ClamAV sigtool --decode-sigs
Here is a great tip from @PintAndClick: you can pipe the output of sigtool --find-sigs into sigtool --decode-sigs to get a nice breakdown of the signatures:
Quickpost: Analyzing .ISO Files Containing Malware
Searching through VirusTotal Intelligence, I found a couple of .iso files (CD & DVD images) containing a malicious EXE spammed via email like this one. Here is the attached .iso file (from May 25th...
.ISO Files With Zone.Identifier
An .iso file downloaded from the Internet (thus with a Zone.Identifier ADS) opened in Windows 10 will not propagate this “mark-of-the-web” to the contained files. Here is an example with file demo.iso,...
The Clip Command
You probably know that I like to pipe commands together when I analyze malware … Are you familiar with Windows’ clip command? It’s a very simple command that I use often: it reads input from stdin and...
.ISO Files & autorun.inf
I was asked if malware authors can abuse autorun.inf files in .ISO files: no, nothing will execute automatically when you open an .ISO file with autorun.inf file in Windows 8 or 10. I have videos to...
Quickpost: Using ClamAV On Windows
This is how I deploy and configure ClamAV on Windows: I download the portable Windows x64 version in a ZIP file (clamav-0.99.2-x64.zip). I extract the content of this ZIP file to folder c:\portable\,...
Analyzing A Malicious Document Cleaned By Anti-Virus
@futex90 shared a sample with me detected by many anti-virus programs on VirusTotal but, according to oledump.py, without VBA macros: I’ve seen this once before: this is a malicious document that has...
Quickpost: Retrieving Malware Via Tor On Windows
I sometimes retrieve malware over Tor, just as a simple trick to use another IP address than my own. I don’t do anything particular to be anonymous, just use Tor in its default configuration. On Linux,...
SpiderMonkey and STDIN
With most of my tools, I try to support input via STDIN. It’s also possible to provide JavaScript scripts for parsing to SpiderMonkey via STDIN. You can pass filename - to js for processing STDIN...
Extracting DotNetToJScript’s PE Files
I added a new option (-I, --ignorehex) to base64dump.py to make the extraction of the PE file inside a JScript script generated with DotNetToJScript a bit easier. DotNetToJScript is James Forshaw’s...
Obtaining Malware Samples for Analysis
In my malware analysis blog posts and videos, I always try to include the hash or VirusTotal link of the sample(s) I analyze. If I don’t, it means I’m not at liberty to share the hash. For every video...
Analyzing a Phishing PDF with /ObjStm
I got hold of a phishing PDF where the /URI is hiding inside a stream object (/ObjStm). First I start the analysis with pdfid.py: There is no /URI reported, but remark that the PDF contains 5 stream...
Maldoc: Excel 4.0 Macro
MD5 007de2c71861a3e1e6d70f7fe8f4ce9b is a malicious document: a spreadsheet with Excel 4.0 macros. Excel 4.0 macros predate VBA macros: they are composed of functions placed inside cells of a macro...
Extracting “Stack Strings” from Shellcode
A couple of years ago, I wrote a Python script to enhance Radare2 listings: the script extracts strings from stack frame instructions. Recently, I combined my tools to achieve the same without a 32-bit...
Update: virustotal-search.py Version 0.1.5
virustotal-search.py is a tool to query VirusTotal via its public API for file reports by providing hashes to search for. This new version adds searching for URLs. Use option -t to select the type of...
New Tool: amsiscan.py
amsiscan.py is a Python script that uses Windows 10’s AmsiScanBuffer function to scan input for malware. It reads one or more files or stdin. The AmsiScanBuffer function returns 5 possible values when...
Update Of My PDF Tools
This is an update of my PDF tools. There are a couple of bug fixes for pdf-parser and pdfid. And 2 new features in pdf-parser, inspired by a private training on maldoc analysis I gave last week. I...
Quickpost: ExifTool, OLE Files and FlashPix Files
ExifTool can misidentify VBA macro files as FlashPix files. The binary file format of Office documents (.doc, .xls) uses the Compound File Binary Format, which I like to refer to as OLE files. These files...
View ArticleSteganography and Malware
I was reading about malware using WAV files and steganography to download payloads without triggering detection systems. For example, here is a WAV file with a hidden, embedded PE file. The PE file is...
Analyzing .DWG Files With Embedded VBA Macros
AutoCAD’s drawing files (.dwg) can contain VBA macros. The .dwg format is a proprietary file format. There is some documentation, for example here. When VBA macros are stored inside a .dwg file, an OLE...