TwinWave observed maldocs utilizing Lolbas Findstr 'Failed Search' webdav download method. Sample: bazaar.abuse.ch/sample/ed028d9…

PDF Polyglot Files 🥸

Legitimate PDF files that launch maldocs when opened in MS Word 👀

We've created samples for you to test here: delivr.to/payloads?searc…

🧵

Being inspired by hasherezade, Michael Gillespie and MalwareTech vlogs, I decided to start my own. Today's lecture #Maldocs Analysis explains the techniques for malicious DOCX and XLSX files analysis.
#malwareanalysis #nioguard #engensec #spearphihsing
youtu.be/7MnHoBGeoWA

🚨 I've put together my first #cheat #sheet around #maldocs , you can download a PDF version from 👇

✅ thecyberyeti.com/quick-referenc…

Covers the tools, common commands, and other information you need to know when analyzing malicious documents, such as Word, OneNote and PDF.

Offensive Maldocs in 2020 (PDF)
github.com/FortyNorthSecu…

While I'm still writing the first article of MAS (Malware Analysis Series), which I'm late because heath issues in family and also I was assigned to two private tranings, I leave a simple article about maldocs:

exploitreversing.com/2021/11/02/mal…

(PDF): exploitreversing.files.wordpress.com/2021/11/mda_1-…

#malware

Blog post: “Extracting userform field values from VBA maldocs” nvdp01.github.io/analysis/2022/…

#Ransomware #LockBit It spreads through maldocs attacking organizations in South Korea. The distribution of documents began this morning. A multistage payload is being used. Dmitry Bestuzhev BlackBerry Cybersecurity #cti 🧵

Updating grammar is scary... but sometimes inevitable

New technique used in #xlm #maldocs that breaks #xlm deobfuscator: multiple macros in one cell

=f1=f2=f3

#xlm deobfuscator grammar assumes only one formula

Fixed in handle_multi_statement branch, still needs more testing

#APT maldocs targeting Russia: (They could be related to #CloudAtlas #APT )

1) Email:
Дипломатическая академия МИД России, журнал «Дипломатическая служба и практика» (Diplomatic Academy of the Ministry of Foreign Affairs of Russia, Diplomatic Service and Practice magazine)
(1/3)

#Ransomware #LockBit It spreads through maldocs. Distribution began this morning. (12.12) Organizations in South Korea are also targeted.

f64b643de2bc7c368b0a13d12c584a09
03cea7c49abe78863ae2644ac77c8efb < 2st
df7a9a45a10c1942225eb9be257fb752 < LockBit
Dmitry Bestuzhev #cti 🧵

Some #Gamaredon #APT maldocs:

0f5a6455191ffce67e0463af46df08e0
560a35503324936f6b638cf62e517a8e
ПРОТОКОЛ № 1 от 02.09.2022 расп. 146 от 02.09.22.doc

eef936dcc99ea3e4684061e6aa4e4715
Госкомзем.doc

7689d5ad4df5bf830e4e5ee9645e0a24
Госкомзем.doc

Deobfuscating the Latest Maldocs - kahusecurity.com/?p=13733

Simple YARA Rules for Office Maldocs i5c.us/d28062

#Ransomware #LockBit It spreads through maldocs. Distribution began this morning. (01.06) Organizations in South Korea are also targeted. 2831b37cf521848142e8a5d69515b065 9a1cac28f716d2e660f2bd6297cd560b < 2st a27b6bfb8e6aef454395cbab2bdf7cd1 < LockBit

Dmitry Bestuzhev
#cti 🧵

🚨 Phishing PDF File Evaded All the AV Solutions 🚨

📌 VT Detection: 1 / 63

📁 Filename: EFT-Payment.pdf
🔐 MD5: 12d4c4978092229073cf4d4d57729f2e
🕵️‍♂️ IOCs:
- https[:]//bafkreig6e4hmlnuktybscumout2n4ntbka34db5vtscvx5tknmzs3h5bsu.ipfs.cf-ipfs.com/

DOCGuard Report:…

Few maldocs are easy to analyze, so don't waste time! I've delivered private English classes since 2017 about maldocs (not easy ones), malware analysis, IR, iOS/Android reversing and so on, and maybe I deliver a public one on maldocs in the second semester. Let's see.

#malware

YARA Rule for OOXML Maldocs: Less False Positives i5c.us/d28066

Christmas-themed malspam campaign pushes Emotet. Maldocs include obfuscated VBA and PS. picussecurity.com/blog/the-chris… Thanks to ANY.RUN for samples.MalwareHunterTeam JAMESWT James @dvk01uk ExecuteMalware Malware Breakdown Joe Roosen hazmalware Malwrologist 🆁🅴🅶🅶🅸🅴

While I'm away due to research tasks and heavily busy writing articles and a book...

Remember: don't waste time with trivial maldocs...

#maldocs