Monday, November 7, 2016

QuickSand += structhash

We are pleased to announce version 2 of's structural hashing algorithm "structhash" which can be used to fingerprint the structure of an office document or RTF.

Typical weaponization of malware document's use a skeleton exploit doc as part of the exploit builder process. Usually this skeleton exploit document is specific to to the kit or group behind an attack campaign. The structural hash we've developed takes into account the different streams and any XOR or ROL encoding to build a campaign specific fingerprint. You can then search for the structhash to find additional samples likely related to your campaign.

Early 0 day usage usually follows this model with one group's zero day being outed and other groups replacing the original payload with their own - so the structhash can help find additional samples of a zero day for further analysis.

Despite changes in payloads the underlying core of a malicious document doesn't change that much, the structhash can allow you to track exploits from the same author or exploit kit and reduce your workload attributing samples to campaigns automatically.

Recent APT 28 / Sofacy group / Fancy Bear attacks used the CVE-2016-4117 exploit, looking at a known sample from Palo Alto's Unit 42 report on the "Dealer's Choice" campaign:

DealersChoice.B: SHA256:af9c1b97e03c0e89c5b09d6a7bd0ba7eb58a0e35908f5675f7889c0a8273ec81 structhash is gV9m3kqVr5qe7FY

We can then search for QuickSand structhash gV9m3kqVr5qe7FY:

We then find the second sample sha256: cc68ed96ef3a67b156565acbea2db8ed911b2b31132032f3ef37413f8e2772c5 which also has the structhash of gV9m3kqVr5qe7FY.

As you can see, the structhash can be a powerful tool to group maldocs by campaign. When you are viewing report, click the "root" stream to find the structhash and search for more samples from our sample set here.

Tuesday, September 20, 2016 In Depth - Part 2 The Reports Reports

Today we're going to dig deeper into the document malware analysis reporting, and how the analyst can dig deeper into the results and extracted executables.


The report header contains the information you'd expect - analysis time (for the submitted times you'll have to look at the submissions json page). File hashes. is_malware: 0 for clean, 1 for suspicious active content, 2 for exploits and embedded executables. Score - each yara rule for exploits or active content adds to the score. Runtime - it's fast. And the yara hits - exploits - CVE #, executables windows/mac/VB and whether a PE header is found, and general - the trojan signatures from Malware Tracker. Report Header


The streams section of the report is where you can did deeper into the content and cryptanalysis results. Clicking the headers expands the sections and the indentation shows the object relationships. Grey title are less interesting, red have exploits, and brown have executables.

The distribution item in the root can be very useful. The X's indicate the part of the file where an embedded executable exists. 0 is for null sections, F is for FF sections, 1 is for high entropy areas, and A is for ascii sections such as most of an RTF file.

We are also working on a structural hash structhash of the file which can help find samples from the same attacker or exploit kit. Streams section

DOCX Files

For docx files you'll see the hierarchy of files within the zip,  and embedded OLE files or high entropy data is analyzed for embedded executables as well.

Macros and No Embedded exe's

A lot of the new macro malware won't have an embedded exe, using the distribution results below, we   can see the file is mostly null blocks "0" and does not have enough entropy to have a built in EXE.


The XOR section shows the xorkey for cryptanalysis found keys, or xortkey for a key dictionary result.

XOR block


The Rol section shows the bitwise rol used. You can click the sha256 link for a hex dump of the section, and click (str) for the extracted strings. 

Rol/Ror block

Dropped Files

The dropped files section is similar, click the number (1) to see the hexdump and (str) to see the strings. The strings section can help to get a quick ID of the trojan or find some unique strings for a quick Yara rule.

Tip: hex dumps can be converted back to files: # xxd -r webhexdump.txt > malware.virus

dropped file hex dump

dropped file extracted strings


The bottom of the page has links to a JSON version of the report and a JSON of the submissions (date, original filenames).

Thursday, September 8, 2016 in depth

In addition to our Cryptam tool. We created, a fast C document forensics tool which can conduct cryptanalysis attacks on some XOR ciphers. QuickSand is a CLI, a C Library, and can be wrapped in a web interface.

QuickSand has a lot more user-customizable attack options for special cases while keeping the default analysis as fast as possible.


Known exploits are scanned used embedded Yara, document streams are decoded - hex, base 64, zip, gzip. We don't handle PDF streams - you'll still need for that.

Finding Embedded exe's

XOR+Rol from 20-10 bytes are found instantly with the default cryptanalysis attack.

Optional attacks

XOR Lookahead - where the current byte is xored with the following byte.
Math ciphers - +1 to +255 (equivalent to -1 to -255).
Bitwise not
Brute force 1 byte xor - for when null space is not replaced.
Odd XOR lengths

Example odd xor length:

This sample contains an exe obfuscated with a 21 byte XOR key:
./quicksand.out malware/112c64f7c07a959a1cbff6621850a4ad-2.virus -s 21 -e 50000
 -0> root {3}

  -1> xor {3}

More to follow.

Thursday, July 14, 2016

Document Malware XOR distribution or dial M for Malware

We took a sampling of 5448 recent malware documents with an XOR encoded executable detected by Cryptam. Normally we spend most our time looking at APT samples with 256 byte keys, so the recent results which include quite a bit more crimeware lately were surprising.

26% of samples where encoded with the 1 byte key 0x77, followed by 11.6% 0xFD, and 6.5% 0x6A. In total 59% of samples had a one byte key.
We tried to look into the significance of this high a rate of 0x77. In ASCII, 0x77 translates to a lowercase 'w'. 7 is the country code for Russia, and decimal 77 would be an M in ASCII. According to Wikipedia, during World War II in Sweden at the border with Norway, "77" was used as a password, because the tricky pronunciation in Swedish made it easy to instantly discern whether the speaker was native Swedish, Norwegian, or German.
7.6% of samples were encoded with variants of 0xCAFEBABE, 0xBAFECABE, and 0xFECABEBA. 10% of samples were 4 byte keys.
Only 21% were 256 byte keys. Of those, 42% are an incrementing pattern 000102030405... And 16% are the opposite decreasing pattern FFFEFDFCFB...

As always, you can submit your suspicious documents for analysis with Cryptam here.

Monday, March 9, 2015

0 Detection PDF with external link to malware EXE

This morning Malware Domain List tweeted a 0/57 detection malware PDF which was/is not detected as malware by any AV product on

The PDF has the following attributes:

Original filename: 2015-03-05Label.pdf
Size: 96697 bytes
md5: 0323382619193827959ee85631f6043d
sha1: f64e86177b5b5f8db8a78c346e2a165423b4a427
sha256: bc415d1f0c8d8af1b02008f03788de7e073650893eec01296c537346b42f7244
ssdeep: 1536:s3Orf9OoEPqFlpcTVrGxokqE/3wrqx8TnWOgQSawAgl4a+E7zQGBEkc4ryH:serf9nEUpOJGmTE/BaLJ4qE7EGbmH
content/type: PDF document, version 1.5

Loading the PDF into PDFExaminer does detect an exploit, which is actually more of a "feature" of PDF to link to external content, however, linking to a remote EXE is always bad and probably should be detected in the PDF:

Drilling down to the malicious object in PDFExaminer reveals an external hyperlink to an remote executable:

Now opening the PDF reveals how a user could be exploited, but they still need to click a malicious link to download and execute the malware. So while AV may not protect you from this attack vector initially, about half the AV products tested will detect the downloaded remote executable. User education to avoid clicking suspicious links is a key defence here.

The PDF contents:

AV detection for the remote executable linked to from this PDF is 25/57:

And finally, you can use PDFExaminer for free, online to detect this and other potential threats in PDF documents.

Thursday, March 5, 2015

Return of the Mime MSO, now with Macros

Didier Stevens at Sans ISC reported a new Mime MSO XML variant used in Dridex attacks which embeds a compressed OLE document (ActiveMime), with VBA auto open macros, within a Mime MSO XML document. Previously we've only seen CVE-2012-0158 delivered in Mime MSO (of which we've previously blogged).

Cryptam our document malware analysis tool has been updated to process the base64 stream and uncompress the ActiveMime data. We anticipate this attack vector to be adapted to APT type attacks as well. In addition to VBA macros, the MSO XML specs also allow for a OLE document to be embedded as well (we also now handle this type of embedding with Cryptam). The specs also allow some flexibility in the XML to be coded as Attributes or Elements. Sample report.

The following Yara signatures will detect Mime MSO XML files and some of the newly found obfuscation techniques:

rule mime_mso
    comment = "mime mso detection"
    author = " @mwtracker"
$a and $b or $c

rule mime_mso_embedded_SuppData
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = " @mwtracker"
    date = "Mar 5 2015"

    $a = "docSuppData"
    $b = "binData"
    $c = ""

    all of them

rule mime_mso_embedded_ole
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = " @mwtracker"
    date = "Mar 5 2015"

    $a = "docOleData"
    $b = "binData"
    $c = ""

    all of them

rule mime_mso_vba_macros
    comment = "mime mso office obfuscation"
    hash = "77739ab6c20e9dfbeffa3e2e6960e156"
    author = " @mwtracker"
    date = "Mar 5 2015"

    $a = "macrosPresent=\"yes\""
    $b = ""

    all of them

Tuesday, December 23, 2014

Merry Christmas From Malware Tracker or "Christmas Card For You.doc"

Merry Christmas and happy holidays from all of us.

And your obligatory MS12-060 malware Christmas Card:

Christmas Card For You.doc
MD5 0dbe90b1dca29e2daf28ff789b3d43d3
SHA-1 71999500915dff038dc2d39facecbfbb5a907f96
SHA-256 093e394933c4545ba7019f511961b9a5ab91156cf791f45de074acad03d1a44a
Dropper imphash: 18ddf28a71089acdbab5038f58044c0a
C2 IP:
Possibly related domains: (resolves to same IP

rule malware_kis
date = "December 22, 2014"
desc = "Christmas Card for you malware"
ref = ""
MD5 = "0dbe90b1dca29e2daf28ff789b3d43d3"
author = "@mwtracker"
$s1 = "\\kis(by XC)\\MYDLL\\Release\\MYDLL.pdb"

all of them

You can view our automated Cryptam report on this sample as well as the extracted dropper's strings in Cryptam.