Articles et outils à propos de Python, Sécurité Informatique, etc.

Articles et présentations à propos de Sécurité Informatique

Voici une liste de tous les articles et présentations que j'ai publiés jusqu'ici dans le domaine de la sécurité informatique.

Tools to extract VBA Macro source code from MS Office Documents

This article presents several tools that can be used to extract VBA Macros source code from MS Office Documents, for malware analysis and forensics. It also provides an overview of how VBA Macros are stored.

VBA Macro analysis: Beware of the Shift Key!

Many malware analysts like to use the VB Editor in MS Word or Excel to analyze malicious macros, because it provides a nice debugging environment. It is a convenient solution to run VBA code in its native context, in order to unmask heavily obfuscated macros.

Using VBA Emulation to Analyze Obfuscated Macros

ViperMonkey is an experimental toolkit that I have been developing since early 2015, to parse VBA macros and emulate their execution. This articles shows how it can be used to analyze obfuscated macros and extract hidden strings/IOCs.

Malware Search

This custom Google search engine helps you find malware samples containing specific strings, filenames, hashes or other IOCs. It uses the data indexed by several websites including malwr.com, hybrid-analysis.com, virustotal.com and virusshare.com.

For example, search "VB_Nam" to find malicious VBA macros, or "\objdata" to find RTF files with OLE Package objects.

How to detect most malicious macros without an antivirus

mraptor is a simple tool designed to detect malicious VBA macros in MS Office files, based on characteristics of the VBA code. This article explains how it works, and how it can be used in practice.

Anti-Analysis Tricks in Weaponized RTF

This article describes several anti-analysis tricks found in recent malicious RTF documents, and how I improved rtfobj to handle them.

8KB of malware crammed into a single command line in a macro

A few days ago, @Bry_Campbell told me about a strange sample with a malicious macro, that could not be fully analyzed with online sandboxes and the usual tools.

How to grill Malicious Macros - SSTIC15

Since 2014, malicious macros are coming back. And their success in recent campaigns demonstrates that it is still an effective way to deliver malware, sixteen years after Melissa.

This is a presentation that I gave to the SSTIC symposium in June 2015, translated to English. It explains what malicious macros can do, how their code can be obfuscated, and some of the anti-analysis tricks observed in recent cases. Then it shows several tools that can be used to analyze macros, including oledump and olevba.

Tip: how to find malware samples containing specific strings

It is sometimes useful to look for malware samples containing a specific string. For example, you might look for samples sharing similar code to analyze a malware campaign with different targets. Another use case is discovering the original version of a modified file, as described in my article "Unmasking Malfunctioning Malicious Documents".

Syndiquer le contenu