This blogpost will be a bit different, as it's going to tell a bit of a story... In this blogpost I want to achieve 2 objectives: address a question I keep hearing and seeing pop up in my DM every now and then, "how do I become a red teamer/ how do I become a … Continue reading I Solemnly Swear I Am Up To No Good. Introducing the Marauders Map
In July 2020, NVISO detected a set of malicious Excel documents, also known as “maldocs”, that deliver malware through VBA-activated spreadsheets. While the malicious VBA code and the dropped payloads were something we had seen before, it was the specific way in which the Excel documents themselves were created that caught our attention. The creators … Continue reading Epic Manchego – atypical maldoc delivery brings flurry of infostealers
TL;DR Macro code in Office documents can be digitally signed, and Office can be configured to restrict macro execution to digitally signed documents. We found a method to alter digitally signed VBA projects to execute our own, arbitrary code under the right conditions, without invalidating the digital signature. When we recommend clients to harden their … Continue reading Tampering with Digitally Signed VBA Projects
TL;DR We have found malicious Office documents containing VBA source code only, and no compiled code. Documents like these are more likely to evade anti-virus detection due to a technique we dubbed "VBA Purging". VBA Purging techniqueMalicious MS Office documents leveraging VBA, have their VBA code stored inside streams of Compound File Binary Format files. … Continue reading Evidence of VBA Purging Found in Malicious Documents
Introduction This week, we received a suspicious spreadsheet which was used as a malware dropper in a phishing campaign. The spreadsheet writes a DLL file to disk and subsequently executes it. In this blog post, we perform the full analysis of the suspicious spreadsheet. Analyzing the document The analysis of this Excel file starts with … Continue reading Analyzing a Malicious Spreadsheet Dropping a DLL
Since about a week, we are seeing an increase of SYLK files submitted to VirusTotal. A SYLK file (SYmbolic LinK) is a pure text file format used to store Excel spreadsheets with extension .slk. Although SYLK files can't contain VBA macros, they can still contain executable code, for example DDE commands or MS Excel 4.0 … Continue reading Malicious SYLK Files with MS Excel 4.0 Macros
A while ago, a new technique was developed to execute arbitrary code via a Word document: an online video is embedded and the HTML code for the embedded video is modified with JavaScript that launches a Windows executable. This technique does not rely on VBA macros and requires the use of the .docx format (for … Continue reading Detecting and Analyzing Microsoft Office Online Video
There are many ways to analyze malware. In this blog post, we illustrate a typical analysis method: comparing an unknown sample with a known sample, to determine if the unknown sample is malicious or not. During one of our engagements, we came across a PDF document that triggered our anti-virus. What intrigued us, was that … Continue reading Differential Malware Analysis: An Example
A variation of a class of malicious PDFs appeared in the wild. In this blog post, we will show you how to protect your systems and how to analyze these PDFs. The PDFs embed a file type with extension .SettingContent-ms that can be used on Windows 10 to execute arbitrary code. We have observed on … Continue reading Shortcomings of blacklisting in Adobe Reader and what you can do about it
In May 2018, when ESET published a blog post covering PDFs with 2 zero days, our interest was immediately piqued. Promptly after our analysis of these PDFs, we send out an early warning to our customers. Now that Microsoft published a blog post with the detailed analysis of the zero days, we find it appropriate … Continue reading Extracting a Windows Zero-Day from an Adobe Reader Zero-Day PDF
