Skip to main content

Posts

QuickSand 2

The 2020 CSO Online survey revealed that 94% of malware is still delivered via email. We decided to refresh QuickSand.io into an all in one tool for analyzing both documents and PDFs for malware. Over the last few years the state of document and PDF malware has shifted dramatically from exploits to active content, exploiting the features of Office and PDF documents to deliver malware.


The web version of QuickSand.io is a simplified result to determine if the analyzed document has active content, high risk active content, or a potential exploit. We do recommend blocking active content from external email as much as possible.

Get StartedOn any page on https://quicksand.io click the `Choose File` button under the logo on the left, then select the file to scan. Click `Scan Document or PDF` to start the analysis. Javascript is required to upload the file.
LimitsFilesize: 10MB. Documents over 10MB (max 28s of processing) or PDFs over 5MB (max 18s of processing) may timeout on the online versio…
Recent posts

QuickSand.io version 2.0.1 major release

Check out our new version of QuickSand.io. Now supports PDF and documents (Office OLE/OpenOffice and RTF) all in a single tool.


We now use a risk description to define the risk from each document. Generally documents or PDFs will have either active content like macros or scripts, or contain an exploit.

Signature Dev using QuickSand.io for RTF zero day CVE-2017-8759

After reading the FireEye blog on CVE-2017-8759 we decided to quickly write a signature for the new (though not yet widely used, and now patched) zero day. We decided to use QuickSand.io, naturally.

First we searched for the FireEye reported hash fe5c4d6bb78e170abf5cf3741868ea4c in QuickSand.io.

The first hex block looks interesting:
Clicking the sha256 link brings up the hex view, it's a OLE document embedded in the RTF. We can see a wsdl link and the highlighted hex turns out to be part of the class id, rendered as c7b0abec-197f-d211-978e-0000f8757e2a. Reversing the first three block's byte order comes out to the SoapMoniker class ID ECABB0C7-7F19-11D2-978E-0000F8757E2A

This handy list reveals the SoapMoniker class:


After some testing, we pushed out a CVE-2017-8759 signature to QuickSand.io and the free open source version.

EPS obfuscation for MS Office exploits

We took a deeper look into a recent FireEye blog post on 2 new EPS exploits used while zero-day by the APT 28 / Turla group.  Both exploits have been patched. One of the samples used an interesting EPS based obfuscation technique to avoid detection. By using a 4 byte xor within native Postscript commands the exploit code can be obfuscated and decoded in memory at run time defeating static analysis.

CVE-2017-0262 Sample






QuickSand.io Report

The obfuscation The PostScript code starts with a xor loop using key 0xC45D6491 using only built-in PostScript functionality


Using our Cryptam multi tool, we'll decode the EPS block manually:
$ php cryptam_multi.php eps.test -xor c45d6491 using XOR key c45d6491

$ ./quicksand.out eps.test.out  -0> root {7}   md5:237e6dcbc6af50ef5f5211818522c463   sha1:228c21dff49376c0946fe2bbe21448bbdbfcf13a   sha256:385655e10c8a7718bb50e969979cf4f08a2380f67827ce01d05874c49b3a5c13   head:7b202f48656c7665   size:347320   yara:exploits:exploit_cve_2017_0262   yara:executable…

Office 0day goes mainstream

CVE-2017-0199 MS Office Exploit

On Friday April 7, 2017, McAfee posted that a new Office zero day affecting even the most recent versions of Windows and Office was found in the wild, FireEye released a blog post the next day confirming the zero day.

Using details from the 2 posts we were able to find 5 samples from the targeted attacks which use the "htmlfile" class ID 25336920-03f9-11cf-8fd0-00AA00686f13 to load remote content with trusted permissions.   The remote content which appears to be a RTF file with an embedded HTML-style [script language="VBScript"] exploit to download and run a remote executable using powershell.

More concerning, is the emergence of a mass-emailed campaign today (April 10, 2017). Malware Tracker discovered a large campaign using the exploit and common "Scan Data" themed emails. The emails contain a randomly named nnnnnnnn[1].doc rtf file which uses the zero day exploit in a barely modified form. We have observed 2 samples - a …

QuickSand.io Open Source version released

Today we are officially launching an open source licensed version of QuickSand.io - a C command line tool to scan document streams with Yara signatures for exploits and active content as well as Cryptanalysis attacks on XOR obfuscation. Dubbed QuickSand_Lite, this version initially does not include the full Cryptanalysis module, the brute force single byte XOR, or the XOR Look Ahead algorithm.

Github Repo https://github.com/tylabs/quicksand_lite


In addition to the code, we are also including Yara signatures for active content, executables, some CVE exploit identification as well as a selection of general document-related Yara signatures. We've enhanced our Yara signatures with a numeric score which is used to calculate the overall badness score of a sample. Generally 1-10 are active content such as macros, 10+ are exploits or shell commands executed via the active content.

Exploit and Active Content Detection
WordExcelPowerpointRTFMime MSO xmlEmails

XOR + ROL/ROR/NOT/ADD/SUB Embedd…

Understanding our online toolkit for phishing document/PDF forensics

Our 3 main online tools for forensic analysis of documents and PDFs are PDFExaminer, Cryptam and QuickSand.io.

PDFs
Use PDFExaminer to decode or decrypt all the streams in a suspect PDF, and look for known exploits or active content such as JavaScript or Flash.

ResultsPDFExaminer will return a score of over 0 and under 10 for active content, don't trust a PDF with Active Content from emails. Some complicated forms like Passport applications will have a lot of Javascript but are safe. PDFExaminer allows an experienced analyst to drill down to view the actual Javascript. A score over 10 with a CVE-201XX-XXXX exploit ID are definitely bad, don't open those at all. See below "Cryptam and QuickSand.io for all non-executable files" for more analysis you can do on a PDF to find obfuscated embedded executables.


Cryptam and QuickSand.io for documents
Both  Cryptam and QuickSand.io will parse all the various streams that can occur within an Office document such as Word, PowerP…