I published the following diary on isc.sans.edu: “Dynamic Data Exchange (DDE) is Back in the Wild?‘”: DDE or “Dynamic Data Exchange” is a Microsoft technology for interprocess communication used in early versions of Windows and OS/2. DDE allows programs to manipulate objects provided by other programs, and respond to user actions affecting those objects. FOr a while,
I published the following diary on isc.sans.edu: “New Example of XSL Script Processing aka ‘Mitre T1220‘”: Last week, Brad posted a diary about TA551. A few days later, one of our readers submitted another sample belonging to the same campaign. Brad had a look at the traffic so I decided
It’s very tempting and, honestly, I’m doing it from time to time… I search for pictures on the Internet and use them in my documents! Why it could be dangerous in some cases? Let’s put aside copyright issues (yes, some pictures might not be free of use) but focus on
I published the following diary on isc.sans.edu: “Malicious Word Document Delivering an Octopus Backdoor“: Here is an interesting malicious Word document that I spotted yesterday. This time, it does not contain a macro but two embedded objects that the victim must “activate” (click on one of them) to perform the malicious activities.
I published the following diary on isc.sans.edu: “Malicious Word Document with Dynamic Content“: Here is another malicious Word document that I spotted while hunting. “Another one?” may ask some of our readers. Indeed but malicious documents remain a very common infection vector and you learn a lot when you analyze
I published the following diary on isc.sans.edu: “A Mix of Python & VBA in a Malicious Word Document“: A few days ago, Didier wrote an interesting diary about embedded objects into an Office document. I had a discussion about an interesting OLE file that I found. Because it used the same
I published the following diary on isc.sans.edu: “More Equation Editor Exploit Waves“: This morning, I spotted another wave of malicious documents that (ab)use againÂ CVE-2017-11882Â in the Equation Editor (see myÂ yesterday’s diary). This time, malicious files are RTF files. One of the samples is SHA256:bc84bb7b07d196339c3f92933c5449e71808aa40a102774729ba6f1c152d5ee2 (VT score: 19/57)… [Read more]
[This blogpost has also been published as a guest diary on isc.sans.org] Like everybody, I’m receiving a lot of spam everyday but… I like it! All unsocilited received messages are storedÂ in a dedicated folder for two purposes: An automatic processing via my tool mime2vt A manual review at regular interval