Didier Stevens Diaries

Back to Handlers

• Increase In Phishing SVG Attachments
• PDF Object Streams
• zipdump & PKZIP Records
• zipdump & Evasive ZIP Concatenation
• SANS Holiday Hack Challenge 2024
• Analyzing an Encrypted Phishing PDF
• qpdf: Extracting PDF Streams
• Wireshark 4.4.1 Released
• YARA-X's Dump Command
• YARA 4.5.2 Release
• Wireshark 4.4's IP Address Functions
• Password Cracking & Energy: More Dedails
• Python & Notepad++
• Protected OOXML Text Documents
• Wireshark 4.4: Converting Display Filters to BPF Capture Filters
• Wireshark 4.4.0 is now available
• Wireshark 4.4.0rc1's Custom Columns
• OOXML Spreadsheets Protected By Verifier Hashes
• CrowdStrike Outage Themed Maldoc
• Quickie: Password Cracking & Energy
• Create Your Own BSOD: NotMyFault
• Protected OOXML Spreadsheets
• Wireshark 4.2.6 Released
• 16-bit Hash Collisions in .xls Spreadsheets
• Sysinternals' Process Monitor Version 4 Released
• Handling BOM MIME Files
• Overview of My Tools That Handle JSON Data
• A Wireshark Lua Dissector for Fixed Field Length Protocols
• YARA 4.5.1 Release
• csvkit
• Analyzing MSG Files
• Wireshark 4.2.5 Released
• Another PDF Streams Example: Extracting JPEGs
• DNS Suffixes on Windows
• Analyzing PDF Streams
• nslookup's Debug Options
• Checking CSV Files
• Wireshark 4.2.4 Released
• 1768.py's Experimental Mode
• Obfuscated Hexadecimal Payload
• Update: MGLNDD_* Scans
• YARA 4.5.0 Release
• Wireshark 4.2.3 Released
• IPv4-mapped IPv6 Address Used For Obfuscation
• Cobalt Strike's "Runtime Configuration"
• OVA Files
• Wireshark 4.2.0 Released
• Quick Tip For Artificially Inflated PE Files
• base64dump.py Handles More Encodings Than Just BASE64
• ZIP's DOSTIME & DOSDATE Formats
• Wireshark 4.2.0 First Release Candidate
• Binary IPv6 Addresses
• Friendly Reminder: ZIP Metadata is Not Encrypted
• Analyzing MIME Files: a Quick Tip
• IPv4 Addresses in Little Endian Decimal Format
• YARA Support for .LNK Files
• Quickie: Generating a YARA Rule to Detect Obfuscated Strings
• Creating a YARA Rule to Detect Obfuscated Strings
• Analysis of a Defective Phishing PDF
• Analysis of RAR Exploit Files (CVE-2023-38831)
• PDFiD: False Positives Revisited
• YARA Error Codes
• Brute-Force ZIP Password Cracking with zipdump.py: FP Fix
• Wireshark 4.0.7 Released
• Analysis Method for Custom Encoding
• Brute-Force ZIP Password Cracking with zipdump.py
• Deobfuscating a VBS Script With Custom Encoding
• Analyzing Office Documents Embedded Inside PPT (PowerPoint) Files
• Wireshark 4.0.6 Released
• Another Malicious HTA File Analysis - Part 3
• Quickly Finding Encoded Payloads in Office Documents
• VBA Project References
• Deobfuscating Scripts: When Encodings Help
• Wireshark 4.0.5 Released
• YARA v4.3.1 Release
• Another Malicious HTA File Analysis - Part 2
• Chrome's Download Tab: Dangerous Files
• Update: oledump & MSI Files
• YARA v4.3.0 Release
• Extracting Multiple Streams From OLE Files
• Another Malicious HTA File Analysis - Part 1
• Extra: "String Obfuscation: Character Pair Reversal"
• CyberChef Version 10 Released
• Windows 11 Snipping Tool Privacy Bug: Inspecting PNG Files
• String Obfuscation: Character Pair Reversal
• YARA: Detect The Unexpected ...
• oledump & MSI Files
• Crypto Inside a Browser
• OneNote Suricata Rules
• "Unsupported 16-bit Application" or HTML?
• Video: Analyzing Malicious OneNote Documents
• Sysinternals Updates: RDCMan v2.92, Sysmon v14.14, and ZoomIt v6.12
• Detecting (Malicious) OneNote Files
• Wireshark 4.0.3 Released
• YARA v4.3.0-rc1 --skip-larger
• YARA v4.3.0-rc1 --print-xor-key
• CyberChef & Entropy
• Quickie: CyberChef Sorting By String Length
• Open Now: 2022 SANS Holiday Hack Challenge & KringleCon
• VLC's Check For Updates: No Updates?
• Finger.exe LOLBin
• Extracting Information From "logfmt" Files With CyberChef
• Update: IPv4 Address Representations
• IPv4 Address Representations
• Sysinternals Updates: Process Explorer v17.0, Handle v5.0, Process Monitor v3.92 and Sysmon v14.11
• Quickie: CyberChef & Microsoft Script Decoding
• Video: PNG Analysis
• rtfdump's Find Option
• Video: Analysis of a Malicious HTML File (QBot)
• Analysis of a Malicious HTML File (QBot)
• Wireshark: Specifying a Protocol Stack Layer in Display Filters
• Curl's resolve Option
• Wireshark 4.0.0 Released
• Sysmon v14.1 Release
• PNG Analysis
• Downloading Samples From Takendown Domains
• Maldoc Analysis Info On MalwareBazaar
• Video: Grep & Tail -f With Notepad++
• Video: Analyzing Obfuscated VBS with CyberChef
• Word Maldoc With CustomXML and Renamed VBAProject.bin
• Wireshark 3.6.8 and 4.0.0rc1 Released
• Maldoc With Decoy BASE64
• Analyzing Obfuscated VBS with CyberChef
• Analysis of an Encoded Cobalt Strike Beacon
• Quickie: Grep & Tail -f With Notepad++
• Video: VBA Maldoc & UTF7 (APT-C-35)
• Video: James Webb JPEG With Malware
• James Webb JPEG With Malware
• Update: VBA Maldoc & UTF7 (APT-C-35)
• Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons
• Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01
• YARA 4.2.3 Released
• VBA Maldoc & UTF7 (APT-C-35)
• Wireshark 3.6.7 Released
• Video: Maldoc: non-ASCII VBA Identifiers
• Maldoc: non-ASCII VBA Identifiers
• Adding Your Own Keywords To My PDF Tools
• Python: Files In Use By Another Process
• 7-Zip Editing & MoW
• 7-Zip & MoW: "For Office files"
• 7-Zip & MoW
• YARA 4.2.2 Released
• My Paste Command
• More Decoding Analysis
• Video: Decoding Obfuscated BASE64 Statistically
• Wireshark 3.6.6 Released
• Decoding Obfuscated BASE64 Statistically
• Quickie: Follina, RTF & Explorer Preview Pane
• "ms-msdt" RTF Maldoc Analysis: oledump Plugins
• Analysis Of An "ms-msdt" RTF Maldoc
• Extracting The Overlay Of A PE File
• Huge Signed PE File: Keeping The Signature
• Huge Signed PE File
• Wireshark 3.6.5 Released
• Quick Analysis Of Phishing MSG
• Detecting VSTO Office Files With ExifTool
• YARA 4.2.1 Released
• Analyzing a Phishing Word Document
• Sysmon's RegistryEvent (Value Set)
• Video: Office Protects You From Malicious ISO Files
• Office Protects You From Malicious ISO Files
• Video: Method For String Extraction Filtering
• Method For String Extraction Filtering
• jo
• curl 7.82.0 Adds --json Option
• Quickie: Parsing XLSB Documents
• Video: Maldoc Cleaned by Anti-Virus
• Wireshark 3.6.3 Released
• Maldoc Cleaned by Anti-Virus
• MGLNDD_* Scans
• SolarWinds Advisory: Unauthenticated Access in Web Help Desk (12.7.5)
• Curl on Windows
• YARA 4.2.0 Released
• ICMP Messages: Original Datagram Field
• Video: TShark & Multiple IP Addresses
• oledump's Extra Option
• TShark & Multiple IP Addresses
• Video: Quick & Dirty Shellcode Analysis - CVE-2017-11882
• Windows, Fixed IPv4 Addresses and APIPA
• Sending an Email to an IPv4 Address?
• Video: YARA's Console Module
• Wireshark 3.6.2 Released
• Power over Ethernet and Thermal Imaging
• YARA's Console Module
• Extracting Cobalt Strike Beacons from MSBuild Scripts
• TShark & jq
• Expect Regressions
• Quicktip: TShark's Options -e and -T
• TShark Tip: Extracting Field Values From Capture Files
• Office 2021: VBA Project Version
• Wireshark 3.6.0 Released
• Video: YARA Rules for Office Maldocs
• Video: SANS Holiday Hack Challenge 2021 Q&A with Ed Skoudis
• YARA's Private Strings
• YARA Rule for OOXML Maldocs: Less False Positives
• Simple YARA Rules for Office Maldocs
• Backdooring PAM
• External Email System FBI Compromised: Sending Out Fake Warnings
• Video: Obfuscated Maldoc: Reversed BASE64
• Obfuscated Maldoc: Reversed BASE64
• Video: Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
• Decrypting Cobalt Strike Traffic With Keys Extracted From Process Memory
• Video: Phishing ZIP With Malformed Filename
• Sysinternals: Autoruns and Sysmon updates
• Decrypting Cobalt Strike Traffic With a "Leaked" Private Key
• Phishing ZIP With Malformed Filename
• Reader Malware: ZIP/HTML Phish
• YARA Release v4.1.3
• Wireshark 3.4.9 Released
• Video: CVE-2021-40444 Maldocs: Extracting URLs
• Video: Strings Analysis: VBA & Excel4 Maldoc
• Strings Analysis: VBA & Excel4 Maldoc
• An XML-Obfuscated Office Document (CVE-2021-40444)
• Video: Simple Analysis Of A CVE-2021-40444 .docx Document
• Simple Analysis Of A CVE-2021-40444 .docx Document
• .docx With Embedded EXE
• New Versions Of Sysinternals Tools
• Extra Tip For Triage Of MALWARE Bazaar's Daily Malware Batches
• Simple Tips For Triage Of MALWARE Bazaar's Daily Malware Batches
• MALWARE Bazaar "Download daily malware batches"
• Changing BAT Files On The Fly
• procdump Version 10.1
• Failed Malspam: Recovering The Password
• Wireshark 3.4.7 Released
• Video: CyberChef BASE85 Decoding
• BASE85 Decoding With base64dump.py
• DIY CD/DVD Destruction - Follow Up
• Finding Strings With oledump.py
• CFBF Files Strings Analysis
• DIY CD/DVD Destruction
• Video: oledump Cheat Sheet
• Video: Cobalt Strike & DNS - Part 1
• Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update
• YARA Release v4.1.1
• Video: Making Sense Of Encrypted Cobalt Strike Traffic
• PuTTY And FileZilla Use The Same Fingerprint Registry Keys
• YARA Release v4.1.0
• CAD: .DGN and .MVBA Files
• Sysinternals: Procmon and Sysmon update
• Wireshark 3.4.5 Released
• Decoding Cobalt Strike Traffic
• Example of Cleartext Cobalt Strike Traffic (Thanks Brad)
• YARA and CyberChef: ZIP
• Video: YARA and CyberChef
• TCPView v4.0 Released
• Nim Strings
• Video: Finding Metasploit & Cobalt Strike URLs
• YARA Pre-release v4.1.0
• Finding Metasploit & Cobalt Strike URLs
• Wireshark 3.4.4 Released
• YARA and CyberChef
• PCAPs and Beacons
• Maldocs: Protection Passwords
• Unprotecting Malicious Documents For Inspection
• DDE and oledump
• Quickie: Extracting HTTP URLs With tshark
• Video: tshark & Malware Analysis
• Quickie: tshark & Malware Analysis
• YARA v4.0.5
• Wireshark 3.4.3 Released
• YARA v4.0.4
• Video: Doc & RTF Malicious Document
• CyberChef: Analyzing OOXML Files for URLs
• Doc & RTF Malicious Document
• New Release of Sysmon Adding Detection for Process Tampering
• Maldoc Analysis With CyberChef
• Maldoc Strings Analysis
• Strings 2021
• Quickie: Bit Shifting With translate.py
• base64dump.py Supported Encodings
• Quickie: String Analysis & Maldocs
• Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
• Wireshark 3.4.2 Released
• Analyzing FireEye Maldocs
• KringleCon 2020
• Wireshark 3.4.1 Released
• Office 95 Excel 4 Macros
• Corrupt BASE64 Strings: Detection and Decoding
• oledump's Indicators (video)
• Decrypting PowerShell Payloads (video)
• Quick Tip: Using JARM With a SOCKS Proxy
• Quick Tip: Cobalt Strike Beacon Analysis
• Quick Tip: Extracting all VBA Code from a Maldoc - JSON Format
• oledump's ! Indicator
• Quick Tip: Extracting all VBA Code from a Maldoc
• AV Cleaned Maldoc
• Wireshark 3.2.8 and 3.4.0 Released
• More File Selection Gaffes
• Excel 4 Macros: "Abnormal Sheet Visibility"
• Video: Pascal Strings
• File Selection Gaffe
• Nested .MSGs: Turtles All The Way Down
• Analyzing MSG Files With plugin_msg_summary
• Open Packaging Conventions
• Obfuscation and Repetition
• Nmap 7.90 Released
• Decoding Corrupt BASE64 Strings
• Wireshark 3.2.7 Released
• Office Documents with Embedded Objects
• Office: About OLE and ZIP Files
• Finding The Original Maldoc
• Malicious Excel Sheet with a NULL VT Score: More Info
• Small Challenge: A Simple Word Maldoc - Part 4
• Small Challenge: A Simple Word Maldoc - Part 3
• Wireshark 3.2.6 Released
• Small Challenge: A Simple Word Maldoc - Part 2
• Small Challenge: A Simple Word Maldoc
• Analyzing Metasploit ASP .NET Payloads
• Cracking Maldoc VBA Project Passwords
• ndisasm Update 2.15
• Zone.Identifier: A Couple Of Observations
• VBA Project Passwords
• Maldoc: VBA Purging Example
• CVE-2020-5902: F5 BIG-IP RCE Vulnerability
• CVE-2020-5902 F5 BIG-IP Exploitation Attempt
• Wireshark 3.2.5 Released
• Sysmon and Alternate Data Streams
• Video: YARA's BASE64 Strings
• Comparing Office Documents with WinMerge
• ISC Handler Series: SANS@MIC - Maldocs: a bit of blue, a bit of red
• YARA's BASE64 Strings
• Translating BASE64 Obfuscated Scripts
• XLMMacroDeobfuscator: An Update
• YARA v4.0.1
• Zloader Maldoc Analysis With xlm-deobfuscator
• Wireshark 3.2.4 Released
• Some Strings to Remember
• Antivirus & Multiple Detections
• Excel 4 Macro Analysis: XLMMacroDeobfuscator
• YARA v4.0.0: BASE64 Strings
• Sysmon and File Deletion
• ZIP & AES
• Video: Malformed .docm File
• MALWARE Bazaar
• KPOT AutoIt Script: Analysis
• KPOT Analysis: Obtaining the Decrypted KPOT EXE
• Reader Analysis: "Dynamic analysis technique to get decrypted KPOT Malware."
• Wireshark 3.2.3 Released: Mac Users Pay Attention Please
• Password Protected Malicious Excel Files
• New Bypass Technique or Corrupt Word Document?
• Obfuscated Excel 4 Macros
• Covid19 Domain Classifier
• Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability
• KPOT Deployed via AutoIt Script
• More COVID-19 Themed Malware
• Phishing PDF With Incremental Updates.
• Malicious Spreadsheet With Data Connection and Excel 4 Macros
• Excel Maldocs: Hidden Sheets
• Wireshark 3.2.2 Released: Windows' Users Pay Attention Please
• Maldoc: Excel 4 Macros and VBA, Devil and Angel?
• Maldoc: Excel 4 Macros in OOXML Format
• curl and SSPI
• bsdtar on Windows 10
• Video: Stego & Cryptominers
• Wireshark 3.2.1 Released
• Citrix ADC Exploits: Overview of Observed Payloads
• etl2pcapng: Convert .etl Capture Files To .pcapng Format
• KringleCon 2019
• "Nim httpclient/1.0.4"
• Corrupt Office Documents
• New oledump.py plugin: plugin_version_vba
• Extracting VBA Macros From .DWG Files
• Wireshark 3.2.0 Released
• Malicious .DWG Files?
• VirusTotal Email Submissions
• (Lazy) Sunday Maldoc Analysis: A Bit More ...
• (Lazy) Sunday Maldoc Analysis
• Wireshark 3.0.7 Released
• You Too? "Unusual Activity with Double Base64 Encoding"
• Remark on EML Attachments
• Tip: Password Managers and 2FA
• Using scdbg to Find Shellcode
• Wireshark 3.0.6 Released
• YARA's XOR Modifier
• YARA v3.11.0 released
• Maldoc, PowerShell & BITS
• Encrypted Maldoc, Wrong Password
• YARA XOR Strings: an Update
• Video: Encrypted Sextortion PDFs
• Wireshark 3.0.5 Release: Potential Windows Crash when Updating
• Encrypted Sextortion PDFs
• Compressed ISO Files (ISZ)
• Video: Analyzing DAA Files
• The DAA File Format
• Analysis of a Spearphishing Maldoc
• Malicious .DAA Attachments
• Nmap Defcon Release: 7.80
• Detecting ZLIB Compression
• Recognizing ZLIB Compression
• Video: Analyzing Compressed PowerShell Scripts
• A Python TCP proxy
• Analyzing Compressed PowerShell Scripts
• Malicious RTF Analysis CVE-2017-11882 by a Reader
• isodump.py and Malicious ISO Files
• Machine Code? No!
• Malicious XSL Files
• Machine Code?
• A "Stream O" Maldoc
• Maldoc: Payloads in User Forms
• Sysmon Version 10: DNS Logging
• Tip: Sysmon Will Log DNS Queries
• Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As
• Retrieving Second Stage Payload with Ncat
• Analyzing First Stage Shellcode
• Office Document & BASE64? PowerShell!
• nmap Service Fingerprint
• Video: nmap Service Detection Customization
• Do You Remember the SUBST Command?
• Text and Text
• VBA Office Document: Which Version?
• Quick Tip for Dissecting CVE-2017-11882 Exploits
• Malicious VBA Office Document Without Source Code
• .rar Files and ACE Exploit CVE-2018-20250
• Analyzing UDF Files with Python
• Analysis of PDFs Created with OpenOffice/LibreOffice
• Maldoc Analysis of the Weekend by a Reader
• "404" is not Malware
• "VelvetSweatshop" Maldocs: Shellcode Analysis
• Decoding QR Codes with Python
• "VelvetSweatshop" Maldocs
• Wireshark 3.0.0 and Npcap: Some Remarks
• Video: Maldoc Analysis: Excel 4.0 Macro
• Maldoc: Excel 4.0 Macros
• Tip: Ghidra & ZIP Files
• Wireshark 3.0.0 and Npcap
• Quick and Dirty Malicious HTA Analysis
• Malicious HTA Analysis by a Reader
• Maldoc Analysis by a Reader
• Sextortion Email Variant: With QR Code
• Identifying Files: Failure Happens
• Know What You Are Logging
• Video: Finding Property Values in Office Documents
• Finding Property Values in Office Documents
• Have You Seen an Email Virus Recently?
• Video: Maldoc Analysis of the Weekend
• Maldoc Analysis of the Weekend
• Video: Analyzing a Simple HTML Phishing Attachment
• Video: Analyzing Encrypted Malicious Office Documents
• Suspicious GET Request: Do You Know What This Is?
• Quick Maldoc Analysis
• Analyzing Encrypted Malicious Office Documents
• Malicious .tar Attachments
• A Malicious JPEG? Second Example
• A Malicious JPEG?
• Maldoc with Nonfunctional Shellcode
• Make a Wheel in 2019!
• Software Crashes: A New Year's Resolution
• Video: De-DOSfuscation Example
• Matryoshka Phish
• Bitcoin "Blocklists"
• KringleCon 2018
• Password Protected ZIP with Maldoc
• De-DOSfuscation Example
• Yet Another DOSfuscation Sample
• Quickie: String Analysis is Still Useful
• Reader Malware Submission: MHT File Inside a ZIP File
• Word maldoc: yet another place to hide a command
• Video: Dissecting a CVE-2017-11882 Exploit
• Wireshark update 2.6.5 available
• Video: CyberChef: BASE64/XOR Recipe
• Dissecting a CVE-2017-11882 Exploit
• TriJklcj2HIUCheDES decryption failed?
• Windows Defender's Sandbox
• Maldoc Duplicating PowerShell Prior to Use
• Detecting Compressed RTF
• MSG Files: Compressed RTF
• CyberChef: BASE64/XOR Recipe
• Maldoc: Once More It's XOR
• YARA XOR Strings: Some Remarks
• YARA: XOR Strings
• Developing YARA Rules: a Practical Example
• Decoding Custom Substitution Encodings with translate.py
• When DOSfuscation Helps...
• Analyzing Encoded Shellcode with scdbg
• Suspicious DNS Requests ... Issued by a Firewall
• 20/20 malware vision
• User Agent String "$ua.tools.random()" ? :-) !
• "What is dikona or glirote3?"
• Video: Using scdbg to analyze shellcode
• Another quickie: Using scdbg to analyze shellcode
• "When was this machine infected?"
• Identifying numeric obfuscation
• Microsoft Publisher malware: static analysis
• OpenSSH user enumeration (CVE-2018-15473)
• Video: Peeking into msg files - revisited
• New Extortion Tricks: Now Including Your (Partial) Phone Number!
• A URL shortener handy for phishers
• Peeking into msg files - revisited
• Numeric obfuscation: another example
• Video: Maldoc analysis with standard Linux tools
• Dealing with numeric obfuscation in malicious scripts
• Malicious Word documents using DOSfuscation
• Analyzing MSG files
• Maldoc analysis with standard Linux tools
• BTC pickpockets are back
• Extracting BTC addresses from emails
• Video: Retrieving and processing JSON data (BTC example)
• Retrieving and processing JSON data (BTC example)
• dd progress indicator on OSX
• dd progress indicator on Linux
• XPS Metadata
• Progress indication for scripts on Windows
• Video: Analyzing XPS Files
• XPS samples
• Analyzing XPS files
• Guilty by association
• Encrypted Office Documents
• Quick analysis of malware created with NSIS
• DASAN GPON home routers exploits in-the-wild
• New IE 0-day in the wild
• A malicious word document with a VBA form - video
• A malicious word document with a VBA form
• Metasploit's Payload UUID
• Phishing PDFs with multiple links - Detection
• Phishing PDFs with multiple links - Animated GIF
• Phishing PDFs with multiple links
• "Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence."
• Wireshark and USB
• Retrieving malware over Tor on Windows
• Analyzing MSI files
• Finding VBA signatures in .docm files
• Analyzing compressed shellcode
• Finding VBA signatures in Word documents
• An autograph from the Dridex gang
• Analyzing an HTA file: Update
• Analyzing an HTA file
• Comment your Packet Captures - Extra!
• Is this a pentest?
• HTTPS on every port?
• Retrieving malware over Tor
• An RTF phish
• Decrypting malicious PDFs with the key
• Peeking into Excel files
• PDF documents & URLs: video
• What is new?
• Analyzing TNEF files
• Dealing with obfuscated RTF files
• PDF documents & URLs: update
• Encrypted PDFs
• Phish or scam? - Part 2
• Phish or scam? - Part 1
• Sometimes it's a dud
• BTC Pickpockets
• Metasploit's Maldoc
• Extracting the text from PDF documents
• PDF documents & URLs
• PE files and debug info
• Remember ACE files?
• It's in the signature.
• Peeking into .msg files
• A strange JPEG file
• It is a resume - Part 3
• Analyzing JPEG files
• Malware analysis output sanitization
• It is a resume - Part 2
• It is a resume - Part 1
• Malware analysis: searching for dots
• It's Not An Invoice ...
• Sometimes it's just SPAM
• The Good Phishing Email
• Maldoc Analysis with ViperMonkey
• Maldoc Submitted and Analyzed
• Static Analysis of Emotet Maldoc
• Another .lnk File
• Malicious .iso Attachments
• Office maldoc + .lnk
• Basic Office maldoc analysis
• Selecting domains with random names
• PE Section Name Descriptions
• Malware and XOR - Part 2
• Malware and XOR - Part 1
• Malicious Documents: A Bit Of News
• Password History: Insights Shared by a Reader
• Domain Whitelisting With Alexa and Umbrella Lists - update
• Domain Whitelisting With Alexa and Umbrella Lists
• Another example of maldoc string obfuscation, with extra bonus: UAC bypass
• CRA Maldoc Analysis
• py2exe Decompiling - Part 2
• py2exe Decompiling - Part 1
• Pinging All The Way
• Sleeping VBS Really Wants To Sleep
• Hancitor Maldoc Videos
• Extracting Shellcode From JavaScript
• Update:ZIP With Comment
• ZIP With Comment
• VBA Shellcode and Windows 10
• VBA Shellcode and EMET
• Hancitor Maldoc Bypasses Application Whitelisting
• Maldoc VBA Anti-Analysis: Video
• Analyzing Office Maldocs With Decoder.xls
• Maldoc VBA Anti-Analysis
• Radare2: rahash2
• VBA and P-code
• .PUB Analysis
• rtfdump
• rtfobj
• Malicious RTF Files
• Python Malware - Part 4
• Practice ntds.dit File
• Office Maldoc: Let's Focus on the VBA Macros Later...
• Python Malware - Part 3
• Python Malware - Part 2
• Python Malware - Part 1
• VBS + VBE
• Handling Malware Samples
• VBE: Encoded VBS Script
• Tip: Quick Analysis of Office Maldoc
• Locky: JavaScript Deobfuscation
• Obfuscated MIME Files
• Sigcheck and VirusTotal for Offline Machine
• BlackEnergy .XLS Dropper
• A Tip For The Analysis Of MIME Files
• Failure Is An Option
• Malfunctioning Malware
• Use The Privilege
• Maldoc Social Engineering Trick
• Ransomware & Entropy: Your Turn -> Solution
• Ransomware & Entropy: Your Turn
• Ransomware & Entropy
• Don't launch that file Adobe Reader!
• Test File: PDF With Embedded DOC Dropping EICAR
• PDF + maldoc1 = maldoc2
• Sigcheck and virustotal-search
• Searching Through the VirusTotal Database
• Sigcheck and VirusTotal
• Autoruns and VirusTotal
• Process Explorer and VirusTotal
• Jump List Files Are OLE Files
• Working with base64
• A .BUP File Is An OLE File
• Analyzing Quarantine Files
• The EICAR Test File
• Another Maldoc? I'm Afraid So...
• Wireshark TCP Flags: How To Install On Windows Video
• Malicious Word Document: This Time The Maldoc Is A MIME File
• A Malicious Word Document Inside a PDF Document
• Handling Special PDF Compression Methods
• Memory Forensics Of Network Devices
• The Kill Chain: Now With Pastebin
• Wireshark TCP Flags
• VMware Product Updates Address Critical Information Disclosure Issue In JRE
• SSH Fingerprints Are Important
• YARA Rules For Shellcode
• Malicious XML: Matryoshka Edition
• From PEiD To YARA
• Maldoc VBA Sandbox/Virtualization Detection
• XML: A New Vector For An Old Trick