Evidence of VBA Purging Found in Malicious Documents

TL;DR We have found malicious Office documents containing VBA source code only, and no compiled code. Documents like these are more likely to evade anti-virus detection due to a technique we dubbed "VBA Purging". VBA Purging techniqueMalicious MS Office documents leveraging VBA, have their VBA code stored inside streams of Compound File Binary Format files. … Continue reading Evidence of VBA Purging Found in Malicious Documents

Analyzing a Malicious Spreadsheet Dropping a DLL

Introduction This week, we received a suspicious spreadsheet which was used as a malware dropper in a phishing campaign. The spreadsheet writes a DLL file to disk and subsequently executes it. In this blog post, we perform the full analysis of the suspicious spreadsheet. Analyzing the document The analysis of this Excel file starts with … Continue reading Analyzing a Malicious Spreadsheet Dropping a DLL

Malicious SYLK Files with MS Excel 4.0 Macros

Since about a week, we are seeing an increase of SYLK files submitted to VirusTotal. A SYLK file (SYmbolic LinK) is a pure text file format used to store Excel spreadsheets with extension .slk. Although SYLK files can't contain VBA macros, they can still contain executable code, for example DDE commands or MS Excel 4.0 … Continue reading Malicious SYLK Files with MS Excel 4.0 Macros

Differential Malware Analysis: An Example

There are many ways to analyze malware. In this blog post, we illustrate a typical analysis method: comparing an unknown sample with a known sample, to determine if the unknown sample is malicious or not. During one of our engagements, we came across a PDF document that triggered our anti-virus. What intrigued us, was that … Continue reading Differential Malware Analysis: An Example

PowerShell Inside a Certificate? – Part 3

In the first part of this series, we explained the internal structure of certificates and how this knowledge can help us detect fake certificates. In this part, we will provide different rules that you can use in your organization to detect these certificates. YARA This is the YARA rule that started this research: This YARA … Continue reading PowerShell Inside a Certificate? – Part 3

PowerShell Inside a Certificate? – Part 2

In our previous blogpost, we developed a method to detect certificate files that do not contain a real certificate. Trojanized certificates like these are often not detected by AV and IDS. Although we found all kinds of payloads, fake certificates containing a Windows executable appear to be the most common. In this post we will … Continue reading PowerShell Inside a Certificate? – Part 2

PowerShell Inside a Certificate? – Part 1

With the help of a specifically crafted YARA rule developed by NVISO analysts, we found multiple certificate files (.crt) that do not contain a certificate, but instead a malicious PowerShell script. In this blog post, we explain how we crafted this YARA rule. Certificates Certificate files in Windows can have different extensions, like .cer and … Continue reading PowerShell Inside a Certificate? – Part 1