Category Archives: Anti-virus

A deeper look at Equation Editor CVE-2017-11882 with encoded Shellcode

Our sample today comes from My Online Security @dvk01uk from this Twitter thread Here.  The First one I had started to work on comes from this Twitter thread  here from April 26 of 2019. The encoding on the shellcode uses … Continue reading

Posted in Malware, security | Tagged , , , | Leave a comment

A look at Stomped VBA code and the P-Code in a Word Document

This sample comes from a Twitter discussion here and a second part of the thread here on April 22 2019. This discussion was started by “My Online Security @dvk01uk “. Although it appears to have a vba file in it … Continue reading

Posted in Malware | Tagged , , | Leave a comment

A look at a bmp file with embedded shellcode

The sample today is from PaulM @melsonp While watching his BSIDES Augusta talk from 2018  Here,  at that the end he shows a picture file that gets downloaded from a layered PowerShell script. He was kind enough to send me … Continue reading

Posted in Malware, PowerShell, security | Tagged , , | Leave a comment

A deeper look into a wild VBA Macro

This Sample comes from Brad Duncan @malware_traffic from his SANS ICS Diary located Here and the Files on His blog Here. For this session I will be using “2019-01-23-example-of-attached-Word-doc-1-of-7” word document. I ended up looking at this from different directions … Continue reading

Posted in Malware, Programming, VBScript | Tagged , | Leave a comment

A Look under the hood of a batch encrypted file

The sample in question today is thanks to a Twitter thread by Nick Carr @ItsReallyNick and Daniel Bohannon @danielhbohannon of FireEye located Here about this builder being used to encode batch scripts. After downloading the sample from VirusBay @virusbay_io that … Continue reading

Posted in Malware, Programming, security | Tagged , , | Leave a comment

Understanding Invoke- “X” Special Character Encoding

I say Invoke- “X” because it can be found in both Invoke-Obfuscation and in Invoke-Dosfucation. We can find a reference to the encoding scheme in this Twitter thread Here where @danielhbohannon references the the blog post from 2010 by @mutaguchi … Continue reading

Posted in Malware, PowerShell, Programming, security | Tagged , | Leave a comment

What is in this file ?

The other day I was pinged about a very large .jason file that appeared to contain a large  Base 64 string that took up almost all of the file. There was a problem extracting the base64 string do to the … Continue reading

Posted in Malware, security | Tagged , | Leave a comment