I published the following diary on isc.sans.org: “Base64 All The Things!”. Here is an interesting maldoc sample captured with my spam trap. The attached file is “PO# 36-14673.DOC” and has a score of 6 on VT. The file contains Open XML data that refers to an invoice.. [Read more]
Tag: Base64
[SANS ISC] A VBScript with Obfuscated Base64 Data
I published the following diary on isc.sans.org: “A VBScript with Obfuscated Base64 Data”. A few months ago, I posted a diary to explain how to search for (malicious) PE files in Base64 data. Base64 is indeed a common way to distribute binary content in an ASCII form. There are plenty
[SANS ISC] Searching for Base64-encoded PE Files
I published the following diary on isc.sans.org: “Searching for Base64-encoded PE Files”. When hunting for suspicious activity, it’s always a good idea to search for Microsoft Executables. They are easy to identify: They start with the characters “MZ” at the beginning of the file. But, to bypass classic controls, those