I published the following diary on isc.sans.edu: “How Attackers Brush Up Their Malicious Scripts“: On Friday, I received a bunch of alerts from one of my YARA hunting rules. Several samples were submitted from the same account (through the VT API), from the same country (US), and in a very
I published the following diary on isc.sans.edu: “A Mix of Python & VBA in a Malicious Word Document“: A few days ago, Didier wrote an interesting diary about embedded objects into an Office document. I had a discussion about an interesting OLE file that I found. Because it used the same
I published the following diary on isc.sans.edu: “Malicious Excel Sheet with a NULL VT Score“: Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that just has a very nice score of 0/57 on VT. Yes, according to
I published the following diary on isc.sans.edu: “A Safe Excel Sheet Not So Safe“: I discovered a nice sample yesterday. This excel sheet was found in a mail flagged as “suspicious†by a security appliance. The recipient asked to release the mail from the quarantine because “it was sent from
I published the following diary on isc.sans.org: “Antivirus Evasion? Easy as 1,2,3“: For a while, ISC handlers have demonstrated several obfuscation techniques via our diaries. We always told you that attackers are trying to find new techniques to hide their content to not be flagged as malicious by antivirus products.
I published the following diary on isc.sans.org: “Microsoft Office VBA Macro Obfuscation via Metadata“: Often, malicious macros make use of the same functions to infect the victim’s computer. If a macro contains these strings, it can be flagged as malicious or, at least, considered as suspicious. Some examples of suspicious functions
I published the following diary on isc.sans.org: “Base64 All The Things!“. Here is an interesting maldoc sample captured with my spam trap. The attached file is “PO# 36-14673.DOC†and has a score of 6 on VT. The file contains Open XML data that refers to an invoice.. [Read more]
I published the following diary on isc.sans.org: “Another Day, Another Malicious Behaviour“. Every day, we are spammed with thousands of malicious emails and attackers always try to find new ways to bypass the security controls. Yesterday, I detected a suspicious HTTP GET request: … [Read more]
Just a quick post about a problem that security analysts are facing daily… For a while, malicious Office documents are delivered with OLE objects containing VBA macros. Bad guys are always using obfuscation techniques to make the analysis more difficult and (try to) bypass basic filters. This makes the analysis
[This blogpost has also been published as a guest diary on isc.sans.org] Like everybody, I’m receiving a lot of spam everyday but… I like it! All unsocilited received messages are stored in a dedicated folder for two purposes: An automatic processing via my tool mime2vt A manual review at regular interval
