Analyzing a Malicious Spreadsheet Dropping a DLL

Introduction This week, we received a suspicious spreadsheet which was used as a malware dropper in a phishing campaign. The spreadsheet writes a DLL file to disk and subsequently executes it. In this blog post, we perform the full analysis of the suspicious spreadsheet. Analyzing the document The analysis of this Excel file starts with … Continue reading Analyzing a Malicious Spreadsheet Dropping a DLL

Extracting Certificates From the Windows Registry

I helped a colleague with a forensic analysis by extracting certificates from the Windows registry. In this blog post, we explain how to do this. The Windows registry contains binary blobs, containing certificates. Like this one: Examples of locations where certificates can be found: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates HKEY_CURRENT_USER\SOFTWARE\Microsoft\SystemCertificates Certificates, encoded in DER format, always start with value … Continue reading Extracting Certificates From the Windows Registry

Malicious SYLK Files with MS Excel 4.0 Macros

Since about a week, we are seeing an increase of SYLK files submitted to VirusTotal. A SYLK file (SYmbolic LinK) is a pure text file format used to store Excel spreadsheets with extension .slk. Although SYLK files can't contain VBA macros, they can still contain executable code, for example DDE commands or MS Excel 4.0 … Continue reading Malicious SYLK Files with MS Excel 4.0 Macros

Solving a CTF challenge: Exploiting a Buffer Overflow (video)

Capture The Flag (CTF) competitions are an entertaining way to practice and/or improve your skills. NVISO staff regularly participates in CTF competitions, in particular when the competition focuses on IT security. We produced a video with step-by-step analysis of a CTF executable containing a buffer overflow. This executable is running on a server, and by … Continue reading Solving a CTF challenge: Exploiting a Buffer Overflow (video)

Detecting and Analyzing Microsoft Office Online Video

A while ago, a new technique was developed to execute arbitrary code via a Word document: an online video is embedded and the HTML code for the embedded video is modified with JavaScript that launches a Windows executable. This technique does not rely on VBA macros and requires the use of the .docx format (for … Continue reading Detecting and Analyzing Microsoft Office Online Video

Differential Malware Analysis: An Example

There are many ways to analyze malware. In this blog post, we illustrate a typical analysis method: comparing an unknown sample with a known sample, to determine if the unknown sample is malicious or not. During one of our engagements, we came across a PDF document that triggered our anti-virus. What intrigued us, was that … Continue reading Differential Malware Analysis: An Example

OpenSSH User Enumeration Vulnerability: a Close Look

Intro An OpenSSH user enumeration vulnerability (CVE-2018-15473) became public via a GitHub commit. This vulnerability does not produce a list of valid usernames, but it does allow guessing of usernames. In this blog post, we take a closer look at this vulnerability and propose mitigation and monitoring actions. Technical details This vulnerability manifests itself in … Continue reading OpenSSH User Enumeration Vulnerability: a Close Look