We received a malicious office document (529581c1418fceda983336b002297a8e) that tricks the user into clicking on an embedded LNK file which in its turn uses the Microsoft Background Intelligent Transfer Service (BITS) to download a malicious binary from the internet. The following Word document (in Japanese) claims to be an invoice, the user must click the Word icon to generate … Continue reading .LNK downloader and bitsadmin.exe in malicious Office document →

Today we were informed of another maldoc sample. After a quick look, we were convinced that this sample would be a good candidate for Philippe Lagadec's VBA emulator ViperMonkey. The maldoc in a nutshell: when the spreadsheet is opened, the VBA code builds a long JScript script and then executes it. This script contains base64 code for … Continue reading Analyzing an Office Maldoc with a VBA Emulator →

In this blog post I want to show how a malicious document (maldoc) behaves and how it can be analyzed with free tools. A couple of weeks ago many users in Belgium received an e-mail, supposedly from a courier company, informing them that a package was waiting for them (article in Dutch). This is an example … Continue reading Malicious Document Targets Belgian Users →