Tools: parse-cs-http-traffic.py, 1768.py, pecheck.py and pybeacon.
ISC diary entry: Decoding Cobalt Strike Traffic
YARA and CyberChef: ZIP
YARA and CyberChef
Finding Metasploit & Cobalt Strike URLs
oledump and YARA DDE Rules
Tools: oledump.py, YARA.
NVISO blog post: Detecting DDE in MS Office documents
ISC diary entry: DDE and oledump
tshark & Malware Analysis
pdftool.py: Incremental Updates
Tool: pdftool.py
Blog posts: Solving a Little PDF Puzzle, Shoulder Surfing a Malicious PDF Author, New Tool: pdftool.py.
Decoding a Payload Using a Dynamic XOR Key
Tool: XORSelection.1sc
Sample: 8f4654952833b7d7b7db02ca7cb6c2f6cb9c3c545dc51124b0f18588b3c4e1c0
Blog post: Update: XORSelection.1sc Version 6.0
If you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation.
Doc & RTF Malicious Document
CyberChef: Analyzing OOXML Files for URLs
Tools: CyberChef
CyberChef Recipe: here
Sample: f84b3a056abcbcfd5976afe8776a35c5894b379e65c411ddc421941d3a2a4b8b
ISC diary entry: Doc & RTF Malicious Document
