Quickpost: PDF/ActiveMime Maldocs YARA Rule
Didier Stevens » Malware
by Didier Stevens
8M ago
Here is a YARA rule I developed to detect the PDF/ActiveMime maldocs I wrote about in “Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs”. It looks for files that start with %PDF- (this header can be obfuscated) and contain the string QWN0aXZlTWlt (the string ActiveMim in BASE64), possibly obfuscated with whitespace characters.

rule rule_pdf_activemime {
    meta:
        author = "Didier Stevens"
        date = "2023/08/29"
        version = "0.0.1"
        samples = "5b677d297fb862c2d223973697479ee53a91d03073b14556f421b3d74f136b9d,098796e1b82c199ad226bff056b6310262b132f6d06930d3c254c57bdf548187,e ..read more
Quickpost: Analysis of PDF/ActiveMime Polyglot Maldocs
Didier Stevens » Malware
by Didier Stevens
8M ago
jpcert reported a new type of maldoc: “MalDoc in PDF – Detection bypass by embedding a malicious Word file into a PDF file –“. These maldocs are PDF files that embed a Word document (ActiveMime) in MIME format. ActiveMime documents can be analyzed by combining my emldump.py tool and oledump.py. ActiveMime documents were heavily obfuscated in the past, and this is also the case here. As emldump.py version 0.0.11 was only able to handle the obfuscation of 2 of the 3 samples mentioned by jpcert, I released a new version to handle more obfuscation. Here is an analysis example for sample 5b677d297f ..read more
New Tool: onedump.py
Didier Stevens » Malware
by Didier Stevens
1y ago
This is a new tool (based on my Python template for binary files) to analyze OneNote files. This version is limited to handling embedded files (for the moment). As I might still make significant changes to the user interface, I’ve put this tool in my GitHub beta repository ..read more
Combining zipdump, file-magic And myjson-filter
Didier Stevens » Malware
by Didier Stevens
1y ago
In this blog post, I show how you can combine my tools zipdump.py, file-magic.py and myjson-filter.py to select and analyze files of a particular type. I start with a daily batch of malware files published by Malware Bazaar. I let it produce JSON output using option --jsonoutput, which can be consumed by some of my tools, like file-magic.py, my tool to identify files based on their content using the libmagic library. In the output above, we can see that most files are PE files (Windows executables). For this example, I’m interested in Office files (ole files). I can filter the output of file-mag ..read more
Combining dns-pydivert And dnsresolver
Didier Stevens » Malware
by Didier Stevens
1y ago
I use my tools dns-pydivert and dnsresolver.py for dynamic analysis of software (malware and benign software). On the virtual machine where I’m doing dynamic analysis, I disable IPv6 support. I install dnslib and run dnsresolver.py with a command like this, for example: dnsresolver.py "type=resolve,label=example.com,answer=. 1 IN A 127.0.0.1" "type=forwarder,server=8.8.8.8" The first command is a resolve command: DNS A queries for example.com will be resolved to IPv4 address 127.0.0.1 with TTL 1 minute. The second command is a forwarder command: all DNS requests not handled by other command ..read more
Extracting Certificates For Defender
Didier Stevens » Malware
by Didier Stevens
1y ago
A colleague asked me for help with extracting code signing certificates from malicious files, to add them to Defender’s block list. The procedure involves right-clicking the EXE in Windows Explorer, selecting properties to view the digital signature, and so on … But I don’t like procedures where one has to click on malware. So I looked for a PowerShell command, and found this.

Get-AuthenticodeSignature .\malware.exe.vir | Select-Object -ExpandProperty SignerCertificate | Export-Certificate -Type CERT -FilePath SignerCertificate.cer ..read more
Maldoc Analysis Video – Rehearsed & Unrehearsed
Didier Stevens » Malware
by Didier Stevens
1y ago
When I record maldoc analysis videos, I have already analyzed the maldoc prior to recording, and I rehearse the recording. This time, I also recorded the unrehearsed analysis: when I take the first look at a maldoc I’ve not seen before. All in this video ..read more
Examples Of Encoding Reversing
Didier Stevens » Malware
by Didier Stevens
1y ago
I recently created 2 blog posts with corresponding videos for the reversing of encodings. The first one is on the ISC diary: “Decoding Obfuscated BASE64 Statistically“. The payload is encoded with a variation of BASE64, and I show how to analyze the encoded payload to figure out how to decode it. And this is the video for this diary entry: And on this blog, I have another example, more complex, where the encoding is a variation of hexadecimal encoding, with some obfuscation: “Another Exercise In Encoding Reversing“. And here is the video ..read more
Another Exercise In Encoding Reversing
Didier Stevens » Malware
by Didier Stevens
1y ago
I also recorded a video for this blog post. In this blog post, I will show how to decode a payload encoded in a variation of hexadecimal encoding, by performing statistical analysis and guessing some of the “plaintext”. I do have the decoder too now (a .NET assembly), but here I’m going to show how you can try to decode a payload like this without having the decoder. The payload looks like this: Seeing all these letters, I thought: this is lowercase Netbios Name encoding. That is an encoding where each byte is represented by 2 hexadecimal characters, but the characters are all letters, in ste ..read more
PoC: Cobalt Strike mitm Attack
Didier Stevens » Malware
by Didier Stevens
1y ago
I did this about 6 months ago, but this blog post didn’t get posted back then. I’m posting it now. I made a small Proof-of-Concept: cs-mitm.py is a mitmproxy script that intercepts Cobalt Strike traffic, decrypts it and injects its own commands. In this video, a malicious beacon is terminated by sending it a sleep command followed by an exit command. I just included the sleep command to show that it’s possible to do this for more than one command. I selected this malicious beacon for this PoC because it uses one of the leaked private keys, enabling the script to decrypt the metadata and obtain ..read more