Malware Analysis

Articles and tools related to Malware Analysis. (see http://en.wikipedia.org/wiki/Malware)

Tip: how to find malware samples containing specific strings

It is sometimes useful to look for malware samples containing a specific string. For example, you might look for samples sharing similar code to analyze a malware campaign with different targets. Another use case is discovering the original version of a modified file, as described in my article "Unmasking Malfunctioning Malicious Documents".

Unmasking Malfunctioning Malicious Documents

From time to time, people report strange malicious documents which are not successfully analyzed by malware analysis tools nor by sandboxes. Let's investigate. (this is a follow-up to the post "Malfunctioning Malware" by Didier Stevens)

olevba - a tool to extract VBA Macro source code from MS Office documents (OLE and OpenXML)

olevba is a script to parse OLE and OpenXML files such as MS Office documents (e.g. Word, Excel), to detect VBA Macros, extract their source code in clear text, decode malware obfuscation (Hex/Base64/StrReverse/Dridex) and detect security-related patterns such as auto-executable macros, suspicious VBA keywords used by malware, and potential IOCs (IP addresses, URLs, executable filenames, etc). It is part of the python-oletools package.

Weaponized MS Office 97-2003 legacy/binary formats (doc, xls, ppt, ...)

This article describes the Microsoft Office 97-2003 legacy/binary file formats (doc, xls, ppt), related security issues and useful resources.

oletimes - a tool to extract creation and modification timestamps of all streams and storages in OLE files

oletimes is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract creation and modification times of all streams and storages in the OLE file. It is part of the python-oletools package.

olemeta - a tool to extract all standard properties (metadata) from OLE files such as MS Office

olemeta is a script to parse OLE files such as MS Office documents (e.g. Word, Excel), to extract all standard properties present in the OLE file. It is part of the python-oletools package.

File Scanning Frameworks for Malware Analysis and Incident Response

This article presents several new open source frameworks meant to simplify static file scanning for malware analysis and incident response: MASTIFF, Viper, IRMA and a few others. Their goal is to provide an extensible framework to integrate many existing scanning tools.

How to convert Signsrch/Clamsrch signatures to Yara

This article explains how I converted Signsrch signatures to Yara rules, in order to include them in my tool Balbuzard. Signsrch signatures are useful for malware analysis, to detect standard constants used in many encryption and compression algorithms, and also some anti-debugging code.

Balbuzard - malware analysis tools to extract patterns of interest and crack obfuscation such as XOR

Balbuzard is a package of malware analysis tools in python to extract patterns from suspicious files (IP addresses, domain names, known file headers, interesting strings, etc). It can also crack malware obfuscation such as XOR, ROL, etc by bruteforcing and checking for those patterns.

reScan - quick pattern matching in files for malware analysis

reScan is a very simple Python script to look for specific patterns (regular expressions) in binary or text files. It has been primarily developed to analyze malicious files, to quickly extract interesting patterns (shellcodes, embedded executables in malformed documents, etc). Update in 2014: it has now evolved into Balbuzard, which provides many more features.

Syndicate content