I published the following diary on isc.sans.edu: “A First Malicious OneNote Document“: Attackers are always trying to find new ways to deliver malware to victims. They recently started sending Microsoft OneNote files in massive phishing campaigns. OneNote files (ending the extension “.one”) are handled automatically by computers that have the
I published the following diary on isc.sans.edu: “A Good Old Equation Editor Vulnerability Delivering Malware“: Here is another sample demonstrating how attackers still rely on good old vulnerabilities… In 2017, Microsoft Office suffered from a critical vulnerability that affected its Equation Editor tool, known as CVE-2017-11882. It’s a memory corruption
I published the following diary on isc.sans.edu: “Malicious Word Document with Dynamic Content“: Here is another malicious Word document that I spotted while hunting. “Another one?” may ask some of our readers. Indeed but malicious documents remain a very common infection vector and you learn a lot when you analyze
I published the following diary on isc.sans.edu: “Microsoft Apps Diverted from Their Main Use“: This week, the CERT.eu organized its yearly conference in Brussels. Across many interesting presentations, one of them covered what they called the “cat’n’mouse” game that Blue and Red teams are playing continuously. When the Blue team has
I published the following diary on isc.sans.edu: “Dissecting Malicious Office Documents with Linux”: A few months ago, Rob wrote a nice diary to explain how to dissect a (malicious) Office document (.docx). The approach was to use the OpenXML SDK with Powershell. This is nice but how to achieve the
I published the following diary on isc.sans.org: “Antivirus Evasion? Easy as 1,2,3“: For a while, ISC handlers have demonstrated several obfuscation techniques via our diaries. We always told you that attackers are trying to find new techniques to hide their content to not be flagged as malicious by antivirus products.
I published the following diary on isc.sans.org: “Example of ‘MouseOver’ Link in a Powerpoint File“: I really like Microsoft Office documents…Â They offer so many features that can be (ab)used to make them virtual bombs. Yesterday, I found a simple one but nicely prepared Powerpoint presentation: Payment_copy.ppsx (SHA256:7d6f3eb45c03a8c2fca4685e9f2d4e05c5fc564c3c81926a5305b6fa6808ac3f). It was still
I published the following diary on isc.sans.org: “Microsoft Office VBA Macro Obfuscation via Metadata“: Often, malicious macros make use of the same functions to infect the victim’s computer. If a macro contains these strings, it can be flagged as malicious or, at least, considered as suspicious. Some examples of suspicious functions
I published the following diary on isc.sans.org: “If you want something done right, do it yourself!“. Another day, another malicious document! I like to discover how the bad guys are creative to write new pieces of malicious code. Yesterday, I found another interesting sample. It’s always the same story, a
