Cryptam and QuickSand.io for documents
Cryptam and QuickSand.io will parse all the various streams that can occur within an Office document such as Word, PowerPoint or Excel, plus interchange formats such as RTF and MIME MSO XML.
Results
Scores of over 0 but under 10 indicate active content such as Macros or ActiveX controls. Again, don't trust active content from unknown sources or in emails. Scores over 10 usually mean a Macro executes a shell command or a known CVE-20XX-XXXX exploit was found.
Cryptam and QuickSand.io for all non-executable files
For non-executable files (documents, PDFs, images, TCP streams), Cryptam or QuickSand.io attempt to find obfuscated embedded executables: Windows, Mac or Linux binaries, or VBS scripts. Both tools attack the XOR and ROL/ROR/NOT obfuscation using different cryptanalysis techniques and may get different results. Generally, the final results should be very similar between the two tools; if you do find a sample which returns different or no results in one tool but a positive malware detection in the other, please let us know.
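As an added illustration of the kind of cryptanalysis described above (this is example code, not Cryptam's or QuickSand.io's implementation), the following known-plaintext detector looks for the DOS stub string every PE file carries, undoes each possible ROL/ROR rotation, and recovers a repeating XOR key from the residue; the sample "documents" it scans are constructed inline. With a 38-byte known plaintext it can only confirm keys up to about half that length, so longer keys need more known plaintext.

```python
KNOWN = b"This program cannot be run in DOS mode"  # DOS stub found in nearly every PE

def rol8(b, n):
    """Rotate one byte left by n bits (ROR r is the same as ROL 8-r)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF

def period(stream):
    """Smallest p <= len/2 with stream[i] == stream[i+p] for all i, else None."""
    for p in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i + p] for i in range(len(stream) - p)):
            return p
    return None

def find_obfuscated_pe(data, max_key=16):
    """Return [(offset, transform, key)] for every plausible hidden PE.
    Each candidate rotation is undone first, then the blob is XORed against
    KNOWN at every offset: if the stub really is there under a repeating-key
    XOR, the result is the key stream itself, so a hit is an offset whose
    derived stream repeats with period <= max_key. NOT is XOR 0xFF, so it
    shows up as the one-byte key b"\\xff"; key b"\\x00" means no XOR at all.
    The key is reported in the phase that applies at `offset`."""
    hits = []
    variants = {"none": data}
    for r in range(1, 8):
        variants[f"rol{r}"] = bytes(rol8(b, 8 - r) for b in data)  # undo ROL r
    for name, buf in variants.items():
        for off in range(len(buf) - len(KNOWN) + 1):
            stream = bytes(c ^ p for c, p in zip(buf[off:], KNOWN))
            p = period(stream)
            if p is not None and p <= max_key:
                hits.append((off, name, stream[:p]))
    return hits

def xor_with(buf, key):
    """Repeating-key XOR; used here only to build the constructed samples."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))

# Constructed samples (not real malware): a minimal fake PE prefix inside an
# RTF-looking wrapper, once under a 5-byte XOR key and once under ROL 3.
FAKE_PE = b"MZ" + bytes(62) + b"\x0e\x1f\xba\x0e" + KNOWN + b".\r\r\n$" + b"PE\x00\x00"
KEY = b"\x13\x37\xa5\x5a\x0f"
DOC_XOR = b"{\\rtf1 constructed }" + xor_with(FAKE_PE, KEY) + bytes(8)
DOC_ROL = b"{\\rtf1 constructed }" + bytes(rol8(b, 3) for b in FAKE_PE) + bytes(8)

if __name__ == "__main__":
    print(find_obfuscated_pe(DOC_XOR))  # offset 88, 'none', key 5a 0f 13 37 a5
    print(find_obfuscated_pe(DOC_ROL))  # offset 88, 'rol3', key 00 (no XOR)
```

The recovered key for DOC_XOR is a rotation of KEY because the stub sits at index 68 of the fake PE, three bytes into a key period.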
Results
For PDFs and non-documents, Cryptam and QuickSand.io will only report if an embedded executable was found. A score of 0 on a PDF only means no executable was found; you'll still need to check the PDFExaminer results for PDF-specific exploits. For Office documents, a score of 0 means no known exploits or embedded executables were found.
Errors and Feedback
Contact us if our tools may have missed something and you think a sample is bad, or if we detected something as bad that's actually safe.
Coming Soon to a Command Line Near You
A portable C command line version of QuickSand.io, for free, with no web or internet dependencies.
We'll tell you where to find it on GitHub and how it differs from the full commercial version in the next post. Crack some of those pesky 256-byte XOR keys without uploading your secret stash of APT malware samples to us.