Tools: oledump.py
Blog post: Cracking VBA Project Passwords
ISC Diary Entry: Cracking Maldoc VBA Project Passwords
malware
YARA’s BASE64 Strings
ISC Diary Entry: YARA’s BASE64 Strings
SANS@MIC – Maldocs: a bit of blue, a bit of red
Maldoc Analysis With xlm-deobfuscator
Sample: 82c12e7fe6cabf5edc0bdaa760b4b8c8
ISC Diary Entry: Zloader Maldoc Analysis With xlm-deobfuscator
zipdump.py: Malformed .docm File
Tools: zipdump.py
Blog post: Analyzing Malformed ZIP Files
Sample: c36e0ef657bc2137d4ee13a97528e7a12d2ffe7b8dc2b54c92f123b3f61845a6
ISC Diary Entry: Obfuscated with a Simple 0x0A
Stego & Cryptominers
Tools: format-bytes.py, pecheck.py, file-magic.py, cut-bytes.py.
Blog post: Steganography and Malware
Sample: DB043392816146BBE6E9F3FE669459FEA52A82A77A033C86FD5BC2F4569839C9
ISC Diary Entry: Video: Stego & Cryptominers
Analyzing Unusual ZIP Files
Analyzing .DWG Files With Embedded VBA Macros
Tools: oledump.py, cut-bytes.py.
Blog post: Analyzing .DWG Files With Embedded VBA Macros
ISC Diary entry: Malicious .DWG Files?
Encrypted Sextortion PDFs
Tools: pdfid.py and pdf-parser.py, QPDF and Poppler.
ISC diary entries: “Encrypted Sextortion PDFs”
Sample: 294592cd85ddf80ad1a092f955f1ae25
Analyzing DAA Files
Tools: search-for-compression.py
ISC diary entries: “Malicious .DAA Attachments” and “The DAA File Format”
Sample: 6e8947a82c97c26728dc590ed797ee23
