Author: Charlie

Fell Deeds Awake

Malicious documents exploiting CVE-2017-11882 continue to be used by malicious actors, but it has been a few years since I took a deep dive into their mechanics. A quick spelunk through our dataset produces quite a few, but I wanted an RTF example with minimal RTF obfuscation and came across …

Continue Reading

While working on some wrapper scripts for dumping OLE VBA macros and attempting to deobfuscate them in search of downloader links, I came across an annoying, but not new, edge case – VBA macros using Excel cells to store additional code. In the past I used Philippe Lagadec’s excellent ViperMonkey

Continue Reading

While searching through our data for any samples of our current pandemic and threat actors’ favorite theme, I came across a rather interesting sample. The email and DOC are rather simple but consistent in theme and lacking the usual spelling and grammatical errors.

Continue Reading

All You Need Is Text

Recently I decided to go spelunking through our data in search of any rarities that we have collected. And today I will share some of these interesting specimens. None of these samples are truly unique and most of them are already well known and well documented, but this exercise can …

Continue Reading

Shotgun Wedding

An email caught my eye this morning. Not because of a unique social engineering theme or a new delivery technique, but because of the sheer number of attachments, a shotgun approach to malware delivery. There were 3 RTF files with spoofed .doc and docx.doc extensions, an ARJ archive containing an …

Continue Reading

Recently, I stumbled on an odd Agent Tesla sample that downloaded a paste from pastebin.com. This is not a normal TTP for most actors who license Agent Tesla for use in their malicious campaigns. And to make things more interesting, the paste was the hexadecimal representation of the binary and …

Continue Reading