Thursday, May 11, 2017

EPS obfuscation for MS Office exploits

We took a deeper look into a recent FireEye blog post on 2 new EPS exploits used while zero-day by the APT 28 / Turla group.  Both exploits have been patched. One of the samples used an interesting EPS based obfuscation technique to avoid detection. By using a 4 byte xor within native Postscript commands the exploit code can be obfuscated and decoded in memory at run time defeating static analysis.

CVE-2017-0262 Sample Report

The obfuscation

The PostScript code starts with a xor loop using key 0xC45D6491 using only built-in PostScript functionality

Using our Cryptam multi tool, we'll decode the EPS block manually:

$ php cryptam_multi.php eps.test -xor c45d6491
using XOR key c45d6491

$ ./quicksand.out eps.test.out
 -0> root {7}
  qstime:2017:05:11 14:08:48

Deobfuscated PostScript

We've added a new PostScript XOR obfuscation warning_EPS_xor_exec Yara signature to our QuickSand_Lite project our GitHub.


CVE-2017-0262 Sample [Report]
Filename Confirmation_letter.docx.bin
Size 251036 bytes
MD5 2abe3cc4bff46455a945d56c27e9fb45
SHA1 0bd354d1eea9e4864f4c17e6c22bfdb81d88ddee
SHA256 6785e29698444243677300db6a0c519909ae9e620d575e76d9be4862b33ed490

CVE-2017-0261 Sample [Report] (obfuscated)
Filename Trump's_Attack_on_Syria_English.docx
Size 268950 bytes
MD5 f8e92d8b5488ea76c40601c8f1a08790
SHA1 d5235d136cfcadbef431eea7253d80bde414db9d
SHA256 91acb0d56771af0196e34ac95194b3d0bf3200bc5f6208caf3a91286958876f9

Monday, April 10, 2017

Office 0day goes mainstream

CVE-2017-0199 MS Office Exploit

On Friday April 7, 2017, McAfee posted that a new Office zero day affecting even the most recent versions of Windows and Office was found in the wild, FireEye released a blog post the next day confirming the zero day.

Using details from the 2 posts we were able to find 5 samples from the targeted attacks which use the "htmlfile" class ID 25336920-03f9-11cf-8fd0-00AA00686f13 to load remote content with trusted permissions.   The remote content which appears to be a RTF file with an embedded HTML-style [script language="VBScript"] exploit to download and run a remote executable using powershell.

More concerning, is the emergence of a mass-emailed campaign today (April 10, 2017). Malware Tracker discovered a large campaign using the exploit and common "Scan Data" themed emails. The emails contain a randomly named nnnnnnnn[1].doc rtf file which uses the zero day exploit in a barely modified form. We have observed 2 samples - a .doc, and a .pdf version which is still a rtf file sent to dozens of users in Australia and the US.

Microsoft previously advised that this htmlfile Class ID was high risk and how to disable it. and both detect this exploit and are free to use. malware sample of CVE-2017-0199.

Update: Microsoft has patched this exploit.

Wednesday, December 14, 2016 Open Source version released

Today we are officially launching an open source licensed version of - a C command line tool to scan document streams with Yara signatures for exploits and active content as well as Cryptanalysis attacks on XOR obfuscation. Dubbed QuickSand_Lite, this version initially does not include the full Cryptanalysis module, the brute force single byte XOR, or the XOR Look Ahead algorithm.

Github Repo

In addition to the code, we are also including Yara signatures for active content, executables, some CVE exploit identification as well as a selection of general document-related Yara signatures. We've enhanced our Yara signatures with a numeric score which is used to calculate the overall badness score of a sample. Generally 1-10 are active content such as macros, 10+ are exploits or shell commands executed via the active content.

Exploit and Active Content Detection

  • Word
  • Excel
  • Powerpoint
  • RTF
  • Mime MSO xml
  • Emails

XOR + ROL/ROR/NOT/ADD/SUB Embedded Executable Detection

  • Word
  • Excel
  • Powerpoint
  • RTF
  • Mime MSO xml
  • Emails
  • PDF
  • TCP Streams data
  • Any non-executable file which may contain an XOR obfuscated exe

Executable Detection Target OS

  • Windows
  • Mac
  • Linux
  • VBS

XOR DB Cryptanalysis Attack

The XOR-DB functionality uses a dictionary of common XOR keys up to 256 bytes long - ascending, descending, algorithmic, cafebabe variants.

Web version

Our site runs the full version with up to the minute exploit signatures and additional trojan signatures.


Yara 3+ (searching via libyara)
zlib (deflate/uncompress)
libzip (unzip)

OS Compatibility

Designed for Linux and Mac command line. Windows is untested and not recommended for safe malware handling.

Download quicksand_lite Package

Install Script - Dependencies for Mac/Linux


cd quicksand_lite-1.01.001
chmod 777 ./

Coming soon

  • Python integration
  • More exploit and trojan signatures

Full Version and Commercial Licensing



mac:quicksand_lite tylabs$ ./ 

[sample with active content and shell execution]
mac:quicksand_lite tylabs$ ./quicksand.out AELM\ Entertainment\ budget\ and\ Attendance\ allowance.xls 
 -0> root {9}
  qstime:2016:12:14 17:52:32

[sample with 4 byte xor key]
mac:quicksand_lite tylabs$ ./quicksand.out cafebafe.rtf 
 -0> root {6}
  qstime:2016:12:14 17:52:50

  -1> xor {3}

[sample with 256 byte xor key + rol 5]
mac:quicksand_lite tylabs$ ./quicksand.out test2.doc 
 -0> root {7}
  qstime:2016:12:14 17:53:14

  -1> xor {2}

   -2> rol {2}

mac:quicksand_lite tylabs$ 

Tuesday, December 13, 2016

Understanding our online toolkit for phishing document/PDF forensics

Our 3 main online tools for forensic analysis of documents and PDFs are PDFExaminer, Cryptam and


Use PDFExaminer to decode or decrypt all the streams in a suspect PDF, and look for known exploits or active content such as JavaScript or Flash.


PDFExaminer will return a score of over 0 and under 10 for active content, don't trust a PDF with Active Content from emails. Some complicated forms like Passport applications will have a lot of Javascript but are safe. PDFExaminer allows an experienced analyst to drill down to view the actual Javascript. A score over 10 with a CVE-201XX-XXXX exploit ID are definitely bad, don't open those at all. See below "Cryptam and for all non-executable files" for more analysis you can do on a PDF to find obfuscated embedded executables.

Cryptam and for documents

Both  Cryptam and will parse all the various streams that can occur within an Office document such as Word, PowerPoint or Excel plus interchange formats such as RTF and mime MSO xml.


Scores of over 0 but under 10 indicate active content such as Macros or ActiveX controls- again don't trust active content from unknown sources or in emails. Scores over 10 usually mean a Macro executes a shell command or a CVE-20XX-XXXX known exploit was found.

Cryptam and for all non-executable files 

For non-executable files - documents, PDFs, images, TCP streams - Cryptam or attempt to find obfuscated embedded execuables - Windows, Mac, Linux binaries or VBS scripts. Both tools attack the XOR and ROL/ROR/NOT obfuscation using different cryptanalysis techniques and may get different results. Generally, the final results should be very similar between the two tools - if you do find a sample which returns different or no results in one tool but a positive malware in the other, please let us know.


For PDFs and non - documents, Cryptam and will only report if an embedded executable was found - a score of 0 on a PDF only means no executable was found - you'll still need to check the PDFExaminer results for PDF specific exploits. For Office documents, a score of 0 means no known exploits or embedded executables were found.

Errors and Feedback

Contact us if our tools may have missed something and you think a sample is bad, or if we detected something as bad that's actually safe.

Coming Soon to a Command Line Near You

A portable C command line version of, for free, with no web or internet dependencies.
We'll tell you where to find it on GitHub and how it differs from the full commercial version in the next post. Crack some of those pesky 256 byte XOR keys without uploading your secret stash of APT malware samples to us.

Monday, November 7, 2016

QuickSand += structhash

We are pleased to announce version 2 of's structural hashing algorithm "structhash" which can be used to fingerprint the structure of an office document or RTF.

Typical weaponization of malware document's use a skeleton exploit doc as part of the exploit builder process. Usually this skeleton exploit document is specific to to the kit or group behind an attack campaign. The structural hash we've developed takes into account the different streams and any XOR or ROL encoding to build a campaign specific fingerprint. You can then search for the structhash to find additional samples likely related to your campaign.

Early 0 day usage usually follows this model with one group's zero day being outed and other groups replacing the original payload with their own - so the structhash can help find additional samples of a zero day for further analysis.

Despite changes in payloads the underlying core of a malicious document doesn't change that much, the structhash can allow you to track exploits from the same author or exploit kit and reduce your workload attributing samples to campaigns automatically.

Recent APT 28 / Sofacy group / Fancy Bear attacks used the CVE-2016-4117 exploit, looking at a known sample from Palo Alto's Unit 42 report on the "Dealer's Choice" campaign:

DealersChoice.B: SHA256:af9c1b97e03c0e89c5b09d6a7bd0ba7eb58a0e35908f5675f7889c0a8273ec81 structhash is gV9m3kqVr5qe7FY

We can then search for QuickSand structhash gV9m3kqVr5qe7FY:

We then find the second sample sha256: cc68ed96ef3a67b156565acbea2db8ed911b2b31132032f3ef37413f8e2772c5 which also has the structhash of gV9m3kqVr5qe7FY.

As you can see, the structhash can be a powerful tool to group maldocs by campaign. When you are viewing report, click the "root" stream to find the structhash and search for more samples from our sample set here.

Tuesday, September 20, 2016 In Depth - Part 2 The Reports Reports

Today we're going to dig deeper into the document malware analysis reporting, and how the analyst can dig deeper into the results and extracted executables.


The report header contains the information you'd expect - analysis time (for the submitted times you'll have to look at the submissions json page). File hashes. is_malware: 0 for clean, 1 for suspicious active content, 2 for exploits and embedded executables. Score - each yara rule for exploits or active content adds to the score. Runtime - it's fast. And the yara hits - exploits - CVE #, executables windows/mac/VB and whether a PE header is found, and general - the trojan signatures from Malware Tracker. Report Header


The streams section of the report is where you can did deeper into the content and cryptanalysis results. Clicking the headers expands the sections and the indentation shows the object relationships. Grey title are less interesting, red have exploits, and brown have executables.

The distribution item in the root can be very useful. The X's indicate the part of the file where an embedded executable exists. 0 is for null sections, F is for FF sections, 1 is for high entropy areas, and A is for ascii sections such as most of an RTF file.

We are also working on a structural hash structhash of the file which can help find samples from the same attacker or exploit kit. Streams section

DOCX Files

For docx files you'll see the hierarchy of files within the zip,  and embedded OLE files or high entropy data is analyzed for embedded executables as well.

Macros and No Embedded exe's

A lot of the new macro malware won't have an embedded exe, using the distribution results below, we   can see the file is mostly null blocks "0" and does not have enough entropy to have a built in EXE.


The XOR section shows the xorkey for cryptanalysis found keys, or xortkey for a key dictionary result.

XOR block


The Rol section shows the bitwise rol used. You can click the sha256 link for a hex dump of the section, and click (str) for the extracted strings. 

Rol/Ror block

Dropped Files

The dropped files section is similar, click the number (1) to see the hexdump and (str) to see the strings. The strings section can help to get a quick ID of the trojan or find some unique strings for a quick Yara rule.

Tip: hex dumps can be converted back to files: # xxd -r webhexdump.txt > malware.virus

dropped file hex dump

dropped file extracted strings


The bottom of the page has links to a JSON version of the report and a JSON of the submissions (date, original filenames).

Thursday, September 8, 2016 in depth

In addition to our Cryptam tool. We created, a fast C document forensics tool which can conduct cryptanalysis attacks on some XOR ciphers. QuickSand is a CLI, a C Library, and can be wrapped in a web interface.

QuickSand has a lot more user-customizable attack options for special cases while keeping the default analysis as fast as possible.


Known exploits are scanned used embedded Yara, document streams are decoded - hex, base 64, zip, gzip. We don't handle PDF streams - you'll still need for that.

Finding Embedded exe's

XOR+Rol from 20-10 bytes are found instantly with the default cryptanalysis attack.

Optional attacks

XOR Lookahead - where the current byte is xored with the following byte.
Math ciphers - +1 to +255 (equivalent to -1 to -255).
Bitwise not
Brute force 1 byte xor - for when null space is not replaced.
Odd XOR lengths

Example odd xor length:

This sample contains an exe obfuscated with a 21 byte XOR key:
./quicksand.out malware/112c64f7c07a959a1cbff6621850a4ad-2.virus -s 21 -e 50000
 -0> root {3}

  -1> xor {3}

More to follow.