deep-file-inspection

March 2021

What we all need now and again is some exciting news, and since we have some, we wanted to make an article to share it! Earlier this month, our friends at Abuse.ch officially announced in a tweet that their MalwareBazaar project has integrated with InQuest’s Deep File Inspection (DFI) analysis stack.
At InQuest, we're fanatical about malware analysis and ingest real-world samples at-scale, dissecting millions of files daily. We leverage a combination of our Deep File Inspection (DFI™) analysis engine and a proprietary machine-learning apparatus to distill a daily volume of millions of samples down to a harvest consisting of dozens of "interesting" samples.

February 2021

The staff at InQuest have been busy running a variety of different research experiments in the realm of bleeding-edge maldoc discovery to ensure the efficacy of detection for our customers and generate threat intelligence. One such experiment is our Twitter bot that tweets about malicious stage-2 RTFs referenced from documents found within the InQuest Labs Corpus. Another additional research project includes the mass curation and password cracking attempts of encrypted files.

August 2020

Two common approaches are commonly used to help fulfill the requirement for protecting the security of an organization. Defense in depth describes the layered, redundant approach to cover a variety of attack vectors. Detection in depth describes the multiple detection points within an attack chain. In an effort to throw everything and the kitchen sink at the problems associated with cyber defense, InQuest has incorporated Detection in-depth methodologies alongside our intelligent orchestration in order to help Prevent, Detect, and Hunt the cyber-threats impacting our modern world.
A while back we had an interesting alert generated from one of the InQuest DFI sensors that were initially very suspicious, but proved to be entertaining and still questionable regarding the true purpose of the activity. My initial suspicion was driven to an event highlighting an Image with an Embedded executable.

July 2020

While we come across fresh and evasive document carriers on a regular basis, it's not every day we see one with great polish. On July 20th we broke down the individual components of a malicious Office document and drove some collaboration within the Twitter Thread.

May 2020

Beyond the capability of identifying, extracting, and exposing malicious content from hundreds of file types. InQuest Deep File Inspection (DFI) utilizes machine vision and optical character recognition (OCR) to identify the social engineering component of a variety of malware lures. This is one of the myriads of techniques that we employ to detect novel malware that may leverage previous unseen pivots.
In this blog, we dissect a novel and stealthy Excel Macrosheet fueled malware campaign that currently bypasses most protection stacks to deliver ZLoader to its victims. We trace the earliest appearance to Monday, May 4th (Star Wars Day), and continue to actively track this evolving campaign.

April 2020

Whether it’s intellectual property, proprietary code, personal data, or financial information, the goal of information security is to protect those assets. However, data-breaches have become common-place and resulted in an average cost of $3.92 M in 2019 per Digital Guardian.

March 2020

In this post, we provide a detailed analysis of an interesting Excel 4.0 XLM macrosheet maldoc distribution campaign that is tied to a variety of executable payloads, a subject matter we'll be covering in a future blog. As of the time of writing, detection rates for this class of attack are relatively low, and these samples happily bypass the internal GSuite and O365 protection mechanisms.

December 2019

No one wants to get coal in their stocking, but it does happen. Unfortunately, your stocking is a computer, and bad guys are delivering the coal in the form of Ransomware.

November 2019

Field notes pertaining to a low detection (5/60) malicious document that leverages a macro+form to pivot to VBE in serb.xml from jplymell[.]com. The lure then pivots to smartapp.jpg, a PE32 executable from the same source. An executable with much better detection than the carrier which delivered it (17/69).

September 2019

Introduction In this blog, we discuss Adobe Extensible Metadata Platform (XMP) identifiers (IDs) and how they can be used as both pivot and detection anchors. Defined as a standard for mapping graphical asset relationships, XMP allows for tracking of both parent-child relationships and individual revisions. There are three categories of identifiers: original document, document, and instance.

August 2019

InQuest has just released a new analysis suite for the researcher and hobbyist. Welcome to InQuest Labs! Our CTO, Pedram Amini, presented Worm Charming: Harvesting Malware Lures for Fun and Profit at Blackhat USA 2019. During this talk, Pedram detailed the harvesting mechanism that drives the DFI portion of InQuest Labs. Capable of ingesting malware at scale, samples are fed through a lightweight and less featured version of Deep File Inspection to extract embedded logic, semantic content, metadata, and IOCs such as URLs, domains, IPs, e-mails, and file names.

January 2019

In this article, we dissect a sneaky malicious Microsoft Excel XLM file that we caught in the wild. To do so, we utilize a few open source as well as in-house tools to analyze the Excel document. During our analysis, we point out the limitations of a few popular file carving tools, such as foremost and scalpel, in extracting data from this and related samples.

February 2018

On February 1st, Adobe published bulletin APSA18-01 for CVE-2018-4878 describing a use-after-free (UAF) vulnerability affecting Flash versions 28.0.0.137 and earlier. As of February 6th, Adobe has patched the issue in version 28.0.0.161, APSB18-03. This post provides an overview of the vulnerability, a walk-through of the exploit seen in the wild, and covers several detection mechanisms.

January 2018

InQuest provides an on-premises network-focused security solution deployed at many high-volume, mission critical environments, including DISA’s Joint Regional Security Stack (JRSS)1. JRSS comprises a regional network security architecture subset for the Joint Information Environment (JIE), administered by DISA 2.

October 2017

In reviewing the results of our Microsoft Office DDE malware hunt, we came across an interesting lure posing as an Securities and Exchange Commission (SEC) Office of Management and Budget (OMB) approval letter. The sample utilizes some tricks to increase chances of successful exploitation. We'll walk through the dissection of the components in this post.
On October 9th 2017, SensePost researchers posted a technique demonstrating macro-less command execution in Microsoft Office documents through Dynamic Data Exchange (DDE). While variations of this technique are known, the post sheds light on the fact that Microsoft has no intent to address the matter, and that "exploit" creation is trivial. This post provides an overview of the vulnerability, provides a mitigation, covers sample hunting, and covers the dissection of a few interesting samples gathered during the week.