We were recently asked to analyse a sample that had been quarantined by GFI Cloud anti-virus. Based on our previous experience with various anti-virus products, we wanted to obtain the sample directly from the quarantine rather than restore it first. Anti-virus products use quarantine files to safely store files that were detected as malicious and thus are … Continue reading Working with GFI Cloud anti-virus quarantine files
Author: Didier Stevens
Detecting py2exe Executables: YARA Rule
Following the release of the tool to decompile EXE files generated with py2exe, we are releasing a YARA rule to detect such EXE files. Imagine you receive an executable for analysis. If you go for static analysis, it is useful to know how the executable was produced. For example, if it was "converted" from Python to EXE, decompiling … Continue reading Detecting py2exe Executables: YARA Rule
Decompiling py2exe Executables
We had to decompile an executable (.exe) generated with py2exe for Python 3. py2exe takes a Python program and generates a Windows executable. This .exe file contains the Python bytecode of the program, a Python interpreter and all the necessary modules. The bytecode is stored as a resource inside the .exe file. unpy2exe will extract … Continue reading Decompiling py2exe Executables
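The two py2exe posts above share one mechanism: py2exe keeps the frozen script as a resource of type PYTHONSCRIPT, so detection means "does this PE carry such a resource" and decompilation starts with "pull that resource out". The following Python is an added example written for this page; it is not code from the posts, from the YARA rule, or from unpy2exe. It walks the PE resource directory by hand (no pefile dependency), answers the same question the YARA rule asks, and returns the raw resource bytes. The test file it builds is a constructed fixture with only a .rsrc section, not a real py2exe build; unmarshalling the bytecode inside the blob is version specific and is left to unpy2exe.

```python
import struct

# Resource type name under which py2exe stores the frozen script (what the YARA rule and unpy2exe look for)
PYTHONSCRIPT = "PYTHONSCRIPT"


def _parse_headers(pe):
    """Return (sections, resource_dir_rva); sections = [(va, vsize, raw_size, raw_ptr), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsections, opt_size = struct.unpack_from("<H12xH", pe, e_lfanew + 6)
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = 96 if magic == 0x10B else 112                   # data directories start here for PE32 / PE32+
    rsrc_rva = struct.unpack_from("<I", pe, opt + dd + 2 * 8)[0]   # directory entry 2 = resources
    sections = []
    for i in range(nsections):
        _, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((va, vsize, raw_size, raw_ptr))
    return sections, rsrc_rva


def _rva_to_offset(sections, rva):
    for va, vsize, raw_size, raw_ptr in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def list_resources(pe):
    """Walk the type/name/language resource tree; returns {(type, name, lang): bytes} (str for names, int for ids)."""
    sections, rsrc_rva = _parse_headers(pe)
    if rsrc_rva == 0:
        return {}
    base = _rva_to_offset(sections, rsrc_rva)
    found = {}

    def label_of(field):
        if field & 0x80000000:                           # high bit: offset to IMAGE_RESOURCE_DIR_STRING_U
            s = base + (field & 0x7FFFFFFF)
            n = struct.unpack_from("<H", pe, s)[0]
            return pe[s + 2:s + 2 + 2 * n].decode("utf-16-le")
        return field                                     # plain numeric id

    def walk(dir_off, path):
        if len(path) > 3:                                # a crafted tree can loop; refuse to recurse forever
            raise ValueError("resource tree deeper than three levels")
        n_named, n_id = struct.unpack_from("<HH", pe, base + dir_off + 12)
        entry = base + dir_off + 16
        for _ in range(n_named + n_id):
            name_field, data_field = struct.unpack_from("<II", pe, entry)
            entry += 8
            here = path + (label_of(name_field),)
            if data_field & 0x80000000:                  # subdirectory
                walk(data_field & 0x7FFFFFFF, here)
            else:                                        # IMAGE_RESOURCE_DATA_ENTRY: data RVA, size
                rva, size = struct.unpack_from("<II", pe, base + data_field)
                found[here] = pe[_rva_to_offset(sections, rva):][:size]

    walk(0, ())
    return found


def is_py2exe(pe):
    """The YARA rule's question in Python: does the PE carry a resource of type PYTHONSCRIPT?"""
    try:
        return any(path[0] == PYTHONSCRIPT for path in list_resources(pe))
    except (ValueError, struct.error):
        return False


def extract_pythonscript(pe):
    """Return the raw PYTHONSCRIPT resource (the blob unpy2exe parses further), or None."""
    for path, blob in list_resources(pe).items():
        if path[0] == PYTHONSCRIPT:
            return blob
    return None


def build_test_pe(blob, type_name=PYTHONSCRIPT):
    """Constructed fixture: a minimal PE32 whose only section is .rsrc, holding blob as <type_name>/1/0.
    Not a py2exe output and not runnable; it exists only to exercise the parser above."""
    name = type_name.encode("utf-16-le")
    sec_va, sec_raw = 0x1000, 0x200
    lvl2, lvl3, dent, sname = 0x18, 0x30, 0x48, 0x58    # offsets inside .rsrc (root directory at 0)
    dblob = (sname + 2 + len(name) + 3) & ~3
    rsrc = struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0) + struct.pack("<II", 0x80000000 | sname, 0x80000000 | lvl2)
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 1, 0x80000000 | lvl3)
    rsrc += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1) + struct.pack("<II", 0, dent)
    rsrc += struct.pack("<IIII", sec_va + dblob, len(blob), 0, 0)
    rsrc += struct.pack("<H", len(type_name)) + name
    rsrc = rsrc.ljust(dblob, b"\0") + blob
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(96, b"\0") + b"".join(
        struct.pack("<II", sec_va, len(rsrc)) if i == 2 else b"\0" * 8 for i in range(16))
    sect = struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), sec_va, len(rsrc), sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + b"PE\0\0" + coff + opt + sect).ljust(sec_raw, b"\0") + rsrc


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(b"\0" * 16)
    print("py2exe:", is_py2exe(data), "resources:", list(list_resources(data)))
```

Run it against a real sample with `python pyrsrc.py sample.exe` (the file name is ours); the fixture path runs when no argument is given. The depth guard in `walk` matters on malware: a hand-built resource directory can point a subdirectory entry back at its parent, and a naive walker never terminates.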
PDF Analysis: Back To Basics
When you receive a suspicious PDF these days, it could be just a scam without any malicious code. Let's see how to analyze such samples with the PDF Tools. As always, we first take a look with pdfid. There is nothing special to see, but we still have to check the content of the object streams (/ObjStm), because objects stored inside them are compressed and their keywords do not show up in a plain scan of the file. Still nothing special … Continue reading PDF Analysis: Back To Basics
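To make the /ObjStm point concrete, here is an added example (written for this page, not code from the post or from pdfid): a small pdfid-style keyword counter that counts the usual triage keywords over the raw file, then again after inflating every FlateDecode object stream, so that a /OpenAction and /JavaScript hidden inside an object stream become visible. It also normalizes hex-escaped names (`/#4A#53` is `/JS`) and respects name boundaries (`/Pages` is not `/Page`). The sample PDF is constructed inline and the keyword list is our own subset of what pdfid reports.

```python
import re
import zlib

# Our subset of pdfid's keyword list (constructed for this example)
KEYWORDS = [b"obj", b"endobj", b"stream", b"endstream", b"xref", b"trailer", b"startxref",
            b"/Page", b"/Encrypt", b"/ObjStm", b"/JS", b"/JavaScript", b"/AA", b"/OpenAction",
            b"/Launch", b"/EmbeddedFile"]

_STREAM_RE = re.compile(rb"(?<![A-Za-z])stream\r?\n(.*?)\r?\nendstream", re.S)


def _normalize(buf):
    """Resolve #xx hex escapes so /#4A#53 is counted as /JS."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), buf)


def _count_in(buf):
    """Count each keyword once per occurrence, honouring PDF token boundaries."""
    buf = _normalize(buf)
    counts = {}
    for kw in KEYWORDS:
        if kw.startswith(b"/"):
            # a name ends at whitespace or a delimiter, so /Page does not match /Pages
            pat = re.escape(kw) + rb"(?![^\s/\[\]<>(){}%])"
        else:
            # plain keywords: obj must not match inside endobj, stream not inside endstream
            pat = rb"(?<![A-Za-z])" + kw + rb"(?![A-Za-z])"
        counts[kw.decode()] = len(re.findall(pat, buf))
    return counts


def _streams(data):
    """Yield (dictionary_text, raw_stream_bytes) for every stream in the file."""
    for m in _STREAM_RE.finditer(data):
        start = max(data.rfind(b"obj", 0, m.start()), 0)     # back to the owning "N G obj"
        yield data[start:m.start()], m.group(1)


def count_keywords(data, inflate_objstm=False):
    """pdfid-style counts; with inflate_objstm, objects inside Flate-compressed object streams count too."""
    counts = _count_in(data)
    if inflate_objstm:
        for dictionary, raw in _streams(data):
            dictionary = _normalize(dictionary)
            if b"/ObjStm" not in dictionary or b"/FlateDecode" not in dictionary:
                continue
            try:
                inflated = zlib.decompressobj().decompress(raw)   # tolerates trailing junk after the stream
            except zlib.error:
                continue                                           # corrupt or non-zlib data: skip, do not crash
            for kw, n in _count_in(inflated).items():
                counts[kw] += n
    return counts


def build_sample_pdf():
    """Constructed sample: the catalog (obj 4) and a JavaScript action (obj 5) live inside object stream 3."""
    obj4 = b"<< /Type /Catalog /Pages 1 0 R /OpenAction 5 0 R >>"
    obj5 = b"<< /S /JavaScript /#4A#53 (app.alert('hi')) >>"      # /#4A#53 is /JS, hex-escaped
    header = b"4 0 5 %d\n" % (len(obj4) + 1)                     # "objnum offset" pairs, as /ObjStm requires
    packed = zlib.compress(header + obj4 + b"\n" + obj5)
    head = (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /Pages /Kids [2 0 R] /Count 1 >>\nendobj\n"
            b"2 0 obj\n<< /Type /Page /Parent 1 0 R /MediaBox [0 0 612 792] >>\nendobj\n")
    objstm = (b"3 0 obj\n<< /Type /ObjStm /N 2 /First %d /Length %d /Filter /FlateDecode >>\nstream\n"
              % (len(header), len(packed)))
    tail = b"\nendstream\nendobj\ntrailer\n<< /Root 4 0 R >>\n%%EOF\n"
    return head + objstm + packed + tail


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for label, c in (("raw", count_keywords(data)), ("object streams inflated", count_keywords(data, True))):
        print(label + ":", {k: v for k, v in c.items() if v})
```

On the constructed sample the raw pass reports one /ObjStm and nothing else of interest, exactly the "nothing special to see" situation in the post; the second pass surfaces /OpenAction, /JavaScript and /JS. On a real file, do the second pass before concluding a PDF is clean.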
Videos: Analyzing an Office Maldoc with a VBA Emulator
We produced two videos for our blog post Analyzing an Office Maldoc with a VBA Emulator. The first video shows ViperMonkey in action: https://www.youtube.com/watch?v=jAUg2nrt4Fw The second video shows how to extract the EXE: https://www.youtube.com/watch?v=n5oRMmSdCr8
Analyzing an Office Maldoc with a VBA Emulator
Today we were informed of another maldoc sample. After a quick look, we were convinced that this sample would be a good candidate for Philippe Lagadec's VBA emulator ViperMonkey. The maldoc in a nutshell: when the spreadsheet is opened, the VBA code builds a long JScript script and then executes it. This script contains base64 code for … Continue reading Analyzing an Office Maldoc with a VBA Emulator
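Once the emulator has produced the JScript the VBA builds, the remaining step is to recover the executable from its base64. The following Python is an added example for this page, not code from the post or from ViperMonkey; it assumes the payload is split across concatenated string literals (a common way such scripts are built) and is not tied to the sample's actual layout. It reassembles the literals statement by statement, decodes any candidate that is valid base64, and keeps only what decodes to something with an MZ header pointing at a PE signature. The script it parses is constructed inline, and the "dropped executable" is a header-only stand-in, not a runnable program.

```python
import base64
import binascii
import re
import struct

_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')     # one double-quoted JScript string literal
_B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_like_pe(blob):
    """MZ header whose e_lfanew field points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def extract_embedded_pe(script, min_len=64):
    """Reassemble concatenated literals per statement, base64-decode, return the blobs that are PE files."""
    found = []
    for statement in script.split(";"):
        joined = "".join(_STRING_RE.findall(statement))
        if len(joined) < min_len or not _B64_RE.fullmatch(joined):
            continue                                  # too short, or not pure base64 (paths, prog ids, ...)
        try:
            blob = base64.b64decode(joined, validate=True)
        except (binascii.Error, ValueError):
            continue
        if looks_like_pe(blob):
            found.append(blob)
    return found


def fake_dropped_exe():
    """Constructed stand-in for the dropped EXE: valid MZ/PE signatures over filler, not a runnable program."""
    hdr = bytearray(b"MZ".ljust(0x40, b"\0"))
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\0\0" + b"\0" * 60


def build_sample_script():
    """Constructed JScript in the shape the post describes: the payload's base64 split over concatenated literals."""
    b64 = base64.b64encode(fake_dropped_exe()).decode()
    chunks = " + ".join('"%s"' % b64[i:i + 24] for i in range(0, len(b64), 24))
    return ('var shell = new ActiveXObject("WScript.Shell");\n'
            'var payload = ' + chunks + ';\n'
            'var target = shell.ExpandEnvironmentStrings("%TEMP%") + "\\\\dropped.exe";\n')


if __name__ == "__main__":
    import sys
    script = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else build_sample_script()
    for i, blob in enumerate(extract_embedded_pe(script)):
        with open("carved_%d.bin" % i, "wb") as f:
            f.write(blob)
        print("carved_%d.bin: %d bytes" % (i, len(blob)))
```

The PE check is what separates the payload from the other strings in the script: the ProgID and the target path are string literals too, but they neither pass the base64 filter nor decode to an MZ/PE pair. Write the carved file out with a non-executable extension, as the block does, so nothing is accidentally launched on the analysis host.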
