QuickSand document malware similarity clustering

One of the most powerful features of QuickSand is the ability to identify similar malware samples. We can use both the structhash (an MD5 based on the structure of the document) and the struzzy fuzzy hash to cluster samples.

In this example, we will start with 500 recent samples of document malware with at least 10 detections on VirusTotal and write some Python to count the number of unique similarity hashes. If two documents have the same structhash, they likely originate from the same criminal or APT group or were generated from the same tool. We will build clusters to quickly group our 500 samples into buckets of similar samples to see what the main threats are.

Out of the 500 randomly selected malware documents, we can quickly see some clusters with up to 76 samples with an identical structure, denoted by an identical structhash.

We can use the fuzzy hash struzzy to squeeze out a few more similarities into the clusters as well. These samples might have a few minor differences as objects …
Recent posts

QuickSand 2

The 2020 CSO Online survey revealed that 94% of malware is still delivered via email. We decided to refresh QuickSand into an all-in-one tool for analyzing both documents and PDFs for malware. Over the last few years the state of document and PDF malware has shifted dramatically from exploits to active content, exploiting the features of Office and PDF documents to deliver malware.

The web version of QuickSand gives a simplified result to determine whether the analyzed document has active content, high-risk active content, or a potential exploit. We do recommend blocking active content from external email as much as possible.

Get Started

On any page, click the `Choose File` button under the logo on the left, then select the file to scan. Click `Scan Document or PDF` to start the analysis. JavaScript is required to upload the file.

Limits

File size: 10MB. Documents over 10MB (max 28s of processing) or PDFs over 5MB (max 18s of processing) may time out on the online versio…

version 2.0.1 major release

Check out our new version of QuickSand. It now supports PDFs and documents (Office OLE/OpenOffice and RTF), all in a single tool.

We now use a risk description to define the risk from each document. Generally, documents or PDFs will either have active content, like macros or scripts, or contain an exploit.

Signature Dev using QuickSand for RTF zero day CVE-2017-8759

After reading the FireEye blog on CVE-2017-8759, we decided to quickly write a signature for the new (though not yet widely used, and now patched) zero day. We decided to use QuickSand, naturally.

First we searched for the FireEye-reported hash fe5c4d6bb78e170abf5cf3741868ea4c in QuickSand.

The first hex block looks interesting:

Clicking the sha256 link brings up the hex view; it's an OLE document embedded in the RTF. We can see a wsdl link, and the highlighted hex turns out to be part of the class ID, rendered as c7b0abec-197f-d211-978e-0000f8757e2a. Reversing the byte order of the first three blocks gives the SoapMoniker class ID ECABB0C7-7F19-11D2-978E-0000F8757E2A.
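
The byte-order reversal described above, as an added example in Python that is not part of the original post: it decodes a CLSID exactly as it sits in an OLE stream, and scans a constructed byte string for the on-disk encoding of the SoapMoniker class ID, which is the check a detection signature for this sample needs. The `SAMPLE` bytes are constructed for illustration and are not a real file.

```python
import uuid

# SoapMoniker class ID as quoted in the post (canonical text form).
SOAP_MONIKER_CLSID = uuid.UUID("ECABB0C7-7F19-11D2-978E-0000F8757E2A")


def clsid_from_stream_bytes(raw: bytes) -> str:
    """Decode 16 bytes of a CLSID as stored in an OLE stream into canonical text.

    OLE stores the first three GUID fields (32, 16 and 16 bits) little-endian,
    so a hex dump shows them byte-reversed; the last 8 bytes are stored as-is.
    """
    if len(raw) != 16:
        raise ValueError("a CLSID is exactly 16 bytes")
    return str(uuid.UUID(bytes_le=raw)).upper()


def clsid_to_stream_bytes(clsid: str) -> bytes:
    """Inverse: canonical CLSID text -> the 16 bytes as they appear on disk."""
    return uuid.UUID(clsid).bytes_le


def find_clsid(data: bytes, clsid: uuid.UUID) -> list[int]:
    """Return every offset in data where the on-disk encoding of clsid occurs."""
    needle = clsid.bytes_le
    hits, start = [], 0
    while (idx := data.find(needle, start)) != -1:
        hits.append(idx)
        start = idx + 1
    return hits


# Constructed sample (not a real file): filler bytes with the hex block from
# the post's hex view placed at offset 8.
SAMPLE = (
    b"\x00" * 8
    + bytes.fromhex("c7b0abec197fd211978e0000f8757e2a")
    + b"\x00" * 4
)

if __name__ == "__main__":
    print(clsid_from_stream_bytes(SAMPLE[8:24]))  # ECABB0C7-7F19-11D2-978E-0000F8757E2A
    print(find_clsid(SAMPLE, SOAP_MONIKER_CLSID))  # [8]
```

In an RTF the embedded OLE object is stored as hex text inside the `\objdata` group, so decode that hex to bytes before running `find_clsid` over it.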

This handy list reveals the SoapMoniker class:

After some testing, we pushed out a CVE-2017-8759 signature to QuickSand and the free open source version.