Tools: oledump.py, YARA.
NVISO blog post: Detecting DDE in MS Office documents
ISC diary entry: DDE and oledump
my software
tshark & Malware Analysis
pdftool.py: Incremental Updates
Tool: pdftool.py
Blog posts: Solving a Little PDF Puzzle, Shoulder Surfing a Malicious PDF Author, New Tool: pdftool.py.
Decoding a Payload Using a Dynamic XOR Key
Tool: XORSelection.1sc
Sample: 8f4654952833b7d7b7db02ca7cb6c2f6cb9c3c545dc51124b0f18588b3c4e1c0
Blog post: Update: XORSelection.1sc Version 6.0
If you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation.
Doc & RTF Malicious Document
Inspecting Process Explorer Traffic With Fiddler
Tools: Fiddler, Process Explorer
ISC diary entry: Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
Analyzing FireEye Maldocs
Tools: oledump.py, numbers-to-string.py
Sample: 41b70737fa8dda75d5e95c82699c2e9b
ISC diary entry: Analyzing FireEye Maldocs
oledump Indicators
Decrypting With translate.py
Tools: base64dump.py, translate.py
Blog post: Decrypting With translate.py
ISC diary entry: Decrypting PowerShell Payloads (video)
Example script: https://pastebin.com/QUGiWTHj
