InQuest Blog Articles Filed Under ""

You can view all blog posts filed under this tag.

InQuest Blog

Threat-hunting, malware, ransomware, vulnerability analysis and news from authors of InQuest.

Extracting "Sneaky" Excel XLM Macros

Posted on 2019-03-22 by aniakanlahiji

In this article, we dissect a sneaky malicious Microsoft Excel XLM file that we caught in the wild. To do so, we utilize a few open source as well as in-house tools to analyze the Excel document. During our analysis, we point out the limitations of a few popular file carving tools, such as foremost and scalpel, in extracting data from this and related samples.

threat-hunting deep-file-inspection malware-analysis yara open-source

An Introduction to Deep File Inspection

Posted on 2019-03-22 by amukherejee

Deep File Inspection, or DFI, is the reassembly of packets captured off of the wire into application level content that is then reconstructed, unraveled, and dissected (decompressed, decoded, decrypted, deobfuscated) in an automated fashion. This allows heuristic analysis to better determine the intent by analysis of the file contents (containers, objects, etc.) as an artifact.

vulnerability deep-file-inspection malware-analysis

Adobe Flash MediaPlayer DRM Use-After-Free Vulnerability

Posted on 2019-03-22 by pedram

On February 1st, Adobe published bulletin APSA18-01 for CVE-2018-4878 describing a use-after-free (UAF) vulnerability affecting Flash versions 28.0.0.137 and earlier. As of February 6th, Adobe has patched the issue in version 28.0.0.161, APSB18-03. This post provides an overview of the vulnerability, a walk-through of the exploit seen in the wild, and covers several detection mechanisms.

0day vulnerability exploit in-the-wild deep-file-inspection yara

Microsoft Office DDE SEC OMB Approval Lure

Posted on 2019-03-22 by pedram

In reviewing the results of our Microsoft Office DDE malware hunt, we came across an interesting lure posing as a Securities and Exchange Commission (SEC) Office of Management and Budget (OMB) approval letter. The sample utilizes some tricks to increase its chances of successful exploitation. We'll walk through the dissection of the components in this post.

threat-hunting deep-file-inspection malware-analysis

Microsoft Office DDE Macro-less Command Execution Vulnerability

Posted on 2019-03-22 by pedram

On October 9th 2017, SensePost researchers posted a technique demonstrating macro-less command execution in Microsoft Office documents through Dynamic Data Exchange (DDE). While variations of this technique are known, the post sheds light on the fact that Microsoft has no intent to address the matter, and that "exploit" creation is trivial. This post provides an overview of the vulnerability, provides a mitigation, covers sample hunting, and covers the dissection of a few interesting samples gathered during the week.

vulnerability threat-hunting deep-file-inspection malware-analysis yara
