Hunting with YARA rules and ClamAV

Did you know that the open-source anti-virus engine ClamAV supports YARA rules? What does this bring us? One important feature of ClamAV is its file decomposition capability: if the file you want to analyze resides in an archive, or is a packed executable, ClamAV will first unarchive/unpack the file and then run the YARA …
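The point of the decomposition feature is that a signature which is plainly visible in the extracted file is not visible in the compressed bytes on disk, so a scanner that only looks at the archive as stored will miss it. The following added example (not ClamAV or YARA code; the marker string, file names and the nested-zip sample are all constructed for illustration) contrasts a flat byte match against a scanner that recursively opens zip containers before matching, which is the behaviour ClamAV gives your YARA rules for free. A plain substring stands in for a YARA string match.

```python
"""Toy illustration of why an engine that decomposes archives before matching
finds more than a scanner that only inspects the raw bytes on disk.
Added example, not ClamAV or YARA code; the 'rule' is a plain substring."""
import io
import zipfile

# Constructed sample input: a text "payload" carrying a marker that a rule looks for.
MARKER = b"SIGNATURE_MARKER_7f3a"  # hypothetical indicator, not a real signature
PAYLOAD = b"benign looking text " * 40 + MARKER + b" trailing text " * 40


def build_zip(members):
    """Return the bytes of a DEFLATE-compressed zip holding {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_nested_sample():
    """payload.txt inside inner.zip inside outer.zip (constructed test input)."""
    inner = build_zip({"payload.txt": PAYLOAD})
    return build_zip({"inner.zip": inner})


def flat_match(data, needle):
    """A scanner that only looks at the bytes it is handed, no decomposition."""
    return needle in data


def scan_recursive(data, needle, path="<root>", max_depth=8):
    """Decompose zip containers and match at every level.

    Returns the list of container paths at which the needle was found.
    The zip check uses the local-file-header magic 'PK\\x03\\x04'; a real
    engine identifies file types more thoroughly, and max_depth is the usual
    guard against zip bombs and endless nesting."""
    hits = []
    if needle in data:
        hits.append(path)
    if max_depth > 0 and data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    member = zf.read(info.filename)
                    hits.extend(scan_recursive(member, needle,
                                               f"{path}/{info.filename}",
                                               max_depth - 1))
        except zipfile.BadZipFile:
            pass  # not a readable zip: treat it as an opaque blob
    return hits


if __name__ == "__main__":
    sample = build_nested_sample()
    print("flat match on archive bytes:", flat_match(sample, MARKER))
    print("recursive match:", scan_recursive(sample, MARKER))
```

With ClamAV you get the recursive behaviour by simply loading the rule: save it in a `.yar` file and either drop it in the ClamAV database directory or pass it with `clamscan -d rules.yar sample.zip`; the engine unpacks the archive and applies the rule to each extracted member.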

Maldoc: It’s not all VBA these days

Since late 2014 we have witnessed a resurgence of campaigns spamming malicious Office documents with VBA macros. Sometimes, however, we also see malicious Office documents exploiting relatively recent vulnerabilities. In this blog post we look at a malicious MS Office document that uses an exploit instead of VBA. The sample we received is 65495b359097c8fdce7fe30513b7c637. It exploits vulnerability CVE-2015-2545 …

Working with GFI Cloud anti-virus quarantine files

We were recently asked to analyse a sample that had been quarantined by GFI Cloud anti-virus. Based on our previous experience with various anti-virus products, we wanted to obtain the sample directly from the quarantine rather than restoring it first. Anti-virus products use quarantine files to safely store files that were detected as malicious and thus are …