- Unprotecting Malicious Documents For Inspection
- DDE and oledump
- Quickie: Extracting HTTP URLs With tshark
- Video: tshark & Malware Analysis
- Quickie: tshark & Malware Analysis
- YARA v4.0.5
- Wireshark 3.4.3 Released
- YARA v4.0.4
- Video: Doc & RTF Malicious Document
- CyberChef: Analyzing OOXML Files for URLs
- Doc & RTF Malicious Document
- New Release of Sysmon Adding Detection for Process Tampering
- Maldoc Analysis With CyberChef
- Maldoc Strings Analysis
- Strings 2021
- Quickie: Bit Shifting With translate.py
- base64dump.py Supported Encodings
- Quickie: String Analysis & Maldocs
- Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
- Wireshark 3.4.2 Released
- Analyzing FireEye Maldocs
- KringleCon 2020
- Wireshark 3.4.1 Released
- Office 95 Excel 4 Macros
- Corrupt BASE64 Strings: Detection and Decoding
- oledump's Indicators (video)
- Decrypting PowerShell Payloads (video)
- Quick Tip: Using JARM With a SOCKS Proxy
- Quick Tip: Cobalt Strike Beacon Analysis
- Quick Tip: Extracting all VBA Code from a Maldoc - JSON Format
- oledump's ! Indicator
- Quick Tip: Extracting all VBA Code from a Maldoc
- AV Cleaned Maldoc
- Wireshark 3.2.8 and 3.4.0 Released
- More File Selection Gaffes
- Excel 4 Macros: "Abnormal Sheet Visibility"
- Video: Pascal Strings
- File Selection Gaffe
- Nested .MSGs: Turtles All The Way Down
- Analyzing MSG Files With plugin_msg_summary
- Open Packaging Conventions
- Obfuscation and Repetition
- Nmap 7.90 Released
- Decoding Corrupt BASE64 Strings
- Wireshark 3.2.7 Released
- Office Documents with Embedded Objects
- Office: About OLE and ZIP Files
- Finding The Original Maldoc
- Malicious Excel Sheet with a NULL VT Score: More Info
- Small Challenge: A Simple Word Maldoc - Part 4
- Small Challenge: A Simple Word Maldoc - Part 3
- Wireshark 3.2.6 Released
- Small Challenge: A Simple Word Maldoc - Part 2
- Small Challenge: A Simple Word Maldoc
- Analyzing Metasploit ASP .NET Payloads
- Cracking Maldoc VBA Project Passwords
- ndisasm Update 2.15
- Zone.Identifier: A Couple Of Observations
- VBA Project Passwords
- Maldoc: VBA Purging Example
- CVE-2020-5902: F5 BIG-IP RCE Vulnerability
- CVE-2020-5902 F5 BIG-IP Exploitation Attempt
- Wireshark 3.2.5 Released
- Sysmon and Alternate Data Streams
- Video: YARA's BASE64 Strings
- Comparing Office Documents with WinMerge
- ISC Handler Series: SANS@MIC - Maldocs: a bit of blue, a bit of red
- YARA's BASE64 Strings
- Translating BASE64 Obfuscated Scripts
- XLMMacroDeobfuscator: An Update
- YARA v4.0.1
- Zloader Maldoc Analysis With xlm-deobfuscator
- Wireshark 3.2.4 Released
- Some Strings to Remember
- Antivirus & Multiple Detections
- Excel 4 Macro Analysis: XLMMacroDeobfuscator
- YARA v4.0.0: BASE64 Strings
- Sysmon and File Deletion
- ZIP & AES
- Video: Malformed .docm File
- MALWARE Bazaar
- KPOT AutoIt Script: Analysis
- KPOT Analysis: Obtaining the Decrypted KPOT EXE
- Reader Analysis: "Dynamic analysis technique to get decrypted KPOT Malware."
- Wireshark 3.2.3 Released: Mac Users Pay Attention Please
- Password Protected Malicious Excel Files
- New Bypass Technique or Corrupt Word Document?
- Obfuscated Excel 4 Macros
- Covid19 Domain Classifier
- Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability
- KPOT Deployed via AutoIt Script
- More COVID-19 Themed Malware
- Phishing PDF With Incremental Updates.
- Malicious Spreadsheet With Data Connection and Excel 4 Macros
- Excel Maldocs: Hidden Sheets
- Wireshark 3.2.2 Released: Windows' Users Pay Attention Please
- Maldoc: Excel 4 Macros and VBA, Devil and Angel?
- Maldoc: Excel 4 Macros in OOXML Format
- curl and SSPI
- bsdtar on Windows 10
- Video: Stego & Cryptominers
- Wireshark 3.2.1 Released
- Citrix ADC Exploits: Overview of Observed Payloads
- etl2pcapng: Convert .etl Capture Files To .pcapng Format
- KringleCon 2019
- "Nim httpclient/1.0.4"
- Corrupt Office Documents
- New oledump.py plugin: plugin_version_vba
- Extracting VBA Macros From .DWG Files
- Wireshark 3.2.0 Released
- Malicious .DWG Files?
- VirusTotal Email Submissions
- (Lazy) Sunday Maldoc Analysis: A Bit More ...
- (Lazy) Sunday Maldoc Analysis
- Wireshark 3.0.7 Released
- You Too? "Unusual Activity with Double Base64 Encoding"
- Remark on EML Attachments
- Tip: Password Managers and 2FA
- Using scdbg to Find Shellcode
- Wireshark 3.0.6 Released
- YARA's XOR Modifier
- YARA v3.11.0 released
- Maldoc, PowerShell & BITS
- Encrypted Maldoc, Wrong Password
- YARA XOR Strings: an Update
- Video: Encrypted Sextortion PDFs
- Wireshark 3.0.5 Release: Potential Windows Crash when Updating
- Encrypted Sextortion PDFs
- Compressed ISO Files (ISZ)
- Video: Analyzing DAA Files
- The DAA File Format
- Analysis of a Spearphishing Maldoc
- Malicious .DAA Attachments
- Nmap Defcon Release: 7.80
- Detecting ZLIB Compression
- Recognizing ZLIB Compression
- Video: Analyzing Compressed PowerShell Scripts
- A Python TCP proxy
- Analyzing Compressed PowerShell Scripts
- Malicious RTF Analysis CVE-2017-11882 by a Reader
- isodump.py and Malicious ISO Files
- Machine Code? No!
- Malicious XSL Files
- Machine Code?
- A "Stream O" Maldoc
- Maldoc: Payloads in User Forms
- Sysmon Version 10: DNS Logging
- Tip: Sysmon Will Log DNS Queries
- Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As
- Retrieving Second Stage Payload with Ncat
- Analyzing First Stage Shellcode
- Office Document & BASE64? PowerShell!
- nmap Service Fingerprint
- Video: nmap Service Detection Customization
- Do You Remember the SUBST Command?
- Text and Text
- VBA Office Document: Which Version?
- Quick Tip for Dissecting CVE-2017-11882 Exploits
- Malicious VBA Office Document Without Source Code
- .rar Files and ACE Exploit CVE-2018-20250
- Analyzing UDF Files with Python
- Analysis of PDFs Created with OpenOffice/LibreOffice
- Maldoc Analysis of the Weekend by a Reader
- "404" is not Malware
- "VelvetSweatshop" Maldocs: Shellcode Analysis
- Decoding QR Codes with Python
- "VelvetSweatshop" Maldocs
- Wireshark 3.0.0 and Npcap: Some Remarks
- Video: Maldoc Analysis: Excel 4.0 Macro
- Maldoc: Excel 4.0 Macros
- Tip: Ghidra & ZIP Files
- Wireshark 3.0.0 and Npcap
- Quick and Dirty Malicious HTA Analysis
- Malicious HTA Analysis by a Reader
- Maldoc Analysis by a Reader
- Sextortion Email Variant: With QR Code
- Identifying Files: Failure Happens
- Know What You Are Logging
- Video: Finding Property Values in Office Documents
- Finding Property Values in Office Documents
- Have You Seen an Email Virus Recently?
- Video: Maldoc Analysis of the Weekend
- Maldoc Analysis of the Weekend
- Video: Analyzing a Simple HTML Phishing Attachment
- Video: Analyzing Encrypted Malicious Office Documents
- Suspicious GET Request: Do You Know What This Is?
- Quick Maldoc Analysis
- Analyzing Encrypted Malicious Office Documents
- Malicious .tar Attachments
- A Malicious JPEG? Second Example
- A Malicious JPEG?
- Maldoc with Nonfunctional Shellcode
- Make a Wheel in 2019!
- Software Crashes: A New Year's Resolution
- Video: De-DOSfuscation Example
- Matryoshka Phish
- Bitcoin "Blocklists"
- KringleCon 2018
- Password Protected ZIP with Maldoc
- De-DOSfuscation Example
- Yet Another DOSfuscation Sample
- Quickie: String Analysis is Still Useful
- Reader Malware Submission: MHT File Inside a ZIP File
- Word maldoc: yet another place to hide a command
- Video: Dissecting a CVE-2017-11882 Exploit
- Wireshark update 2.6.5 available
- Video: CyberChef: BASE64/XOR Recipe
- Dissecting a CVE-2017-11882 Exploit
- TriJklcj2HIUCheDES decryption failed?
- Windows Defender's Sandbox
- Maldoc Duplicating PowerShell Prior to Use
- Detecting Compressed RTF
- MSG Files: Compressed RTF
- CyberChef: BASE64/XOR Recipe
- Maldoc: Once More It's XOR
- YARA XOR Strings: Some Remarks
- YARA: XOR Strings
- Developing YARA Rules: a Practical Example
- Decoding Custom Substitution Encodings with translate.py
- When DOSfuscation Helps...
- Analyzing Encoded Shellcode with scdbg
- Suspicious DNS Requests ... Issued by a Firewall
- 20/20 malware vision
- User Agent String "$ua.tools.random()" ? :-) !
- "What is dikona or glirote3?"
- Video: Using scdbg to analyze shellcode
- Another quickie: Using scdbg to analyze shellcode
- "When was this machine infected?"
- Identifying numeric obfuscation
- Microsoft Publisher malware: static analysis
- OpenSSH user enumeration (CVE-2018-15473)
- Video: Peeking into msg files - revisited
- New Extortion Tricks: Now Including Your (Partial) Phone Number!
- A URL shortener handy for phishers
- Peeking into msg files - revisited
- Numeric obfuscation: another example
- Video: Maldoc analysis with standard Linux tools
- Dealing with numeric obfuscation in malicious scripts
- Malicious Word documents using DOSfuscation
- Analyzing MSG files
- Maldoc analysis with standard Linux tools
- BTC pickpockets are back
- Extracting BTC addresses from emails
- Video: Retrieving and processing JSON data (BTC example)
- Retrieving and processing JSON data (BTC example)
- dd progress indicator on OSX
- dd progress indicator on Linux
- XPS Metadata
- Progress indication for scripts on Windows
- Video: Analyzing XPS Files
- XPS samples
- Analyzing XPS files
- Guilty by association
- Encrypted Office Documents
- Quick analysis of malware created with NSIS
- DASAN GPON home routers exploits in-the-wild
- New IE 0-day in the wild
- A malicious word document with a VBA form - video
- A malicious word document with a VBA form
- Metasploit's Payload UUID
- Phishing PDFs with multiple links - Detection
- Phishing PDFs with multiple links - Animated GIF
- Phishing PDFs with multiple links
- "Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence."
- Wireshark and USB
- Retrieving malware over Tor on Windows
- Analyzing MSI files
- Finding VBA signatures in .docm files
- Analyzing compressed shellcode
- Finding VBA signatures in Word documents
- An autograph from the Dridex gang
- Analyzing an HTA file: Update
- Analyzing an HTA file
- Comment your Packet Captures - Extra!
- Is this a pentest?
- HTTPS on every port?
- Retrieving malware over Tor
- An RTF phish
- Decrypting malicious PDFs with the key
- Peeking into Excel files
- PDF documents & URLs: video
- What is new?
- Analyzing TNEF files
- Dealing with obfuscated RTF files
- PDF documents & URLs: update
- Encrypted PDFs
- Phish or scam? - Part 2
- Phish or scam? - Part 1
- Sometimes it's a dud
- BTC Pickpockets
- Metasploit's Maldoc
- Extracting the text from PDF documents
- PDF documents & URLs
- PE files and debug info
- Remember ACE files?
- It's in the signature.
- Peeking into .msg files
- A strange JPEG file
- It is a resume - Part 3
- Analyzing JPEG files
- Malware analysis output sanitization
- It is a resume - Part 2
- It is a resume - Part 1
- Malware analysis: searching for dots
- It's Not An Invoice ...
- Sometimes it's just SPAM
- The Good Phishing Email
- Maldoc Analysis with ViperMonkey
- Maldoc Submitted and Analyzed
- Static Analysis of Emotet Maldoc
- Another .lnk File
- Malicious .iso Attachments
- Office maldoc + .lnk
- Basic Office maldoc analysis
- Selecting domains with random names
- PE Section Name Descriptions
- Malware and XOR - Part 2
- Malware and XOR - Part 1
- Malicious Documents: A Bit Of News
- Password History: Insights Shared by a Reader
- Domain Whitelisting With Alexa and Umbrella Lists - update
- Domain Whitelisting With Alexa and Umbrella Lists
- Another example of maldoc string obfuscation, with extra bonus: UAC bypass
- CRA Maldoc Analysis
- py2exe Decompiling - Part 2
- py2exe Decompiling - Part 1
- Pinging All The Way
- Sleeping VBS Really Wants To Sleep
- Hancitor Maldoc Videos
- Extracting Shellcode From JavaScript
- Update: ZIP With Comment
- ZIP With Comment
- VBA Shellcode and Windows 10
- VBA Shellcode and EMET
- Hancitor Maldoc Bypasses Application Whitelisting
- Maldoc VBA Anti-Analysis: Video
- Analyzing Office Maldocs With Decoder.xls
- Maldoc VBA Anti-Analysis
- Radare2: rahash2
- VBA and P-code
- .PUB Analysis
- rtfdump
- rtfobj
- Malicious RTF Files
- Python Malware - Part 4
- Practice ntds.dit File
- Office Maldoc: Let's Focus on the VBA Macros Later...
- Python Malware - Part 3
- Python Malware - Part 2
- Python Malware - Part 1
- VBS + VBE
- Handling Malware Samples
- VBE: Encoded VBS Script
- Tip: Quick Analysis of Office Maldoc
- Locky: JavaScript Deobfuscation
- Obfuscated MIME Files
- Sigcheck and VirusTotal for Offline Machine
- BlackEnergy .XLS Dropper
- A Tip For The Analysis Of MIME Files
- Failure Is An Option
- Malfunctioning Malware
- Use The Privilege
- Maldoc Social Engineering Trick
- Ransomware & Entropy: Your Turn -> Solution
- Ransomware & Entropy: Your Turn
- Ransomware & Entropy
- Don't launch that file Adobe Reader!
- Test File: PDF With Embedded DOC Dropping EICAR
- PDF + maldoc1 = maldoc2
- Sigcheck and virustotal-search
- Searching Through the VirusTotal Database
- Sigcheck and VirusTotal
- Autoruns and VirusTotal
- Process Explorer and VirusTotal
- Jump List Files Are OLE Files
- Working with base64
- A .BUP File Is An OLE File
- Analyzing Quarantine Files
- The EICAR Test File
- Another Maldoc? I'm Afraid So...
- Wireshark TCP Flags: How To Install On Windows Video
- Malicious Word Document: This Time The Maldoc Is A MIME File
- A Malicious Word Document Inside a PDF Document
- Handling Special PDF Compression Methods
- Memory Forensics Of Network Devices
- The Kill Chain: Now With Pastebin
- Wireshark TCP Flags
- VMware Product Updates Address Critical Information Disclosure Issue In JRE
- SSH Fingerprints Are Important
- YARA Rules For Shellcode
- Malicious XML: Matryoshka Edition
- From PEiD To YARA
- Maldoc VBA Sandbox/Virtualization Detection
- XML: A New Vector For An Old Trick