Channel: Malware – Didier Stevens
Browsing all 102 articles

Stoned Bitcoin: My Analysis Tools

The most interesting thing about Stoned Bitcoin for me, was to work out a method to find these Bitcoin transactions. When this was mentioned on Twitter, I did a string search through the Bitcoin...


Update: oledump.py Version 0.0.7

This new version adds support for the new office file format (.docx, .xlsx, …) stored inside a ZIP file (so a ZIP inside a ZIP) and an option to print YARA strings. And the HTTP heuristics plugin has...


Update: YARA Rule JPEG_EXIF_Contains_eval

Now that YARA version 3.3.0 supports word boundaries in regular expressions, I’ve updated my YARA Rule for Detecting JPEG Exif With eval(). yara-rules-V0.0.5.zip (https) MD5:...


Update: oledump.py Version 0.0.8

This new version brings support for multiple YARA rule files. The plugin_http_heuristics plugin was updated, and there is a new plugin: plugin_dridex. oledump_V0_0_8.zip (https) MD5:...


Update: oledump.py Version 0.0.9

The plugin_dridex plugin was updated. And oledump.py has a new option: --quiet: only print output from plugins. oledump_V0_0_9.zip (https) MD5: 849C26F32397D2508381A8472FE40F90 SHA256:...


Update: oledump.py Version 0.0.10

This version handles corrupt VBA macro streams without crashing. Corrupt VBA macro streams are marked with an E indicator (error). And an update to the plugin_http_heuristics and plugin_dridex plugins....
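As an added example (not oledump's own code), here is a decompressor for the MS-OVBA compression scheme that VBA macro streams are stored in, written with the input checks a tool needs so that a corrupt stream is reported as an error instead of crashing the analysis. The 'M'/'E' indicator letters returned by classify_stream(), the helper names, and the hand-built sample streams are this example's own choices, not oledump's internals.

```python
"""MS-OVBA decompression that reports corruption instead of crashing.

Added example, not oledump's own code. A VBA stream is a 0x01 signature byte
followed by chunks; each compressed chunk is a 2-byte header and a sequence
of flag bytes, each announcing up to eight literal or copy tokens.
"""
import struct


class VBACompressionError(ValueError):
    """The compressed container violates the MS-OVBA layout."""


def decompress_vba(data: bytes) -> bytes:
    """Decompress an MS-OVBA compressed container; raise on corruption."""
    if not data or data[0] != 0x01:
        raise VBACompressionError("missing 0x01 container signature")
    out = bytearray()
    pos = 1
    while pos < len(data):
        if pos + 2 > len(data):
            raise VBACompressionError("truncated chunk header at %d" % pos)
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0x7 != 0b011:          # bits 12-14 must be 0b011
            raise VBACompressionError("bad chunk signature at %d" % pos)
        chunk_size = (header & 0x0FFF) + 3         # size includes the 2-byte header
        chunk_end = pos + chunk_size
        if chunk_end > len(data):
            raise VBACompressionError("chunk at %d runs past end of stream" % pos)
        compressed = bool(header & 0x8000)
        pos += 2
        chunk_start = len(out)
        if not compressed:                         # raw chunk: stored verbatim
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:         # literal token: one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    raise VBACompressionError("truncated copy token at %d" % pos)
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                difference = len(out) - chunk_start
                if difference == 0:
                    raise VBACompressionError("copy token with nothing to copy from")
                # The offset/length bit split depends on how much of the chunk
                # is already decompressed: max(ceil(log2(difference)), 4).
                bit_count = max((difference - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > difference:
                    raise VBACompressionError("copy offset points before chunk start")
                for _ in range(length):            # byte-wise copy, overlap allowed
                    out.append(out[-offset])
        if len(out) - chunk_start > 4096:
            raise VBACompressionError("decompressed chunk exceeds 4096 bytes")
    return bytes(out)


def compress_literal_only(data: bytes) -> bytes:
    """Build a valid container using literal tokens only (test-input helper,
    not a real compressor: it never emits back-references)."""
    stream = bytearray(b"\x01")
    # 3640 input bytes + 455 flag bytes = 4095 body bytes, the largest body
    # that still fits a compressed chunk's 12-bit size field.
    for start in range(0, len(data), 3640):
        chunk = data[start:start + 3640]
        body = bytearray()
        for i in range(0, len(chunk), 8):
            body.append(0x00)                      # eight literal tokens follow
            body += chunk[i:i + 8]
        header = 0xB000 | (len(body) + 2 - 3)      # compressed flag | signature | size
        stream += struct.pack("<H", header) + body
    return bytes(stream)


def classify_stream(data: bytes) -> str:
    """'M' when the stream decompresses cleanly, 'E' when it is corrupt."""
    try:
        decompress_vba(data)
        return "M"
    except VBACompressionError:
        return "E"


# Constructed samples: one compressed chunk holding a literal 'a' followed by
# a copy token (offset 1, length 7), which decompresses to eight 'a' bytes.
SAMPLE_OK = bytes.fromhex("01 03b0 02 61 0400")
SAMPLE_TRUNCATED = SAMPLE_OK[:-1]                  # header promises bytes that are missing
SAMPLE_BAD_SIGNATURE = bytes.fromhex("01 0340 02 61 0400")

if __name__ == "__main__":
    for name, sample in [("ok", SAMPLE_OK), ("truncated", SAMPLE_TRUNCATED),
                         ("badsig", SAMPLE_BAD_SIGNATURE)]:
        print(name, classify_stream(sample))
```

Every place the decompressor indexes into the input or into the output-so-far is guarded, so a stream that was truncated, had its chunk header flipped, or carries a copy token pointing before the chunk start ends up as an 'E' rather than an unhandled IndexError.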


A New Type Of Malicious Document: XML

Since last week we have been seeing XML documents being spammed: they are actually Microsoft Word documents with VBA macros. I wrote an ISC Diary entry (I’m a SANS ISC Handler now) detailing the internals of these...


VBA Maldoc: We Don’t Want No Stinkin Sandbox/Virtual PC

Today I got an interesting maldoc sample (77f3949c2130b268bb18061bcb483d16): it will not activate if it runs in a sandboxed or virtualized environment. The following statements are executed right...


Update: oledump.py Version 0.0.12

This update adds support for metadata and fixes an XML parsing bug. oledump_V0_0_12.zip (https) MD5: 0AB5F77A9C0F1FF3E8BE4F675440A875 SHA256:...


oledump And XML With Embedded OLE Object

I updated oledump to handle a new type of malicious document: an XML file, not with VBA macros, but with an embedded OLE object that is a VBS file. And the man page is finished. Run oledump.py -m to...


Quickpost: Maldocs: VBA And Pastebin

For a day or two I’ve been seeing yet another trick used by malware authors in their VBA macros. The sample I’m looking at is 26B857A0A57B89166584CBB7167CAA19. The VBA macro downloads base64 encoded...


Update: pdf-parser Version 0.6.4

In this new version of pdf-parser, option -H will now also calculate the MD5 hashes of the unfiltered and filtered stream of selected objects, and also dump the first 16 bytes. I needed this to analyze...
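As an added example (not pdf-parser's own code), the following Python computes the kind of information -H reports for each stream object: the MD5 and the first 16 bytes of the stream as stored in the file, and of the stream after it has been passed through its /FlateDecode filter. The object scanning is a simplified regex walk over a constructed file (no xref handling, only a direct /Length and the FlateDecode filter); the sample PDF, its benign JavaScript payload, and the function names are assumptions of this example.

```python
"""Hash a PDF stream as stored and after running it through its filter.

Added example, not pdf-parser's own code. The sample PDF and its payload are
constructed here; the parser only handles what that sample needs.
"""
import hashlib
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj\b", re.S)
STREAM_KW = re.compile(rb"\bstream\r?\n")
# Direct /Length only; an indirect "/Length 6 0 R" is deliberately not matched.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")
FILTER_RE = re.compile(rb"/(\w+Decode)\b")

SAMPLE_JS = b"app.alert('hello from the stream');"   # constructed, benign payload


def build_sample_pdf(payload: bytes, level: int = 6) -> bytes:
    """Constructed minimal PDF whose OpenAction runs a FlateDecode JavaScript stream."""
    compressed = zlib.compress(payload, level)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
        b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n"
        b"3 0 obj\n<< /Length " + str(len(compressed)).encode() +
        b" /Filter /FlateDecode >>\nstream\n" + compressed + b"\nendstream\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


def stream_hashes(pdf: bytes) -> list:
    """For every stream object: MD5 and first 16 bytes of the raw stream bytes
    and of the stream after passing it through its filters."""
    results = []
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        kw = STREAM_KW.search(body)
        if kw is None:
            continue                                   # not a stream object
        dictionary, data = body[:kw.start()], body[kw.end():]
        lm = LENGTH_RE.search(dictionary)
        if lm:
            raw = data[:int(lm.group(1))]
        else:                                          # fall back to the endstream keyword
            raw = data[:data.rfind(b"endstream")].rstrip(b"\r\n")
        filters = [f.decode() for f in FILTER_RE.findall(dictionary)]
        decoded = raw
        for f in filters:
            if f != "FlateDecode":
                raise NotImplementedError("filter %s not handled in this example" % f)
            decoded = zlib.decompress(decoded)
        results.append({
            "object": int(m.group(1)),
            "filters": filters,
            "raw_md5": hashlib.md5(raw).hexdigest(),
            "raw_head": raw[:16].hex(),
            "decoded_md5": hashlib.md5(decoded).hexdigest(),
            "decoded_head": decoded[:16].hex(),
            "decoded_len": len(decoded),
        })
    return results


if __name__ == "__main__":
    # Same payload, two compression levels: the raw hashes differ, the decoded hash does not.
    for level in (1, 9):
        for r in stream_hashes(build_sample_pdf(SAMPLE_JS, level)):
            print(level, r)
```

Running it with the same payload compressed at two different levels shows why both hashes matter: the raw MD5 changes with the compression settings, while the decoded MD5 stays the same, so the decoded hash is the one that survives repacking of the same embedded content.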


PDF + DOC + VBAs Videos

I produced videos showing how I created my “Test File: PDF With Embedded DOC Dropping EICAR” and how to change the settings in Adobe Reader to mitigate this.


Analysis Of An Office Maldoc With Encrypted Payload (Quick And Dirty)

The malicious office document we’re analyzing is a downloader: 0e73d64fbdf6c87935c0cff9e65fa3be. oledump reveals VBA macros in the document, but the plugins are not able to extract a URL. Let’s use a...


Analysis Of An Office Maldoc With Encrypted Payload (Slow And Clean)

In my previous post we used VBA and Excel to decode the URL and the PE file. In this post we will use Python. I translated the VBA decoding function IpkfHKQ2Sd to Python: Now we can decode the URL...


Analysis Of An Office Maldoc With Encrypted Payload: oledump plugin

After a quick and dirty analysis and a “slow and clean” analysis of a malicious document, we can integrate the Python decoder function into a plugin: plugin_dridex.py. First we add function...


Maldoc GET Range

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“. I analyzed a malicious document (365a04140b3abe71c6cb4248d5bbbb57a172f37fe878eec49dc90745f5c37ae3) that...


BlackEnergy .XLS Dropper

I’m providing a 2-day training at Brucon Spring Training 2016: “Analysing Malicious Documents“. I analyzed the spreadsheet (97b7577d13cf5e3bf39cbe6d3f0a7732) used in the recent BlackEnergy attacks...


BlackEnergy .XLS Dropper Puzzle

Over at the ISC diary I posted an entry with a puzzle to help you practice the extraction of an embedded file in a spreadsheet. This is the image I embedded:


Update: emldump.py Version 0.0.6

A small update to emldump.py to handle (intentionally) malformed MIME files. More details in my SANS ISC Diary entry “Obfuscated MIME Files”. emldump_V0_0_6.zip (https) MD5:...
