I published the following diary on isc.sans.org: “Malicious AutoIT script delivered in a self-extracting RAR file“. Here is another sample that hit my curiosity. As usual, the infection vector was an email which delivered some HTML code in an attached file called “PO_5634_780.docx.html†(SHA1:d2158494e1b9e0bd85e56e431cbbbba465064f5a). It has a very low VT
I published the following diary on isc.sans.org: “Malicious script dropping an executable signed by Avast?“. Yesterday, I found an interesting sample that I started to analyze… It reached my spam trap attached to an email in Portuguese with the subject: “Venho por meio desta solicitar orçamento dos produtos†(“I hereby
I published the following diary on isc.sans.org: “Maldoc with auto-updated link“. Yesterday, while hunting, I found another malicious document that (ab)used a Microsoft Word feature: auto-update of links. This feature is enabled by default for any newly created document (that was the case for my Word 2016 version). If you
I published the following diary on isc.sans.org: “Obfuscating without XOR“. Malicious files are generated and spread over the wild Internet daily (read: “hourly”). The goal of the attackers is to use files that are: not know by signature-based solutions not easy to read for the human eye That’s why many
I published the following diary on isc.sans.org: “Analysis of a Maldoc with Multiple Layers of Obfuscation“. Thanks to our readers, we get often interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called “Invoice_6083.doc” (which was delivered in a zip archive). I had a quick
I published the following diary on isc.sans.org: “Hunting for Malicious Excel Sheets“. Recently, I found a malicious Excel sheet which contained a VBA macro. One particularity of this file was that useful information was stored in cells. The VBA macro read and used them to download the malicious PE file.
I published the following diary on isc.sans.org: “Example of Multiple Stages Dropper“. If some malware samples remain simple (see my previous diary), others try to install malicious files in a smooth way to the victim computers. Here is a nice example that my spam trap captured a few days ago. The
I published the following diary on isc.sans.org: “Not All Malware Samples Are Complex“. Everyday we hear about new pieces of malware which implement new techniques to hide themselves and defeat analysts. But they are still people who write simple code that just “do the job”. The sample that I’m reviewing today had a very
I published the following diary on isc.sans.org: “Many Malware Samples Found on Pastebin“. pastebin.com is a wonderful website. I’m scrapping all posted pasties (not only from pastebin.com) and pass them to a bunch of regular expressions. As I said in a previous diary, it is a good way to perform
With the number of attacks that we are facing today, defenders are looking for more and more IOC’s (“Indicator of Compromise) to feed their security solutions (firewalls, IDS, …). It becomes impossible to manage all those IOC’s manually and automation is the key. There are two main problems with this
