Analysis of a CVE-2017-0199 Malicious RTF Document

There is a new exploit (CVE-2017-0199) going around for which a patch was released by Microsoft on 11/04/2017. In this post, we analyze an RTF document exploiting this vulnerability and provide a YARA rule for detection. rtfdump.py is a Python tool to analyze RTF documents. Running it on our sample produces a list with all "entities" …

New Hancitor maldocs keep on coming…

Didier Stevens will provide NVISO training on malicious documents at Brucon Spring: Malicious Documents for Blue and Red Teams. For more than half a year now we have seen malicious Office documents delivering Hancitor malware via a combination of VBA, shellcode and an embedded executable. The VBA code decodes and executes the shellcode, the shellcode hunts for the …

Developing complex Suricata rules with Lua – part 2

In part 1 we showed a Lua program to have Suricata detect PDF documents with obfuscated /JavaScript names. In this second part we provide some tips to streamline the development of such programs. When it comes to developing Lua programs, Suricata is not the best development environment. The "write code & test"-cycle with Suricata can …

Developing complex Suricata rules with Lua – part 1

The Suricata detection engine supports rules written in the embeddable scripting language Lua. In this post we give a PoC Lua script to detect PDF documents with name obfuscation. One of the elements that make up a PDF is a name. A name is a reserved word that starts with the character / followed by alphanumerical characters. Example: /JavaScript. …

Hunting with YARA rules and ClamAV

Did you know the open-source anti-virus ClamAV supports YARA rules? What benefits can this bring to us? One of the important features ClamAV has is the file decomposition capability. Say that the file you want to analyze resides in an archive, or is a packed executable, then ClamAV will unarchive/unpack the file, and run the YARA …

Maldoc: It’s not all VBA these days

Since late 2014 we have witnessed a resurgence of campaigns spamming malicious Office documents with VBA macros. Sometimes, however, we also see malicious Office documents exploiting relatively recent vulnerabilities. In this blog post we look at a malicious MS Office document that uses an exploit instead of VBA. The sample we received is 65495b359097c8fdce7fe30513b7c637. It exploits vulnerability CVE-2015-2545 …