- Wireshark 3.4.7 Released
- Video: CyberChef BASE85 Decoding
- BASE85 Decoding With base64dump.py
- DIY CD/DVD Destruction - Follow Up
- Finding Strings With oledump.py
- CFBF Files Strings Analysis
- DIY CD/DVD Destruction
- Video: oledump Cheat Sheet
- Video: Cobalt Strike & DNS - Part 1
- Sysinternals: Procmon, Sysmon, TcpView and Process Explorer update
- YARA Release v4.1.1
- Video: Making Sense Of Encrypted Cobalt Strike Traffic
- PuTTY And FileZilla Use The Same Fingerprint Registry Keys
- YARA Release v4.1.0
- CAD: .DGN and .MVBA Files
- Sysinternals: Procmon and Sysmon update
- Wireshark 3.4.5 Released
- Decoding Cobalt Strike Traffic
- Example of Cleartext Cobalt Strike Traffic (Thanks Brad)
- YARA and CyberChef: ZIP
- Video: YARA and CyberChef
- TCPView v4.0 Released
- Nim Strings
- Video: Finding Metasploit & Cobalt Strike URLs
- YARA Pre-release v4.1.0
- Finding Metasploit & Cobalt Strike URLs
- Wireshark 3.4.4 Released
- YARA and CyberChef
- PCAPs and Beacons
- Maldocs: Protection Passwords
- Unprotecting Malicious Documents For Inspection
- DDE and oledump
- Quickie: Extracting HTTP URLs With tshark
- Video: tshark & Malware Analysis
- Quickie: tshark & Malware Analysis
- YARA v4.0.5
- Wireshark 3.4.3 Released
- YARA v4.0.4
- Video: Doc & RTF Malicious Document
- CyberChef: Analyzing OOXML Files for URLs
- Doc & RTF Malicious Document
- New Release of Sysmon Adding Detection for Process Tampering
- Maldoc Analysis With CyberChef
- Maldoc Strings Analysis
- Strings 2021
- Quickie: Bit Shifting With translate.py
- base64dump.py Supported Encodings
- Quickie: String Analysis & Maldocs
- Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
- Wireshark 3.4.2 Released
- Analyzing FireEye Maldocs
- KringleCon 2020
- Wireshark 3.4.1 Released
- Office 95 Excel 4 Macros
- Corrupt BASE64 Strings: Detection and Decoding
- oledump's Indicators (video)
- Decrypting PowerShell Payloads (video)
- Quick Tip: Using JARM With a SOCKS Proxy
- Quick Tip: Cobalt Strike Beacon Analysis
- Quick Tip: Extracting all VBA Code from a Maldoc - JSON Format
- oledump's ! Indicator
- Quick Tip: Extracting all VBA Code from a Maldoc
- AV Cleaned Maldoc
- Wireshark 3.2.8 and 3.4.0 Released
- More File Selection Gaffes
- Excel 4 Macros: "Abnormal Sheet Visibility"
- Video: Pascal Strings
- File Selection Gaffe
- Nested .MSGs: Turtles All The Way Down
- Analyzing MSG Files With plugin_msg_summary
- Open Packaging Conventions
- Obfuscation and Repetition
- Nmap 7.90 Released
- Decoding Corrupt BASE64 Strings
- Wireshark 3.2.7 Released
- Office Documents with Embedded Objects
- Office: About OLE and ZIP Files
- Finding The Original Maldoc
- Malicious Excel Sheet with a NULL VT Score: More Info
- Small Challenge: A Simple Word Maldoc - Part 4
- Small Challenge: A Simple Word Maldoc - Part 3
- Wireshark 3.2.6 Released
- Small Challenge: A Simple Word Maldoc - Part 2
- Small Challenge: A Simple Word Maldoc
- Analyzing Metasploit ASP .NET Payloads
- Cracking Maldoc VBA Project Passwords
- ndisasm Update 2.15
- Zone.Identifier: A Couple Of Observations
- VBA Project Passwords
- Maldoc: VBA Purging Example
- CVE-2020-5902: F5 BIG-IP RCE Vulnerability
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt
- Wireshark 3.2.5 Released
- Sysmon and Alternate Data Streams
- Video: YARA's BASE64 Strings
- Comparing Office Documents with WinMerge
- ISC Handler Series: SANS@MIC - Maldocs: a bit of blue, a bit of red
- YARA's BASE64 Strings
- Translating BASE64 Obfuscated Scripts
- XLMMacroDeobfuscator: An Update
- YARA v4.0.1
- Zloader Maldoc Analysis With xlm-deobfuscator
- Wireshark 3.2.4 Released
- Some Strings to Remember
- Antivirus & Multiple Detections
- Excel 4 Macro Analysis: XLMMacroDeobfuscator
- YARA v4.0.0: BASE64 Strings
- Sysmon and File Deletion
- ZIP & AES
- Video: Malformed .docm File
- MALWARE Bazaar
- KPOT AutoIt Script: Analysis
- KPOT Analysis: Obtaining the Decrypted KPOT EXE
- Reader Analysis: "Dynamic analysis technique to get decrypted KPOT Malware."
- Wireshark 3.2.3 Released: Mac Users Pay Attention Please
- Password Protected Malicious Excel Files
- New Bypass Technique or Corrupt Word Document?
- Obfuscated Excel 4 Macros
- Covid19 Domain Classifier
- Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability
- KPOT Deployed via AutoIt Script
- More COVID-19 Themed Malware
- Phishing PDF With Incremental Updates.
- Malicious Spreadsheet With Data Connection and Excel 4 Macros
- Excel Maldocs: Hidden Sheets
- Wireshark 3.2.2 Released: Windows' Users Pay Attention Please
- Maldoc: Excel 4 Macros and VBA, Devil and Angel?
- Maldoc: Excel 4 Macros in OOXML Format
- curl and SSPI
- bsdtar on Windows 10
- Video: Stego & Cryptominers
- Wireshark 3.2.1 Released
- Citrix ADC Exploits: Overview of Observed Payloads
- etl2pcapng: Convert .etl Capture Files To .pcapng Format
- KringleCon 2019
- "Nim httpclient/1.0.4"
- Corrupt Office Documents
- New oledump.py plugin: plugin_version_vba
- Extracting VBA Macros From .DWG Files
- Wireshark 3.2.0 Released
- Malicious .DWG Files?
- VirusTotal Email Submissions
- (Lazy) Sunday Maldoc Analysis: A Bit More ...
- (Lazy) Sunday Maldoc Analysis
- Wireshark 3.0.7 Released
- You Too? "Unusual Activity with Double Base64 Encoding"
- Remark on EML Attachments
- Tip: Password Managers and 2FA
- Using scdbg to Find Shellcode
- Wireshark 3.0.6 Released
- YARA's XOR Modifier
- YARA v3.11.0 released
- Maldoc, PowerShell & BITS
- Encrypted Maldoc, Wrong Password
- YARA XOR Strings: an Update
- Video: Encrypted Sextortion PDFs
- Wireshark 3.0.5 Release: Potential Windows Crash when Updating
- Encrypted Sextortion PDFs
- Compressed ISO Files (ISZ)
- Video: Analyzing DAA Files
- The DAA File Format
- Analysis of a Spearphishing Maldoc
- Malicious .DAA Attachments
- Nmap Defcon Release: 7.80
- Detecting ZLIB Compression
- Recognizing ZLIB Compression
- Video: Analyzing Compressed PowerShell Scripts
- A Python TCP proxy
- Analyzing Compressed PowerShell Scripts
- Malicious RTF Analysis CVE-2017-11882 by a Reader
- isodump.py and Malicious ISO Files
- Machine Code? No!
- Malicious XSL Files
- Machine Code?
- A "Stream O" Maldoc
- Maldoc: Payloads in User Forms
- Sysmon Version 10: DNS Logging
- Tip: Sysmon Will Log DNS Queries
- Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As
- Retrieving Second Stage Payload with Ncat
- Analyzing First Stage Shellcode
- Office Document & BASE64? PowerShell!
- nmap Service Fingerprint
- Video: nmap Service Detection Customization
- Do You Remember the SUBST Command?
- Text and T
e x t - VBA Office Document: Which Version?
- Quick Tip for Dissecting CVE-2017-11882 Exploits
- Malicious VBA Office Document Without Source Code
- .rar Files and ACE Exploit CVE-2018-20250
- Analyzing UDF Files with Python
- Analysis of PDFs Created with OpenOffice/LibreOffice
- Maldoc Analysis of the Weekend by a Reader
- "404" is not Malware
- "VelvetSweatshop" Maldocs: Shellcode Analysis
- Decoding QR Codes with Python
- "VelvetSweatshop" Maldocs
- Wireshark 3.0.0 and Npcap: Some Remarks
- Video: Maldoc Analysis: Excel 4.0 Macro
- Maldoc: Excel 4.0 Macros
- Tip: Ghidra & ZIP Files
- Wireshark 3.0.0 and Npcap
- Quick and Dirty Malicious HTA Analysis
- Malicious HTA Analysis by a Reader
- Maldoc Analysis by a Reader
- Sextortion Email Variant: With QR Code
- Identifying Files: Failure Happens
- Know What You Are Logging
- Video: Finding Property Values in Office Documents
- Finding Property Values in Office Documents
- Have You Seen an Email Virus Recently?
- Video: Maldoc Analysis of the Weekend
- Maldoc Analysis of the Weekend
- Video: Analyzing a Simple HTML Phishing Attachment
- Video: Analyzing Encrypted Malicious Office Documents
- Suspicious GET Request: Do You Know What This Is?
- Quick Maldoc Analysis
- Analyzing Encrypted Malicious Office Documents
- Malicious .tar Attachments
- A Malicious JPEG? Second Example
- A Malicious JPEG?
- Maldoc with Nonfunctional Shellcode
- Make a Wheel in 2019!
- Software Crashes: A New Year's Resolution
- Video: De-DOSfuscation Example
- Matryoshka Phish
- Bitcoin "Blocklists"
- KringleCon 2018
- Password Protected ZIP with Maldoc
- De-DOSfuscation Example
- Yet Another DOSfuscation Sample
- Quickie: String Analysis is Still Useful
- Reader Malware Submission: MHT File Inside a ZIP File
- Word maldoc: yet another place to hide a command
- Video: Dissecting a CVE-2017-11882 Exploit
- Wireshark update 2.6.5 available
- Video: CyberChef: BASE64/XOR Recipe
- Dissecting a CVE-2017-11882 Exploit
- TriJklcj2HIUCheDES decryption failed?
- Windows Defender's Sandbox
- Maldoc Duplicating PowerShell Prior to Use
- Detecting Compressed RTF
- MSG Files: Compressed RTF
- CyberChef: BASE64/XOR Recipe
- Maldoc: Once More It's XOR
- YARA XOR Strings: Some Remarks
- YARA: XOR Strings
- Developing YARA Rules: a Practical Example
- Decoding Custom Substitution Encodings with translate.py
- When DOSfuscation Helps...
- Analyzing Encoded Shellcode with scdbg
- Suspicious DNS Requests ... Issued by a Firewall
- 20/20 malware vision
- User Agent String "$ua.tools.random()" ? :-) !
- "What is dikona or glirote3?"
- Video: Using scdbg to analyze shellcode
- Another quickie: Using scdbg to analyze shellcode
- "When was this machine infected?"
- Identifying numeric obfuscation
- Microsoft Publisher malware: static analysis
- OpenSSH user enumeration (CVE-2018-15473)
- Video: Peeking into msg files - revisited
- New Extortion Tricks: Now Including Your (Partial) Phone Number!
- A URL shortener handy for phishers
- Peeking into msg files - revisited
- Numeric obfuscation: another example
- Video: Maldoc analysis with standard Linux tools
- Dealing with numeric obfuscation in malicious scripts
- Malicious Word documents using DOSfuscation
- Analyzing MSG files
- Maldoc analysis with standard Linux tools
- BTC pickpockets are back
- Extracting BTC addresses from emails
- Video: Retrieving and processing JSON data (BTC example)
- Retrieving and processing JSON data (BTC example)
- dd progress indicator on OSX
- dd progress indicator on Linux
- XPS Metadata
- Progress indication for scripts on Windows
- Video: Analyzing XPS Files
- XPS samples
- Analyzing XPS files
- Guilty by association
- Encrypted Office Documents
- Quick analysis of malware created with NSIS
- DASAN GPON home routers exploits in-the-wild
- New IE 0-day in the wild
- A malicious word document with a VBA form - video
- A malicious word document with a VBA form
- Metasploit's Payload UUID
- Phishing PDFs with multiple links - Detection
- Phishing PDFs with multiple links - Animated GIF
- Phishing PDFs with multiple links
- "Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence."
- Wireshark and USB
- Retrieving malware over Tor on Windows
- Analyzing MSI files
- Finding VBA signatures in .docm files
- Analyzing compressed shellcode
- Finding VBA signatures in Word documents
- An autograph from the Dridex gang
- Analyzing an HTA file: Update
- Analyzing an HTA file
- Comment your Packet Captures - Extra!
- Is this a pentest?
- HTTPS on every port?
- Retrieving malware over Tor
- An RTF phish
- Decrypting malicious PDFs with the key
- Peeking into Excel files
- PDF documents & URLs: video
- What is new?
- Analyzing TNEF files
- Dealing with obfuscated RTF files
- PDF documents & URLs: update
- Encrypted PDFs
- Phish or scam? - Part 2
- Phish or scam? - Part 1
- Sometimes it's a dud
- BTC Pickpockets
- Metasploit's Maldoc
- Extracting the text from PDF documents
- PDF documents & URLs
- PE files and debug info
- Remember ACE files?
- It's in the signature.
- Peeking into .msg files
- A strange JPEG file
- It is a resume - Part 3
- Analyzing JPEG files
- Malware analysis output sanitization
- It is a resume - Part 2
- It is a resume - Part 1
- Malware analysis: searching for dots
- It's Not An Invoice ...
- Sometimes it's just SPAM
- The Good Phishing Email
- Maldoc Analysis with ViperMonkey
- Maldoc Submitted and Analyzed
- Static Analysis of Emotet Maldoc
- Another .lnk File
- Malicious .iso Attachments
- Office maldoc + .lnk
- Basic Office maldoc analysis
- Selecting domains with random names
- PE Section Name Descriptions
- Malware and XOR - Part 2
- Malware and XOR - Part 1
- Malicious Documents: A Bit Of News
- Password History: Insights Shared by a Reader
- Domain Whitelisting With Alexa and Umbrella Lists - update
- Domain Whitelisting With Alexa and Umbrella Lists
- Another example of maldoc string obfuscation, with extra bonus: UAC bypass
- CRA Maldoc Analysis
- py2exe Decompiling - Part 2
- py2exe Decompiling - Part 1
- Pinging All The Way
- Sleeping VBS Really Wants To Sleep
- Hancitor Maldoc Videos
- Extracting Shellcode From JavaScript
- Update:ZIP With Comment
- ZIP With Comment
- VBA Shellcode and Windows 10
- VBA Shellcode and EMET
- Hancitor Maldoc Bypasses Application Whitelisting
- Maldoc VBA Anti-Analysis: Video
- Analyzing Office Maldocs With Decoder.xls
- Maldoc VBA Anti-Analysis
- Radare2: rahash2
- VBA and P-code
- .PUB Analysis
- rtfdump
- rtfobj
- Malicious RTF Files
- Python Malware - Part 4
- Practice ntds.dit File
- Office Maldoc: Let's Focus on the VBA Macros Later...
- Python Malware - Part 3
- Python Malware - Part 2
- Python Malware - Part 1
- VBS + VBE
- Handling Malware Samples
- VBE: Encoded VBS Script
- Tip: Quick Analysis of Office Maldoc
- Locky: JavaScript Deobfuscation
- Obfuscated MIME Files
- Sigcheck and VirusTotal for Offline Machine
- BlackEnergy .XLS Dropper
- A Tip For The Analysis Of MIME Files
- Failure Is An Option
- Malfunctioning Malware
- Use The Privilege
- Maldoc Social Engineering Trick
- Ransomware & Entropy: Your Turn -> Solution
- Ransomware & Entropy: Your Turn
- Ransomware & Entropy
- Don't launch that file Adobe Reader!
- Test File: PDF With Embedded DOC Dropping EICAR
- PDF + maldoc1 = maldoc2
- Sigcheck and virustotal-search
- Searching Through the VirusTotal Database
- Sigcheck and VirusTotal
- Autoruns and VirusTotal
- Process Explorer and VirusTotal
- Jump List Files Are OLE Files
- Working with base64
- A .BUP File Is An OLE File
- Analyzing Quarantine Files
- The EICAR Test File
- Another Maldoc? I'm Afraid So...
- Wireshark TCP Flags: How To Install On Windows Video
- Malicious Word Document: This Time The Maldoc Is A MIME File
- A Malicious Word Document Inside a PDF Document
- Handling Special PDF Compression Methods
- Memory Forensics Of Network Devices
- The Kill Chain: Now With Pastebin
- Wireshark TCP Flags
- VMware Product Updates Address Critical Information Disclosure Issue In JRE
- SSH Fingerprints Are Important
- YARA Rules For Shellcode
- Malicious XML: Matryoshka Edition
- From PEiD To YARA
- Maldoc VBA Sandbox/Virtualization Detection
- XML: A New Vector For An Old Trick
Threat Level: green
Handler on Duty: Didier Stevens
SANS ISC: ISC Handlers ISC Handlers
Questions? Feedback?
Use our contact form or
report bugs here
For interactive help and to chat with other users, try our Slack group.
Use our contact form or
report bugs here
For interactive help and to chat with other users, try our Slack group.
