I was asked how one can decode a bunch of BASE64 encoded IOCs with my tools.

I’m going to illustrate my method using the phishing SVG samples I found on VirusTotal (see “Increase In Phishing SVG Attachments“).

In these phishing SVG files, the victim’s email address is encoded in BASE64:

With grep, I can select all these lines with BASE64 encoded email addresses:

Then I can pipe this into base64dump.py, my tool to handle BASE64 (and other encodings):

You can see the email address in the “Decoded” column (they are redacted to protect the victims).

To get just this info (decoded email addresses), you can use option -s a to select all decoded items, and option -d to dump the decoded values to stdout, like this:

The problem now is that all email addresses are concatenated together. To add a newline (or carriage return – newline in Windows) after each email address, use option -s A (uppercase a):

Didier Stevens
Senior handler
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.