Malicious SYLK Files with MS Excel 4.0 Macros

Since about a week, we are seeing an increase of SYLK files submitted to VirusTotal. A SYLK file (SYmbolic LinK) is a pure text file format used to store Excel spreadsheets with extension .slk. Although SYLK files can't contain VBA macros, they can still contain executable code, for example DDE commands or MS Excel 4.0 … Continue reading Malicious SYLK Files with MS Excel 4.0 Macros

Detecting and Analyzing Microsoft Office Online Video

A while ago, a new technique was developed to execute arbitrary code via a Word document: an online video is embedded and the HTML code for the embedded video is modified with JavaScript that launches a Windows executable. This technique does not rely on VBA macros and requires the use of the .docx format (for … Continue reading Detecting and Analyzing Microsoft Office Online Video

Differential Malware Analysis: An Example

There are many ways to analyze malware. In this blog post, we illustrate a typical analysis method: comparing an unknown sample with a known sample, to determine if the unknown sample is malicious or not. During one of our engagements, we came across a PDF document that triggered our anti-virus. What intrigued us, was that … Continue reading Differential Malware Analysis: An Example

Shortcomings of blacklisting in Adobe Reader and what you can do about it

A variation of a class of malicious PDFs appeared in the wild. In this blog post, we will show you how to protect your systems and how to analyze these PDFs. The PDFs embed a file type with extension .SettingContent-ms that can be used on Windows 10 to execute arbitrary code. We have observed on … Continue reading Shortcomings of blacklisting in Adobe Reader and what you can do about it

Extracting a Windows Zero-Day from an Adobe Reader Zero-Day PDF

In May 2018, when ESET published a blog post covering PDFs with 2 zero days, our interest was immediately piqued. Promptly after our analysis of these PDFs, we send out an early warning to our customers. Now that Microsoft published a blog post with the detailed analysis of the zero days, we find it appropriate … Continue reading Extracting a Windows Zero-Day from an Adobe Reader Zero-Day PDF

Painless Cuckoo Sandbox Installation

TLDR: As part of our SANS SEC599 development efforts, we updated (fixed + added some new features) an existing Cuckoo Auto Install script by Buguroo Security to automate Cuckoo sandbox installation (& VM import). Download it from our Github here. Intro As a blue team member, you often have a need to analyze a piece … Continue reading Painless Cuckoo Sandbox Installation

YARA DDE rules: DDE Command Execution observed in-the-wild

The MS Office DDE YARA rules that we published yesterday detected several malicious documents samples since 10/10/2017. Remark: the malicious samples we mention were detected with our DDEAUTO rule (Office_DDEAUTO_field); as we feared, the second rule (Office_DDE_field) is generating some false positives and we will update it. The firstĀ sampleĀ uses PowerShell to download an executableĀ and run … Continue reading YARA DDE rules: DDE Command Execution observed in-the-wild