 6f  74 61 6c 3a 24 7b 63 6f  |y}RAM Total:${co|
00000c30  6c 6f 72 20 31 37 39 30  64 30 7d 20 24 6d 65 6d  |lor 1790d0} $mem|
00000c40  6d 61 78 20 0a 24 7b 63  6f 6c 6f 72 20 67 72 65  |max .${color gre|
00000c50  79 7d 52 41 4d 24 7b 63  6f 6c 6f 72 20 31 37 39  |y}RAM${color 179|
00000c60  30 64 30 7d 20 24 6d 65  6d 70 65 72 63 25 24 7b  |0d0} $memperc%${|
00000c70  63 6f 6c 6f 72 20 67 72  65 79 7d 20 24 7b 6d 65  |color grey} ${me|
00000c80  6d 62 61 72 20 36 7d 20  0a 24 7b 63 6f 6c 6f 72  |mbar 6} .${color|
00000c90  20 67 72 65 79 7d 53 57  41 50 24 7b 63 6f 6c 6f  | grey}SWAP${colo|
00000ca0  72 20 31 37 39 30 64 30  7d 20 24 73 77 61 70 70  |r 1790d0} $swapp|
00000cb0  65 72 63 25 24 7b 63 6f  6c 6f 72 20 67 72 65 79  |erc%${color grey|
00000cc0  7d 20 24 7b 73 77 61 70  62 61 72 20 36 7d 20 0a  |} ${swapbar 6} .|
00000cd0  0a 24 7b 63 6f 6c 6f 72  20 77 68 69 74 65 7d 44  |.${color white}D|
00000ce0  52 49 56 45 53 20 2d 20  46 52 45 45 20 53 50 41  |RIVES - FREE SPA|
00000cf0  43 45 20 24 7b 68 72 20  32 7d 20 0a 24 7b 63 6f  |CE ${hr 2} .${co|
00000d00  6c 6f 72 20 67 72 65 79  7d 42 6f 6f 74 20 24 7b  |lor grey}Boot ${|
00000d10  63 6f 6c 6f 72 20 31 37  39 30 64 30 7d 24 7b 66  |color 1790d0}${f|
00000d20  73 5f 66 72 65 65 5f 70  65 72 63 20 2f 62 6f 6f  |s_free_perc /boo|
00000d30  74 7d 25 20 41 76 61 69  6c 61 62 6c 65 24 61 6c  |t}% Available$al|
00000d40  69 67 6e 72 24 7b 66 73  5f 66 72 65 65 20 2f 62  |ignr${fs_free /b|
00000d50  6f 6f 74 7d 20 6f 66 20  24 7b 66 73 5f 73 69 7a  |oot} of ${fs_siz|
00000d60  65 20 2f 62 6f 6f 74 7d  20 0a 24 7b 63 6f 6c 6f  |e /boot} .${colo|
00000d70  72 20 67 72 65 79 7d 24  7b 66 73 5f 62 61 72 20  |r grey}${fs_bar |
00000d80  36 20 2f 62 6f 6f 74 7d  0a 24 7b 63 6f 6c 6f 72  |6 /boot}.${color|
00000d90  20 67 72 65 79 7d 2f 20  24 7b 63 6f 6c 6f 72 20  | grey}/ ${color |
00000da0  31 37 39 30 64 30 7d 24  7b 66 73 5f 66 72 65 65  |1790d0}${fs_free|
00000db0  5f 70 65 72 63 20 2f 7d  25 20 41 76 61 69 6c 61  |_perc /}% Availa|
00000dc0  62 6c 65 24 61 6c 69 67  6e 72 24 7b 66 73 5f 66  |ble$alignr${fs_f|
00000dd0  72 65 65 20 2f 7d 20 6f  66 20 24 7b 66 73 5f 73  |ree /} of ${fs_s|
00000de0  69 7a 65 20 2f 7d 20 0a  24 7b 63 6f 6c 6f 72 20  |ize /} .${color |
00000df0  67 72 65 79 7d 24 7b 66  73 5f 62 61 72 20 36 20  |grey}${fs_bar 6 |
00000e00  2f 7d 0a 0a 24 7b 63 6f  6c 6f 72 20 77 68 69 74  |/}..${color whit|
00000e10  65 7d 4e 45 54 57 4f 52  4b 20 49 4e 46 4f 52 4d  |e}NETWORK INFORM|
00000e20  41 54 49 4f 4e 20 24 7b  68 72 20 32 7d 20 0a 24  |ATION ${hr 2} .$|
00000e30  7b 63 6f 6c 6f 72 20 67  72 65 79 7d 49 50 20 41  |{color grey}IP A|
00000e40  64 64 72 65 73 73 3a 20  24 7b 63 6f 6c 6f 72 20  |ddress: ${color |
00000e50  31 37 39 30 64 30 7d 24  7b 61 64 64 72 20 65 6e  |1790d0}${addr en|
00000e60  70 34 73 30 7d 0a 24 7b  63 6f 6c 6f 72 20 67 72  |p4s0}.${color gr|
00000e70  65 79 7d 45 78 74 65 72  6e 61 6c 20 49 50 3a 20  |ey}External IP: |
00000e80  24 7b 63 6f 6c 6f 72 20  31 37 39 30 64 30 7d 24  |${color 1790d0}$|
00000e90  7b 65 78 65 63 69 20 36  30 30 20 63 75 72 6c 20  |{execi 600 curl |
00000ea0  69 66 63 6f 6e 66 69 67  2e 63 6f 20 32 3e 2f 64  |ifconfig.co 2>/d|
00000eb0  65 76 2f 6e 75 6c 6c 20  7c 20 74 61 69 6c 20 7d  |ev/null | tail }|
00000ec0  0a 24 7b 63 6f 6c 6f 72  20 67 72 65 79 7d 47 61  |.${color grey}Ga|
00000ed0  74 65 77 61 79 20 41 64  64 72 65 73 73 3a 20 24  |teway Address: $|
00000ee0  7b 63 6f 6c 6f 72 20 31  37 39 30 64 30 7d 24 7b  |{color 1790d0}${|
00000ef0  67 77 5f 69 70 7d 20 0a  24 7b 63 6f 6c 6f 72 20  |gw_ip} .${color |
00000f00  67 72 65 79 7d 4e 65 74  77 6f 72 6b 20 49 6e 74  |grey}Network Int|
00000f10  65 72 66 61 63 65 3a 20  24 7b 63 6f 6c 6f 72 20  |erface: ${color |
00000f20  31 37 39 30 64 30 7d 24  7b 67 77 5f 69 66 61 63  |1790d0}${gw_ifac|
00000f30  65 7d 0a 0a 24 7b 63 6f  6c 6f 72 20 77 68 69 74  |e}..${color whit|
00000f40  65 7d 42 41 4e 44 57 49  44 54 48 20 26 20 54 4f  |e}BANDWIDTH & TO|
00000f50  54 41 4c 20 44 41 49 4c  59 20 54 52 41 46 46 49  |TAL DAILY TRAFFI|
00000f60  43 24 7b 68 72 20 32 7d  24 7b 63 6f 6c 6f 72 7d  |C${hr 2}${color}|
00000f70  0a 24 7b 63 6f 6c 6f 72  20 67 72 65 79 7d 55 70  |.${color grey}Up|
00000f80  3a 20 24 7b 63 6f 6c 6f  72 7d 24 7b 75 70 73 70  |: ${color}${upsp|
00000f90  65 65 64 20 65 6e 70 34  73 30 7d 24 61 6c 69 67  |eed enp4s0}$alig|
00000fa0  6e 72 24 7b 63 6f 6c 6f  72 20 67 72 65 79 7d 44  |nr${color grey}D|
00000fb0  6f 77 6e 3a 20 24 7b 63  6f 6c 6f 72 7d 24 7b 64  |own: ${color}${d|
00000fc0  6f 77 6e 73 70 65 65 64  20 65 6e 70 34 73 30 7d  |ownspeed enp4s0}|
00000fd0  0a 24 7b 63 6f 6c 6f 72  20 67 72 65 79 7d 55 70  |.${color grey}Up|
00000fe0  3a 20 24 7b 63 6f 6c 6f  72 7d 24 7b 65 78 65 63  |: ${color}${exec|
00000ff0  69 20 31 30 20 76 6e 73  74 61 74 20 7c 20 67 72  |i 10 vnstat | gr|
00001000  65 70 20 74 6f 64 61 79  20 7c 20 61 77 6b 20 27  |ep today | awk '|
00001010  7b 70 72 69 6e 74 20 24  35 2c 20 24 36 20 7d 27  |{print $5, $6 }'|
00001020  7d 24 61 6c 69 67 6e 72  20 24 7b 63 6f 6c 6f 72  |}$alignr ${color|
00001030  20 67 72 65 79 7d 44 6f  77 6e 3a 20 24 7b 63 6f  | grey}Down: ${co|
00001040  6c 6f 72 7d 24 7b 65 78  65 63 69 20 31 30 20 76  |lor}${execi 10 v|
00001050  6e 73 74 61 74 20 7c 20  67 72 65 70 20 74 6f 64  |nstat | grep tod|
00001060  61 79 20 7c 20 61 77 6b  20 27 7b 70 72 69 6e 74  |ay | awk '{print|
00001070  20 24 32 2c 20 24 33 20  7d 27 7d 0a 5d 5d 0a     | $2, $3 }'}.]].|
0000107f
[root@arch Music]#

it shows ascii and hex with -C option.

yvesjv · 07-04-2023, 01:28 PM

Quote:

Originally Posted by //////

there is command hexdump that can be used to view file content : in my case i hexdumped conkyrc ->

That was interesting to play with and a nice learning curve with that too.
Thanks

https://class.malware.re/2020/02/04/...nalysis-1.html
And I'd guess this is just the tip of the iceberg when it comes to malware analysis.