We have released OIC-CERT Malware Trend report covering the period of January till June 2018. Please download the report using URL below: OIC CERT Malware Trend Report H1 2018 Reference: https://www.oic-cert.org/en/malwarereport.html
Forensic Challenge 2010/6 – Analyzing Malicious Portable Destructive Files is now live
Another challenge is ready to be tackled by forensic analysts, students, hackers and alike. This time, we present you with an attack vector that has become quite successful: malicious PDF files! For challenge 6 of our series (provided by Mahmud Ab Rahman and Ahmad Azizan Idris from the Malaysia Honeynet Project Chapter) we present you […]
Update for Gallus Nov 3, 2010
Here are some of the major changes in the recent Gallus: Improved extraction of malform PDF object structure Added CAPTCHA functionality within sample submission Integrate virustotal API as ‘two-factor verification’ of sample analysis Added support for Adobe LibTIFF exploit analysis and detection If you happen to come across with error/bugs while using Gallus, feel free […]
No endstream, no endobj, no worries
In analyzing malicious PDF documents, being able to understand the format of its object structure is definitely useful. In order to look for malicious content inside the file, we might need to go through some of the process that’ll include interpreting the PDF object structure. The PDF object is enclosed with “obj” and “endobj”. Between […]
Gallus, yet another PDF analyzer (alpha)
Introducing Gallus Gallus is a web-based malware detection service specifically to extract and analyze suspected malicious PDF documents. It is a free service designed to help security researchers and public to detect exploits and extract other useful information contained in PDF documents. How Gallus Works Gallus is designed to extract and analyze the malicious components […]
From Adobe Reader exploit to Foxit Reader exploit
Today, Gallus received a PDF sample submission with md5 hash 37b98d28762ceeaa5146e2e0fc0a3fdd. Marked as malicious, I was compelled to investigate further on this sample after looking at the potential malware URL produced by Gallus report. The PDF sample contains URLDownloadToFile payload that points to hxxp://77.x.y.Z/webmail/inc/web/load.php?stat=3DWindows. Traversing the URL at hxxp://77.x.y.Z/webmail/inc/web/, I managed to retrieve the HTML […]
PDF Stream Filters – Part 2
It is very interesting to study the obfuscation techniques used by the attackers in malicious PDF docs. As of my previous blog entry, one of the simplest, yet interesting obfuscation technique used is the cascading filtering. This basically means that the malicious JavaScript code is embedded below the multiple layers of encoded stream. In this […]
PDF Stream Filter – Part 1
One of the challenges in analyzing malicious PDF document is stream filtering. Malicious contents in PDF file are usually compressed with stream filtering thus making analysis a bit complicated. In a PDF document , stream object consists of stream dictionary, stream keyword, a sequence of bytes, and endstream keyword. A malicious content inside PDF file […]
Honeynet Project Annual workshop 2010
The Annual Honeynet Project workshop this year was held at Mexico City, Mexico. The workshop enables chapters from all over the globe to meet, discuss ideas, share experiences and develop our toolsets for data collection and analysis. It is an extremely valuable and unique event, where chapters from around 20 countries find the time to […]
Embedded Zbot trojan inside PDF file
We came across this new variant of malicious PDF that contains a ZBot infostealer Trojan. When a user open the PDF file, a pop up will ask the whether the user would like to save a file called Royal_Mail_Delivery_Notice.pdf. The unsuspecting user might assume that the file is just a PDF file, and therefore will […]
You must be logged in to post a comment.