Forensic Blogs

An aggregator for digital forensics blogs

by

Tampering With Digitally Signed VBA Projects

As I explained in blog post VBA Purging, VBA code contained in Module Streams is made up of compiled code (PerformanceCache) and source code (CompressedSourceCode).

If you alter the compiled code (PerformanceCache) properly and leave the source code (CompressedSourceCode) of a signed VBA project untouched, you can change the behavior of a signed document without invalidating the signature. That’s because the code signing algorithm for VBA projects does not take the PerformanceCache into account.

Details in my NVISO blog post: Tampering with Digitally Signed VBA Projects

 

by

Update: base64dump.py Version 0.0.12

This new version of base64dump.py adds the following new features:

encoding zxc (0x4D,0x5A,0x90,…) update for YARA rules update for –cut option option -A: run-length encoded HEX/ASCII dump warning when no encoding was selected environment variable to set hash algorithm (DSS_DEFAULT_HASH_ALGORITHMS) option –jsonoutput option -T: headtail option -p: process encodings Python 3 support

base64dump_V0_0_12.zip (https)
MD5: 834B0D2DB5915ECE1C2F016B9E8462D1
SHA256: 952A5009C945AF350DB0875E8F025E3B5D271FB54AC60BE7569CFBD949DD7B77

by

Overview of Content Published in June

Here is an overview of content I published in June:

Blog posts:

add-admin: Tiny EXE To Add Administrative Account Update: translate.py Version 2.5.8 FalsePositive GitHub Repository VBA Purging

YouTube videos:

YARA’s BASE64 Strings

Videoblog posts:

Maldoc Analysis With xlm-deobfuscator SANS@MIC – Maldocs: a bit of blue, a bit of red

SANS ISC Diary entries:

XLMMacroDeobfuscator: An Update Translating BASE64 Obfuscated Scripts YARA’s BASE64 Strings ISC Handler Series: SANS@MIC – Maldocs: a bit of blue, a bit of red Comparing Office Documents with WinMerge Video: YARA’s BASE64 Strings Sysmon and Alternate Data Streams

NVISO blog posts:

Tampering with Digitally Signed VBA Projects