Security

Cyber Security, IT Security, Cyber Defence

Weaponized File Formats

This is a series of articles about file formats and related security issues. In 2003 I presented an article in French on this subject at the SSTIC conference: [SSTIC03]. In the following articles I will provide an updated version in English with more information about common file formats.

How to find data hidden at the end of an OLE file

"Would it be possible to add a method to olefile that returns bytes that are appended to an OLE file? I have a sample that has encoded EXE appended."

When Didier Stevens asked me that question some time ago, I thought it would be easy, a matter of minutes. Indeed, the OLE format (aka Microsoft Compound File Binary Format) is structured and well specified in MS-CFB.

VBA Macros Pest Control - THC 2017

Presentation at the Toulouse Hacking Convention 2017 about Malicious VBA Macros: what they can do, how to analyze them, and how we can detect and block them before they hit end-users.

Articles and presentations about Cyber Security

Here is a list of all articles and presentations I have published about Cyber Security so far.

Tools to extract VBA Macro source code from MS Office Documents

This article presents several tools that can be used to extract VBA Macros source code from MS Office Documents, for malware analysis and forensics. It also provides an overview of how VBA Macros are stored.

olefile - a Python module to read/write MS OLE2 files

olefile (formerly OleFileIO_PL) is a Python package to parse, read and write Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office 97-2003 documents, vbaProject.bin in MS Office 2007+ files, Image Composer and FlashPix files, Outlook MSG files, StickyNotes, several Microscopy file formats, McAfee antivirus quarantine files, etc.

VBA Macro analysis: Beware of the Shift Key!

Many malware analysts like to use the VB Editor in MS Word or Excel to analyze malicious macros, because it provides a nice debugging environment. It is a convenient solution to run VBA code in its native context, in order to unmask heavily obfuscated macros.

oletools - python tools to analyze OLE and MS Office files

python-oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on my olefile parser. 

Using VBA Emulation to Analyze Obfuscated Macros

ViperMonkey is an experimental toolkit that I have been developing since early 2015, to parse VBA macros and emulate their execution. This article shows how it can be used to analyze obfuscated macros and extract hidden strings/IOCs.

Malware Search

This custom Google search engine helps you find malware samples containing specific strings, filenames, hashes or other IOCs. It uses the data indexed by several websites including malwr.com, hybrid-analysis.com, virustotal.com and virusshare.com.

For example, search "VB_Nam" to find malicious VBA macros, or "\objdata" to find RTF files with OLE Package objects.
