Analysis of a CVE-2017-0199 Malicious RTF Document

There is a new exploit (CVE-2017-0199) going around for which a patch was released by Microsoft on 11/04/2017. In this post, we analyze an RTF document exploiting this vulnerability and provide a YARA rule for detection. is a Python tool to analyze RTF documents. Running it on our sample produces a list with¬†all “entities” […]

Tracking threat actors through .LNK files

In the blog post¬†.LNK downloader and bitsadmin.exe in malicious Office document¬†we were asked the following question by Harlan Carvey: Did you parse the LNK file for things such as embedded MAC address, NetBIOS system name, any SID, and volume serial number? We did not do that at the time, however we see the value in […]

New Hancitor maldocs keep on coming…

Didier Stevens will provide NVISO training on malicious documents at Brucon Spring:¬†Malicious Documents for Blue and Red Teams. For more than half a year now we see malicious Office documents delivering Hancitor malware via a combination of VBA, shellcode and embedded executable. The VBA code decodes and executes the shellcode, the shellcode hunts for the […]

.LNK downloader and bitsadmin.exe in malicious Office document

We received a malicious office document (529581c1418fceda983336b002297a8e) that tricks the user into clicking on an embedded LNK¬†file which in its turn uses the¬†Microsoft Background Intelligent Transfer Service (BITS)¬†to download a malicious binary from the internet. The following Word document (in Japanese) claims to be an invoice, the user must click the Word icon to generate […]

Working with GFI Cloud anti-virus quarantine files

We were recently requested¬†to analyse a sample that was¬†quarantined by GFI Cloud anti-virus. Based on our previous experiences with various anti-virus products we wanted to obtain the sample directly from the quarantine rather than restoring it first. Anti-virus products use quarantine files to safely store files that were detected as being malicious and thus are […]

Analyzing an Office Maldoc with a VBA Emulator

Today we were¬†informed of another maldoc sample. After a quick look, we were¬†convinced that this sample would be a good candidate for Philippe Lagadec’s VBA emulator ViperMonkey. The maldoc in a nutshell: when the spreadsheet is opened, the VBA code builds a long JScript script and then executes it. This script contains base64 code for […]