Handler on Duty: Xavier Mertens
Threat Level: green
Didier Stevens Diaries
- Extracting Files Embedded Inside Word Documents
- Quickie: Mass BASE64 Decoding
- Quick & Dirty Obfuscated JavaScript Analysis
- Decrypting a PDF With a User Password
- Wireshark 4.4.2 Released
- Increase In Phishing SVG Attachments
- PDF Object Streams
- zipdump & PKZIP Records
- zipdump & Evasive ZIP Concatenation
- SANS Holiday Hack Challenge 2024
- Analyzing an Encrypted Phishing PDF
- qpdf: Extracting PDF Streams
- Wireshark 4.4.1 Released
- YARA-X's Dump Command
- YARA 4.5.2 Release
- Wireshark 4.4's IP Address Functions
- Password Cracking & Energy: More Dedails
- Python & Notepad++
- Protected OOXML Text Documents
- Wireshark 4.4: Converting Display Filters to BPF Capture Filters
- Wireshark 4.4.0 is now available
- Wireshark 4.4.0rc1's Custom Columns
- OOXML Spreadsheets Protected By Verifier Hashes
- CrowdStrike Outage Themed Maldoc
- Quickie: Password Cracking & Energy
- Create Your Own BSOD: NotMyFault
- Protected OOXML Spreadsheets
- Wireshark 4.2.6 Released
- 16-bit Hash Collisions in .xls Spreadsheets
- Sysinternals' Process Monitor Version 4 Released
- Handling BOM MIME Files
- Overview of My Tools That Handle JSON Data
- A Wireshark Lua Dissector for Fixed Field Length Protocols
- YARA 4.5.1 Release
- csvkit
- Analyzing MSG Files
- Wireshark 4.2.5 Released
- Another PDF Streams Example: Extracting JPEGs
- DNS Suffixes on Windows
- Analyzing PDF Streams
- nslookup's Debug Options
- Checking CSV Files
- Wireshark 4.2.4 Released
- 1768.py's Experimental Mode
- Obfuscated Hexadecimal Payload
- Update: MGLNDD_* Scans
- YARA 4.5.0 Release
- Wireshark 4.2.3 Released
- IPv4-mapped IPv6 Address Used For Obfuscation
- Cobalt Strike's "Runtime Configuration"
- OVA Files
- Wireshark 4.2.0 Released
- Quick Tip For Artificially Inflated PE Files
- base64dump.py Handles More Encodings Than Just BASE64
- ZIP's DOSTIME & DOSDATE Formats
- Wireshark 4.2.0 First Release Candidate
- Binary IPv6 Addresses
- Friendly Reminder: ZIP Metadata is Not Encrypted
- Analyzing MIME Files: a Quick Tip
- IPv4 Addresses in Little Endian Decimal Format
- YARA Support for .LNK Files
- Quickie: Generating a YARA Rule to Detect Obfuscated Strings
- Creating a YARA Rule to Detect Obfuscated Strings
- Analysis of a Defective Phishing PDF
- Analysis of RAR Exploit Files (CVE-2023-38831)
- PDFiD: False Positives Revisited
- YARA Error Codes
- Brute-Force ZIP Password Cracking with zipdump.py: FP Fix
- Wireshark 4.0.7 Released
- Analysis Method for Custom Encoding
- Brute-Force ZIP Password Cracking with zipdump.py
- Deobfuscating a VBS Script With Custom Encoding
- Analyzing Office Documents Embedded Inside PPT (PowerPoint) Files
- Wireshark 4.0.6 Released
- Another Malicious HTA File Analysis - Part 3
- Quickly Finding Encoded Payloads in Office Documents
- VBA Project References
- Deobfuscating Scripts: When Encodings Help
- Wireshark 4.0.5 Released
- YARA v4.3.1 Release
- Another Malicious HTA File Analysis - Part 2
- Chrome's Download Tab: Dangerous Files
- Update: oledump & MSI Files
- YARA v4.3.0 Release
- Extracting Multiple Streams From OLE Files
- Another Malicious HTA File Analysis - Part 1
- Extra: "String Obfuscation: Character Pair Reversal"
- CyberChef Version 10 Released
- Windows 11 Snipping Tool Privacy Bug: Inspecting PNG Files
- String Obfuscation: Character Pair Reversal
- YARA: Detect The Unexpected ...
- oledump & MSI Files
- Crypto Inside a Browser
- OneNote Suricata Rules
- "Unsupported 16-bit Application" or HTML?
- Video: Analyzing Malicious OneNote Documents
- Sysinternals Updates: RDCMan v2.92, Sysmon v14.14, and ZoomIt v6.12
- Detecting (Malicious) OneNote Files
- Wireshark 4.0.3 Released
- YARA v4.3.0-rc1 --skip-larger
- YARA v4.3.0-rc1 --print-xor-key
- CyberChef & Entropy
- Quickie: CyberChef Sorting By String Length
- Open Now: 2022 SANS Holiday Hack Challenge & KringleCon
- VLC's Check For Updates: No Updates?
- Finger.exe LOLBin
- Extracting Information From "logfmt" Files With CyberChef
- Update: IPv4 Address Representations
- IPv4 Address Representations
- Sysinternals Updates: Process Explorer v17.0, Handle v5.0, Process Monitor v3.92 and Sysmon v14.11
- Quickie: CyberChef & Microsoft Script Decoding
- Video: PNG Analysis
- rtfdump's Find Option
- Video: Analysis of a Malicious HTML File (QBot)
- Analysis of a Malicious HTML File (QBot)
- Wireshark: Specifying a Protocol Stack Layer in Display Filters
- Curl's resolve Option
- Wireshark 4.0.0 Released
- Sysmon v14.1 Release
- PNG Analysis
- Downloading Samples From Takendown Domains
- Maldoc Analysis Info On MalwareBazaar
- Video: Grep & Tail -f With Notepad++
- Video: Analyzing Obfuscated VBS with CyberChef
- Word Maldoc With CustomXML and Renamed VBAProject.bin
- Wireshark 3.6.8 and 4.0.0rc1 Released
- Maldoc With Decoy BASE64
- Analyzing Obfuscated VBS with CyberChef
- Analysis of an Encoded Cobalt Strike Beacon
- Quickie: Grep & Tail -f With Notepad++
- Video: VBA Maldoc & UTF7 (APT-C-35)
- Video: James Webb JPEG With Malware
- James Webb JPEG With Malware
- Update: VBA Maldoc & UTF7 (APT-C-35)
- Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
- Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01
- YARA 4.2.3 Released
- VBA Maldoc & UTF7 (APT-C-35)
- Wireshark 3.6.7 Released
- Video: Maldoc: non-ASCII VBA Identifiers
- Maldoc: non-ASCII VBA Identifiers
- Adding Your Own Keywords To My PDF Tools
- Python: Files In Use By Another Process
- 7-Zip Editing & MoW
- 7-Zip & MoW: "For Office files"
- 7-Zip & MoW
- YARA 4.2.2 Released
- My Paste Command
- More Decoding Analysis
- Video: Decoding Obfuscated BASE64 Statistically
- Wireshark 3.6.6 Released
- Decoding Obfuscated BASE64 Statistically
- Quickie: Follina, RTF & Explorer Preview Pane
- "ms-msdt" RTF Maldoc Analysis: oledump Plugins
- Analysis Of An "ms-msdt" RTF Maldoc
- Extracting The Overlay Of A PE File
- Huge Signed PE File: Keeping The Signature
- Huge Signed PE File
- Wireshark 3.6.5 Released
- Quick Analysis Of Phishing MSG
- Detecting VSTO Office Files With ExifTool
- YARA 4.2.1 Released
- Analyzing a Phishing Word Document
- Sysmon's RegistryEvent (Value Set)
- Video: Office Protects You From Malicious ISO Files
- Office Protects You From Malicious ISO Files
- Video: Method For String Extraction Filtering
- Method For String Extraction Filtering
- jo
- curl 7.82.0 Adds --json Option
- Quickie: Parsing XLSB Documents
- Video: Maldoc Cleaned by Anti-Virus
- Wireshark 3.6.3 Released
- Maldoc Cleaned by Anti-Virus
- MGLNDD_* Scans
- SolarWinds Advisory: Unauthenticated Access in Web Help Desk (12.7.5)
- Curl on Windows
- YARA 4.2.0 Released
- ICMP Messages: Original Datagram Field
- Video: TShark & Multiple IP Addresses
- oledump's Extra Option
- TShark & Multiple IP Addresses
- Video: Quick & Dirty Shellcode Analysis - CVE-2017-11882
- Windows, Fixed IPv4 Addresses and APIPA
- Sending an Email to an IPv4 Address?
- Video: YARA's Console Module
- Wireshark 3.6.2 Released
- Power over Ethernet and Thermal Imaging
- YARA's Console Module
- Extracting Cobalt Strike Beacons from MSBuild Scripts
- TShark & jq
- Expect Regressions
- Quicktip: TShark's Options -e and -T
- TShark Tip: Extracting Field Values From Capture Files
- Office 2021: VBA Project Version
- Wireshark 3.6.0 Released
- Video: YARA Rules for Office Maldocs
- Video: SANS Holiday Hack Challenge 2021 Q&A with Ed Skoudis
- YARA's Private Strings
- YARA Rule for OOXML Maldocs: Less False Positives
- Simple YARA Rules for Office Maldocs
- Backdooring PAM
- External Email System FBI Compromised: Sending Out Fake Warnings
- Video: Obfuscated Maldoc: Reversed BASE64
- Obfuscated Maldoc: Reversed BASE64
- Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
- Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
- Video: Phishing ZIP With Malformed Filename
- Sysinternals: Autoruns and Sysmon updates
- Decrypting Cobalt Strike Traffic With a "Leaked" Private Key
- Phishing ZIP With Malformed Filename
- Reader Malware: ZIP/HTML Phish
- YARA Release v4.1.3
- Wireshark 3.4.9 Released
- Video: CVE-2021-40444 Maldocs: Extracting URLs
- Video: Strings Analysis: VBA & Excel4 Maldoc
- Strings Analysis: VBA & Excel4 Maldoc
- An XML-Obfuscated Office Document (CVE-2021-40444)
- Video: Simple Analysis Of A CVE-2021-40444 .docx Document
- Simple Analysis Of A CVE-2021-40444 .docx Document
- .docx With Embedded EXE
- New Versions Of Sysinternals Tools
- Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches
- Simple Tips For Triage Of MALWARE Bazaar's Daily Malware Batches
- MALWARE Bazaar "Download daily malware batches"
- Changing BAT Files On The Fly
- procdump Version 10.1
- Failed Malspam: Recovering The Password
- Wireshark 3.4.7 Released
- Video: CyberChef BASE85 Decoding
- BASE85 Decoding With base64dump.py
- DIY CD/DVD Destruction - Follow Up
- Finding Strings With oledump.py
- CFBF Files Strings Analysis
- DIY CD/DVD Destruction
- Video: oledump Cheat Sheet
- Video: Cobalt Strike & DNS - Part 1
- Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update
- YARA Release v4.1.1
- Video: Making Sense Of Encrypted Cobalt Strike Traffic
- PuTTY And FileZilla Use The Same Fingerprint Registry Keys
- YARA Release v4.1.0
- CAD: .DGN and .MVBA Files
- Sysinternals: Procmon and Sysmon update
- Wireshark 3.4.5 Released
- Decoding Cobalt Strike Traffic
- Example of Cleartext Cobalt Strike Traffic (Thanks Brad)
- YARA and CyberChef: ZIP
- Video: YARA and CyberChef
- TCPView v4.0 Released
- Nim Strings
- Video: Finding Metasploit & Cobalt Strike URLs
- YARA Pre-release v4.1.0
- Finding Metasploit & Cobalt Strike URLs
- Wireshark 3.4.4 Released
- YARA and CyberChef
- PCAPs and Beacons
- Maldocs: Protection Passwords
- Unprotecting Malicious Documents For Inspection
- DDE and oledump
- Quickie: Extracting HTTP URLs With tshark
- Video: tshark & Malware Analysis
- Quickie: tshark & Malware Analysis
- YARA v4.0.5
- Wireshark 3.4.3 Released
- YARA v4.0.4
- Video: Doc & RTF Malicious Document
- CyberChef: Analyzing OOXML Files for URLs
- Doc & RTF Malicious Document
- New Release of Sysmon Adding Detection for Process Tampering
- Maldoc Analysis With CyberChef
- Maldoc Strings Analysis
- Strings 2021
- Quickie: Bit Shifting With translate.py
- base64dump.py Supported Encodings
- Quickie: String Analysis & Maldocs
- Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
- Wireshark 3.4.2 Released
- Analyzing FireEye Maldocs
- KringleCon 2020
- Wireshark 3.4.1 Released
- Office 95 Excel 4 Macros
- Corrupt BASE64 Strings: Detection and Decoding
- oledump's Indicators (video)
- Decrypting PowerShell Payloads (video)
- Quick Tip: Using JARM With a SOCKS Proxy
- Quick Tip: Cobalt Strike Beacon Analysis
- Quick Tip: Extracting all VBA Code from a Maldoc - JSON Format
- oledump's ! Indicator
- Quick Tip: Extracting all VBA Code from a Maldoc
- AV Cleaned Maldoc
- Wireshark 3.2.8 and 3.4.0 Released
- More File Selection Gaffes
- Excel 4 Macros: "Abnormal Sheet Visibility"
- Video: Pascal Strings
- File Selection Gaffe
- Nested .MSGs: Turtles All The Way Down
- Analyzing MSG Files With plugin_msg_summary
- Open Packaging Conventions
- Obfuscation and Repetition
- Nmap 7.90 Released
- Decoding Corrupt BASE64 Strings
- Wireshark 3.2.7 Released
- Office Documents with Embedded Objects
- Office: About OLE and ZIP Files
- Finding The Original Maldoc
- Malicious Excel Sheet with a NULL VT Score: More Info
- Small Challenge: A Simple Word Maldoc - Part 4
- Small Challenge: A Simple Word Maldoc - Part 3
- Wireshark 3.2.6 Released
- Small Challenge: A Simple Word Maldoc - Part 2
- Small Challenge: A Simple Word Maldoc
- Analyzing Metasploit ASP .NET Payloads
- Cracking Maldoc VBA Project Passwords
- ndisasm Update 2.15
- Zone.Identifier: A Couple Of Observations
- VBA Project Passwords
- Maldoc: VBA Purging Example
- CVE-2020-5902: F5 BIG-IP RCE Vulnerability
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt
- Wireshark 3.2.5 Released
- Sysmon and Alternate Data Streams
- Video: YARA's BASE64 Strings
- Comparing Office Documents with WinMerge
- ISC Handler Series: SANS@MIC - Maldocs: a bit of blue, a bit of red
- YARA's BASE64 Strings
- Translating BASE64 Obfuscated Scripts
- XLMMacroDeobfuscator: An Update
- YARA v4.0.1
- Zloader Maldoc Analysis With xlm-deobfuscator
- Wireshark 3.2.4 Released
- Some Strings to Remember
- Antivirus & Multiple Detections
- Excel 4 Macro Analysis: XLMMacroDeobfuscator
- YARA v4.0.0: BASE64 Strings
- Sysmon and File Deletion
- ZIP & AES
- Video: Malformed .docm File
- MALWARE Bazaar
- KPOT AutoIt Script: Analysis
- KPOT Analysis: Obtaining the Decrypted KPOT EXE
- Reader Analysis: "Dynamic analysis technique to get decrypted KPOT Malware."
- Wireshark 3.2.3 Released: Mac Users Pay Attention Please
- Password Protected Malicious Excel Files
- New Bypass Technique or Corrupt Word Document?
- Obfuscated Excel 4 Macros
- Covid19 Domain Classifier
- Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability
- KPOT Deployed via AutoIt Script
- More COVID-19 Themed Malware
- Phishing PDF With Incremental Updates.
- Malicious Spreadsheet With Data Connection and Excel 4 Macros
- Excel Maldocs: Hidden Sheets
- Wireshark 3.2.2 Released: Windows' Users Pay Attention Please
- Maldoc: Excel 4 Macros and VBA, Devil and Angel?
- Maldoc: Excel 4 Macros in OOXML Format
- curl and SSPI
- bsdtar on Windows 10
- Video: Stego & Cryptominers
- Wireshark 3.2.1 Released
- Citrix ADC Exploits: Overview of Observed Payloads
- etl2pcapng: Convert .etl Capture Files To .pcapng Format
- KringleCon 2019
- "Nim httpclient/1.0.4"
- Corrupt Office Documents
- New oledump.py plugin: plugin_version_vba
- Extracting VBA Macros From .DWG Files
- Wireshark 3.2.0 Released
- Malicious .DWG Files?
- VirusTotal Email Submissions
- (Lazy) Sunday Maldoc Analysis: A Bit More ...
- (Lazy) Sunday Maldoc Analysis
- Wireshark 3.0.7 Released
- You Too? "Unusual Activity with Double Base64 Encoding"
- Remark on EML Attachments
- Tip: Password Managers and 2FA
- Using scdbg to Find Shellcode
- Wireshark 3.0.6 Released
- YARA's XOR Modifier
- YARA v3.11.0 released
- Maldoc, PowerShell & BITS
- Encrypted Maldoc, Wrong Password
- YARA XOR Strings: an Update
- Video: Encrypted Sextortion PDFs
- Wireshark 3.0.5 Release: Potential Windows Crash when Updating
- Encrypted Sextortion PDFs
- Compressed ISO Files (ISZ)
- Video: Analyzing DAA Files
- The DAA File Format
- Analysis of a Spearphishing Maldoc
- Malicious .DAA Attachments
- Nmap Defcon Release: 7.80
- Detecting ZLIB Compression
- Recognizing ZLIB Compression
- Video: Analyzing Compressed PowerShell Scripts
- A Python TCP proxy
- Analyzing Compressed PowerShell Scripts
- Malicious RTF Analysis CVE-2017-11882 by a Reader
- isodump.py and Malicious ISO Files
- Machine Code? No!
- Malicious XSL Files
- Machine Code?
- A "Stream O" Maldoc
- Maldoc: Payloads in User Forms
- Sysmon Version 10: DNS Logging
- Tip: Sysmon Will Log DNS Queries
- Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As
- Retrieving Second Stage Payload with Ncat
- Analyzing First Stage Shellcode
- Office Document & BASE64? PowerShell!
- nmap Service Fingerprint
- Video: nmap Service Detection Customization
- Do You Remember the SUBST Command?
- Text and T
e x t - VBA Office Document: Which Version?
- Quick Tip for Dissecting CVE-2017-11882 Exploits
- Malicious VBA Office Document Without Source Code
- .rar Files and ACE Exploit CVE-2018-20250
- Analyzing UDF Files with Python
- Analysis of PDFs Created with OpenOffice/LibreOffice
- Maldoc Analysis of the Weekend by a Reader
- "404" is not Malware
- "VelvetSweatshop" Maldocs: Shellcode Analysis
- Decoding QR Codes with Python
- "VelvetSweatshop" Maldocs
- Wireshark 3.0.0 and Npcap: Some Remarks
- Video: Maldoc Analysis: Excel 4.0 Macro
- Maldoc: Excel 4.0 Macros
- Tip: Ghidra & ZIP Files
- Wireshark 3.0.0 and Npcap
- Quick and Dirty Malicious HTA Analysis
- Malicious HTA Analysis by a Reader
- Maldoc Analysis by a Reader
- Sextortion Email Variant: With QR Code
- Identifying Files: Failure Happens
- Know What You Are Logging
- Video: Finding Property Values in Office Documents
- Finding Property Values in Office Documents
- Have You Seen an Email Virus Recently?
- Video: Maldoc Analysis of the Weekend
- Maldoc Analysis of the Weekend
- Video: Analyzing a Simple HTML Phishing Attachment
- Video: Analyzing Encrypted Malicious Office Documents
- Suspicious GET Request: Do You Know What This Is?
- Quick Maldoc Analysis
- Analyzing Encrypted Malicious Office Documents
- Malicious .tar Attachments
- A Malicious JPEG? Second Example
- A Malicious JPEG?
- Maldoc with Nonfunctional Shellcode
- Make a Wheel in 2019!
- Software Crashes: A New Year's Resolution
- Video: De-DOSfuscation Example
- Matryoshka Phish
- Bitcoin "Blocklists"
- KringleCon 2018
- Password Protected ZIP with Maldoc
- De-DOSfuscation Example
- Yet Another DOSfuscation Sample
- Quickie: String Analysis is Still Useful
- Reader Malware Submission: MHT File Inside a ZIP File
- Word maldoc: yet another place to hide a command
- Video: Dissecting a CVE-2017-11882 Exploit
- Wireshark update 2.6.5 available
- Video: CyberChef: BASE64/XOR Recipe
- Dissecting a CVE-2017-11882 Exploit
- TriJklcj2HIUCheDES decryption failed?
- Windows Defender's Sandbox
- Maldoc Duplicating PowerShell Prior to Use
- Detecting Compressed RTF
- MSG Files: Compressed RTF
- CyberChef: BASE64/XOR Recipe
- Maldoc: Once More It's XOR
- YARA XOR Strings: Some Remarks
- YARA: XOR Strings
- Developing YARA Rules: a Practical Example
- Decoding Custom Substitution Encodings with translate.py
- When DOSfuscation Helps...
- Analyzing Encoded Shellcode with scdbg
- Suspicious DNS Requests ... Issued by a Firewall
- 20/20 malware vision
- User Agent String "$ua.tools.random()" ? :-) !
- "What is dikona or glirote3?"
- Video: Using scdbg to analyze shellcode
- Another quickie: Using scdbg to analyze shellcode
- "When was this machine infected?"
- Identifying numeric obfuscation
- Microsoft Publisher malware: static analysis
- OpenSSH user enumeration (CVE-2018-15473)
- Video: Peeking into msg files - revisited
- New Extortion Tricks: Now Including Your (Partial) Phone Number!
- A URL shortener handy for phishers
- Peeking into msg files - revisited
- Numeric obfuscation: another example
- Video: Maldoc analysis with standard Linux tools
- Dealing with numeric obfuscation in malicious scripts
- Malicious Word documents using DOSfuscation
- Analyzing MSG files
- Maldoc analysis with standard Linux tools
- BTC pickpockets are back
- Extracting BTC addresses from emails
- Video: Retrieving and processing JSON data (BTC example)
- Retrieving and processing JSON data (BTC example)
- dd progress indicator on OSX
- dd progress indicator on Linux
- XPS Metadata
- Progress indication for scripts on Windows
- Video: Analyzing XPS Files
- XPS samples
- Analyzing XPS files
- Guilty by association
- Encrypted Office Documents
- Quick analysis of malware created with NSIS
- DASAN GPON home routers exploits in-the-wild
- New IE 0-day in the wild
- A malicious word document with a VBA form - video
- A malicious word document with a VBA form
- Metasploit's Payload UUID
- Phishing PDFs with multiple links - Detection
- Phishing PDFs with multiple links - Animated GIF
- Phishing PDFs with multiple links
- "Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence."
- Wireshark and USB
- Retrieving malware over Tor on Windows
- Analyzing MSI files
- Finding VBA signatures in .docm files
- Analyzing compressed shellcode
- Finding VBA signatures in Word documents
- An autograph from the Dridex gang
- Analyzing an HTA file: Update
- Analyzing an HTA file
- Comment your Packet Captures - Extra!
- Is this a pentest?
- HTTPS on every port?
- Retrieving malware over Tor
- An RTF phish
- Decrypting malicious PDFs with the key
- Peeking into Excel files
- PDF documents & URLs: video
- What is new?
- Analyzing TNEF files
- Dealing with obfuscated RTF files
- PDF documents & URLs: update
- Encrypted PDFs
- Phish or scam? - Part 2
- Phish or scam? - Part 1
- Sometimes it's a dud
- BTC Pickpockets
- Metasploit's Maldoc
- Extracting the text from PDF documents
- PDF documents & URLs
- PE files and debug info
- Remember ACE files?
- It's in the signature.
- Peeking into .msg files
- A strange JPEG file
- It is a resume - Part 3
- Analyzing JPEG files
- Malware analysis output sanitization
- It is a resume - Part 2
- It is a resume - Part 1
- Malware analysis: searching for dots
- It's Not An Invoice ...
- Sometimes it's just SPAM
- The Good Phishing Email
- Maldoc Analysis with ViperMonkey
- Maldoc Submitted and Analyzed
- Static Analysis of Emotet Maldoc
- Another .lnk File
- Malicious .iso Attachments
- Office maldoc + .lnk
- Basic Office maldoc analysis
- Selecting domains with random names
- PE Section Name Descriptions
- Malware and XOR - Part 2
- Malware and XOR - Part 1
- Malicious Documents: A Bit Of News
- Password History: Insights Shared by a Reader
- Domain Whitelisting With Alexa and Umbrella Lists - update
- Domain Whitelisting With Alexa and Umbrella Lists
- Another example of maldoc string obfuscation, with extra bonus: UAC bypass
- CRA Maldoc Analysis
- py2exe Decompiling - Part 2
- py2exe Decompiling - Part 1
- Pinging All The Way
- Sleeping VBS Really Wants To Sleep
- Hancitor Maldoc Videos
- Extracting Shellcode From JavaScript
- Update:ZIP With Comment
- ZIP With Comment
- VBA Shellcode and Windows 10
- VBA Shellcode and EMET
- Hancitor Maldoc Bypasses Application Whitelisting
- Maldoc VBA Anti-Analysis: Video
- Analyzing Office Maldocs With Decoder.xls
- Maldoc VBA Anti-Analysis
- Radare2: rahash2
- VBA and P-code
- .PUB Analysis
- rtfdump
- rtfobj
- Malicious RTF Files
- Python Malware - Part 4
- Practice ntds.dit File
- Office Maldoc: Let's Focus on the VBA Macros Later...
- Python Malware - Part 3
- Python Malware - Part 2
- Python Malware - Part 1
- VBS + VBE
- Handling Malware Samples
- VBE: Encoded VBS Script
- Tip: Quick Analysis of Office Maldoc
- Locky: JavaScript Deobfuscation
- Obfuscated MIME Files
- Sigcheck and VirusTotal for Offline Machine
- BlackEnergy .XLS Dropper
- A Tip For The Analysis Of MIME Files
- Failure Is An Option
- Malfunctioning Malware
- Use The Privilege
- Maldoc Social Engineering Trick
- Ransomware & Entropy: Your Turn -> Solution
- Ransomware & Entropy: Your Turn
- Ransomware & Entropy
- Don't launch that file Adobe Reader!
- Test File: PDF With Embedded DOC Dropping EICAR
- PDF + maldoc1 = maldoc2
- Sigcheck and virustotal-search
- Searching Through the VirusTotal Database
- Sigcheck and VirusTotal
- Autoruns and VirusTotal
- Process Explorer and VirusTotal
- Jump List Files Are OLE Files
- Working with base64
- A .BUP File Is An OLE File
- Analyzing Quarantine Files
- The EICAR Test File
- Another Maldoc? I'm Afraid So...
- Wireshark TCP Flags: How To Install On Windows Video
- Malicious Word Document: This Time The Maldoc Is A MIME File
- A Malicious Word Document Inside a PDF Document
- Handling Special PDF Compression Methods
- Memory Forensics Of Network Devices
- The Kill Chain: Now With Pastebin
- Wireshark TCP Flags
- VMware Product Updates Address Critical Information Disclosure Issue In JRE
- SSH Fingerprints Are Important
- YARA Rules For Shellcode
- Malicious XML: Matryoshka Edition
- From PEiD To YARA
- Maldoc VBA Sandbox/Virtualization Detection
- XML: A New Vector For An Old Trick