
Understanding our online toolkit for phishing document/PDF forensics

Our 3 main online tools for forensic analysis of documents and PDFs are PDFExaminer, Cryptam and


Use PDFExaminer to decode or decrypt all the streams in a suspect PDF, and look for known exploits or active content such as JavaScript or Flash.


PDFExaminer returns a score above 0 but below 10 for active content; don't trust a PDF with active content that arrives by email. Some complicated forms, such as passport applications, contain a lot of JavaScript but are safe, and PDFExaminer lets an experienced analyst drill down to view the actual JavaScript. A score over 10 together with a CVE-20XX-XXXX exploit ID is definitely bad; don't open those at all. See "Cryptam and for all non-executable files" below for further analysis you can do on a PDF to find obfuscated embedded executables.
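As an added example, not PDFExaminer's own code (its rules and weights are not published on this page), here is a small Python scanner in the same spirit: it walks the objects of a PDF, inflates FlateDecode streams so that compressed JavaScript is visible, and adds up per-indicator weights so that plain active content lands in the 1-9 band while an exploit-style indicator pushes the total to 10 or more, the same bands the page uses for Office documents and for the QuickSand_Lite scoring further down. The indicator names, their weights and the `unescape("%u...")` shellcode heuristic are assumptions for the demo, and the sample PDF is constructed inline.

```python
import re
import zlib

# Assumed indicator table for this demo (PDFExaminer's real rules and weights are
# not on the page). Weights follow the page's bands: active content 1-9, exploit-style 10+.
INDICATORS = [
    (rb"/JavaScript|/JS\b", "javascript", 5),             # active content
    (rb"/OpenAction|/AA\b", "auto_action", 2),             # runs on open, no click needed
    (rb"/RichMedia|/Flash", "flash", 5),                   # active content
    (rb"/Launch", "launch_action", 10),                    # executes an external program
    (rb"unescape\(\s*[\"']%u", "unescape_shellcode", 10),  # heap-spray shellcode idiom
]

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def decode_streams(pdf: bytes):
    """Yield (object number, object dictionary, decoded stream data) for every object."""
    for m in OBJ_RE.finditer(pdf):
        objnum, body = int(m.group(1)), m.group(3)
        dictionary = body.split(b"stream", 1)[0]
        sm = STREAM_RE.search(body)
        data = sm.group(1) if sm else b""
        if data and b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # corrupt or truncated stream: scan the raw bytes anyway
        yield objnum, dictionary, data


def score_pdf(pdf: bytes):
    """Return (total score, [(object number, indicator name), ...]), one hit per object and indicator."""
    score, hits = 0, []
    for objnum, dictionary, data in decode_streams(pdf):
        for pattern, name, weight in INDICATORS:
            if re.search(pattern, dictionary) or re.search(pattern, data):
                score += weight
                hits.append((objnum, name))
    return score, hits


def verdict(score: int) -> str:
    """Map a score onto the bands described on the page."""
    if score == 0:
        return "no active content found"
    if score < 10:
        return "active content: review before trusting"
    return "exploit or shell-command indicators: do not open"


def build_sample_pdf(js: bytes) -> bytes:
    """Constructed sample: a minimal PDF whose /OpenAction runs FlateDecode'd JavaScript."""
    comp = zlib.compress(js)
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>",
        b"<< /Type /Pages /Kids [] /Count 0 >>",
        b"<< /S /JavaScript /JS 4 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(comp)
        + comp + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for i, obj in enumerate(objs, 1):
        out += b"%d 0 obj\n%s\nendobj\n" % (i, obj)
    out += b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    return out


if __name__ == "__main__":
    doc = build_sample_pdf(b'var s = unescape("%u9090%u9090"); app.alert(1);')
    total, found = score_pdf(doc)
    print(total, found, verdict(total))
```

A form that only validates fields scores in the active-content band here (OpenAction plus JavaScript), which is exactly the "look at the actual JavaScript before deciding" case from the paragraph above; the same document with an `unescape("%u...")` stager in the script crosses the 10+ line.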

Cryptam and for documents

Both Cryptam and will parse all the various streams that can occur within an Office document such as Word, PowerPoint or Excel, plus interchange formats such as RTF and MIME MSO XML.


Scores above 0 but below 10 indicate active content such as macros or ActiveX controls; again, don't trust active content from unknown sources or in email. Scores over 10 usually mean a macro executes a shell command or a known CVE-20XX-XXXX exploit was found.

Cryptam and for all non-executable files 

For non-executable files (documents, PDFs, images, TCP streams) Cryptam or attempt to find obfuscated embedded executables: Windows, Mac or Linux binaries, or VBS scripts. Both tools attack XOR and ROL/ROR/NOT obfuscation using different cryptanalysis techniques and may get different results. Generally the final results should be very similar between the two tools; if you find a sample that returns different or no results in one tool but a positive malware detection in the other, please let us know.
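As an added example, not code from Cryptam or QuickSand_Lite (the page names the transforms they attack but not their algorithms), here is a Python implementation of the simplest form of that attack: brute-force the byte rotation, then recover a repeating XOR key by known plaintext, using the "This program cannot be run in DOS mode" message that nearly every PE carries, and confirm the hit by walking back to an MZ header whose e_lfanew points at a PE signature. Because rotation is a bit permutation it distributes over XOR, so "XOR then ROL" and "ROL then XOR" are the same family and NOT is just XOR with 0xFF; one search covers all of them. The 16-byte key limit, the sample PE image, the RTF-like wrapper and the key are constructed assumptions for the demo; a 256-byte key needs more known plaintext than the 38-byte stub message supplies, which is why real tools also lean on the zero-filled header regions.

```python
import struct

DOS_STUB = b"This program cannot be run in DOS mode"  # known plaintext in nearly every PE
MAX_KEY_LEN = 16  # demo assumption; must stay below len(DOS_STUB) / 2 for the period test


def ror8(b: int, r: int) -> int:
    r %= 8
    return ((b >> r) | (b << (8 - r))) & 0xFF


def rol8(b: int, r: int) -> int:
    return ror8(b, (8 - r) % 8)


def undo_rotate(data: bytes, r: int) -> bytes:
    return bytes(ror8(b, r) for b in data)


def xor_key_at(buf: bytes, pos: int, plaintext: bytes):
    """If `plaintext` sits at `pos` under a repeating XOR key of length <= MAX_KEY_LEN,
    return that key aligned to offset 0 of `buf`, otherwise None."""
    stream = bytes(buf[pos + j] ^ plaintext[j] for j in range(len(plaintext)))
    for L in range(1, MAX_KEY_LEN + 1):
        # the keystream under the known plaintext must repeat with period L
        if all(stream[j] == stream[j % L] for j in range(L, len(stream))):
            return bytes(stream[(m - pos) % L] for m in range(L))
    return None


def validate_pe(plain: bytes, stub_pos: int):
    """Walk back from the stub text to an 'MZ' whose e_lfanew points at 'PE\\0\\0'."""
    lo = max(0, stub_pos - 0x100)
    mz = plain.rfind(b"MZ", lo, stub_pos)
    while mz != -1:
        if mz + 0x40 <= len(plain):
            e_lfanew = struct.unpack_from("<I", plain, mz + 0x3C)[0]
            if plain[mz + e_lfanew: mz + e_lfanew + 4] == b"PE\0\0":
                return mz
        mz = plain.rfind(b"MZ", lo, mz)
    return None


def find_obfuscated_pe(data: bytes):
    """Brute-force the 8 rotations, then a known-plaintext attack on the XOR key."""
    for r in range(8):
        buf = undo_rotate(data, r)  # c = rol(p ^ k) == rol(p) ^ rol(k), so undo rotation first
        for pos in range(len(buf) - len(DOS_STUB) + 1):
            key = xor_key_at(buf, pos, DOS_STUB)
            if key is None:
                continue
            plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))
            mz = validate_pe(plain, pos)
            if mz is not None:
                return {"rot": r, "key": key, "pe_offset": mz, "pe": plain[mz:]}
    return None


def obfuscate(blob: bytes, key: bytes, r: int) -> bytes:
    """Constructed sample obfuscator: XOR with a repeating key, then ROL every byte."""
    return bytes(rol8(b ^ key[i % len(key)], r) for i, b in enumerate(blob))


def build_fake_pe() -> bytes:
    """Constructed sample: MZ header, the standard DOS stub, e_lfanew -> 'PE\\0\\0' at 0x80."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB + b".\r\r\n$\0"
    image = bytes(hdr) + stub
    image += b"\0" * (0x80 - len(image)) + b"PE\0\0\x4c\x01" + b"\0" * 250
    return image


def build_sample_document(blob: bytes) -> bytes:
    """Constructed sample: an RTF-looking wrapper with the blob between deterministic filler."""
    filler = bytes((i * 7 + 13) & 0xFF for i in range(400))
    return b"{\\rtf1\\ansi " + filler + blob + filler + b"}"


if __name__ == "__main__":
    pe = build_fake_pe()
    doc = build_sample_document(obfuscate(pe, b"\x5a\xa1\x03\xc7", 3))
    hit = find_obfuscated_pe(doc)
    print(hit["rot"], hit["key"].hex(), hit["pe_offset"], hit["pe"][:len(pe)] == pe)
```

The e_lfanew check is what keeps the period test honest: a 38-byte plaintext match on its own is strong, but confirming that the decoded bytes also form a consistent PE header is the difference between "something XOR-like is here" and "an executable is here", which is the distinction the score of 0 discussed below depends on.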


For PDFs and other non-document files, Cryptam and only report whether an embedded executable was found: a score of 0 on a PDF means only that no executable was found, and you still need to check the PDFExaminer results for PDF-specific exploits. For Office documents, a score of 0 means no known exploits or embedded executables were found.

Errors and Feedback

Contact us if our tools may have missed something and you think a sample is bad, or if we detected something as bad that's actually safe.

Coming Soon to a Command Line Near You

A portable C command line version of, for free, with no web or internet dependencies.
We'll tell you where to find it on GitHub and how it differs from the full commercial version in the next post. Crack some of those pesky 256-byte XOR keys without uploading your secret stash of APT malware samples to us.


Popular posts from this blog

Tomato Garden Campaign - Possible Microsoft Office zero day in the wild used against Tibet and China Democracy activists

Update: So far some of the samples are blocked by MS12-060 but are not a known exploit, so this might be a new, but already patched, exploit. The purpose of this campaign might be to evade AV while going after users without the latest patch; all samples score 7 or 8 detections out of a maximum of 43 on VirusTotal.

We are currently examining 40 samples of an unconfirmed zero-day in Microsoft Office circulating against pro-democracy and Tibet activists. One of the exploit documents contains a "PittyTiger" payload; however, several different payload implants have been observed. The exploit is contained in a .doc file but could be delivered via RTF as well. We've seen attacks since June 4, 2013 using payloads compiled on May 28, and some of the command and control domains have been registered as late as today, June 6, 2013.

We have provided the samples to Microsoft and are awaiting confirmation.

We will release detection signatures for our Cryptam document malware scanner - free online scanning at Cryptam.…

Open Source version released

Today we are officially launching an open source licensed version of - a C command line tool to scan document streams with Yara signatures for exploits and active content, as well as cryptanalysis attacks on XOR obfuscation. Dubbed QuickSand_Lite, this version initially does not include the full cryptanalysis module, the brute-force single-byte XOR, or the XOR Look Ahead algorithm.

Github Repo

In addition to the code, we are also including Yara signatures for active content, executables and some CVE exploit identification, as well as a selection of general document-related Yara signatures. We've enhanced our Yara signatures with a numeric score that is used to calculate the overall badness score of a sample. Generally 1-10 are active content such as macros; 10+ are exploits or shell commands executed via the active content.
