Skip to main content


Showing posts from 2015

0 Detection PDF with external link to malware EXE

This morning Malware Domain List tweeted a 0/57 detection malware PDF which was/is not detected as malware by any AV product on

The PDF has the following attributes:
Original filename: 2015-03-05Label.pdf Size: 96697 bytes md5: 0323382619193827959ee85631f6043d sha1: f64e86177b5b5f8db8a78c346e2a165423b4a427 sha256: bc415d1f0c8d8af1b02008f03788de7e073650893eec01296c537346b42f7244 ssdeep: 1536:s3Orf9OoEPqFlpcTVrGxokqE/3wrqx8TnWOgQSawAgl4a+E7zQGBEkc4ryH:serf9nEUpOJGmTE/BaLJ4qE7EGbmH content/type: PDF document, version 1.5

Loading the PDF into PDFExaminer does detect an exploit, which is actually more of a "feature" of PDF to link to external content, however, linking to a remote EXE is always bad and probably should be detected in the PDF:

Drilling down to the malicious object in PDFExaminer reveals an external hyperlink to an remote executable:

Now opening the PDF reveals how a user could be exploited, but they still need to click a malicious link to download and exec…

Return of the Mime MSO, now with Macros

Didier Stevens at Sans ISC reported a new Mime MSO XML variant used in Dridex attacks which embeds a compressed OLE document (ActiveMime), with VBA auto open macros, within a Mime MSO XML document. Previously we've only seen CVE-2012-0158 delivered in Mime MSO (of which we've previously blogged).

Cryptam our document malware analysis tool has been updated to process the base64 stream and uncompress the ActiveMime data. We anticipate this attack vector to be adapted to APT type attacks as well. In addition to VBA macros, the MSO XML specs also allow for a OLE document to be embedded as well (we also now handle this type of embedding with Cryptam). The specs also allow some flexibility in the XML to be coded as Attributes or Elements. Sample report.

The following Yara signatures will detect Mime MSO XML files and some of the newly found obfuscation techniques:

rule mime_mso
    comment = "mime mso detection"
    author = " @mwtracker"