Author: Charlie

Note to reader: If you are following along, you will need a VPN connection that supports a large list of geographic endpoints. I have found South American and Eastern Bloc countries are good choices for endpoints.

Many downloaders have a double-edged goal in mind – make it easy for the …

Down the Rabbit Hole

I regularly check each of our sandbox environments for reports with suspicious YARA rule hits and yet no IoCs or network traffic. If any of these reports are maldocs, then I attempt to deobfuscate them and discover whether a sandbox check resulted in the failure to detonate. During one of …

Connecting the Dots

While reviewing the backlog of blogs and news articles that always accumulate over the holidays, I stumbled across an interesting Dridex downloader sample discussed here. I had recently analyzed a similar sample, but the XLM macro was obfuscated and stored in a single cell in the spreadsheet. What piqued …

Time for another spelunking session. While scanning our data for any samples with detection hits but no sandbox detonation, I came across an XLS attachment from an Italian-language email.

Figure 1 – Original Email

It was flagged as containing VBA macros and a hidden XLM sheet, so let’s examine …

Fell Deeds Awake

Malicious documents exploiting CVE-2017-11882 continue to be used by malicious actors, but it has been a few years since I took a deep dive into their mechanics. A quick spelunk through our dataset produces quite a few, but I wanted an RTF example with minimal RTF obfuscation and came across …

While working on some wrapper scripts for dumping OLE VBA macros and attempting to deobfuscate them in search of downloader links, I came across an annoying, but not new, edge case – VBA macros using Excel cells to store additional code. In the past I used Philippe Lagadec’s excellent ViperMonkey

While searching through our data for any samples of our current pandemic and threat actors’ favorite theme, I came across a rather interesting sample. The email and DOC are rather simple but consistent in theme and lacking the usual spelling and grammatical errors.

All You Need Is Text

Recently I decided to go spelunking through our data in search of any rarities that we have collected. And today I will share some of these interesting specimens. None of these samples are truly unique and most of them are already well known and well documented, but this exercise can …
