Skip to main content


Showing posts from December, 2016 Open Source version released

Today we are officially launching an open source licensed version of - a C command line tool to scan document streams with Yara signatures for exploits and active content as well as Cryptanalysis attacks on XOR obfuscation. Dubbed QuickSand_Lite, this version initially does not include the full Cryptanalysis module, the brute force single byte XOR, or the XOR Look Ahead algorithm.

Github Repo

In addition to the code, we are also including Yara signatures for active content, executables, some CVE exploit identification as well as a selection of general document-related Yara signatures. We've enhanced our Yara signatures with a numeric score which is used to calculate the overall badness score of a sample. Generally 1-10 are active content such as macros, 10+ are exploits or shell commands executed via the active content.

Exploit and Active Content Detection
WordExcelPowerpointRTFMime MSO xmlEmails


Understanding our online toolkit for phishing document/PDF forensics

Our 3 main online tools for forensic analysis of documents and PDFs are PDFExaminer, Cryptam and

Use PDFExaminer to decode or decrypt all the streams in a suspect PDF, and look for known exploits or active content such as JavaScript or Flash.

ResultsPDFExaminer will return a score of over 0 and under 10 for active content, don't trust a PDF with Active Content from emails. Some complicated forms like Passport applications will have a lot of Javascript but are safe. PDFExaminer allows an experienced analyst to drill down to view the actual Javascript. A score over 10 with a CVE-201XX-XXXX exploit ID are definitely bad, don't open those at all. See below "Cryptam and for all non-executable files" for more analysis you can do on a PDF to find obfuscated embedded executables.

Cryptam and for documents
Both  Cryptam and will parse all the various streams that can occur within an Office document such as Word, PowerP…