Forensic Blogs

An aggregator for digital forensics blogs

by

Quickpost: Maldocs: VBA And Pastebin

Since a day or two I’m seeing yet another trick used by malware authors in their VBA macros.

The sample I’m looking at is 26B857A0A57B89166584CBB7167CAA19.

The VBA macro downloads base64 encoded scripts from Pastebin:

20150408-220943

20150408-221046

The scripts are delimited by HTML-like tags like . Tags that start with stext are scripts for Windows XP systems, and tags that start with text are for Windows Vista and later. This difference is for Powershell: on XP, VBS scripts are executed, and on more recent systems, Powershell scripts are executed.

The URL of the payload comes from another Pastebin entry:

20150408-221533

Correct: that trojan is hosted on Dropbox.

Quickpost info


by

pdf-parser And YARA

I’m teaching a PDF class at HITB Amsterdam in May. This is one of the many subjects covered in the class.

For about half a year now, I’ve been adding YARA support to several of my analysis tools. Like pdf-parser.

I’ll write some blogposts covering each tool with YARA support. I’ll start with a video for pdf-parser: