The 2020 CSO Online survey revealed that 94% of malware is still delivered via email. We decided to refresh QuickSand.io into an all in one tool for analyzing both documents and PDFs for malware. Over the last few years the state of document and PDF malware has shifted dramatically from exploits to active content, exploiting the features of Office and PDF documents to deliver malware.
The web version of QuickSand.io is a simplified result to determine if the analyzed document has active content, high risk active content, or a potential exploit. We do recommend blocking active content from external email as much as possible.
Filesize: 10MB. Documents over 10MB (max 28s of processing) or PDFs over 5MB (max 18s of processing) may timeout on the online version. The timeout field is configurable on the software version of QuickSand.
Filetypes: Documents and PDFs. Remote links are not accessed and embedded executables are not analyzed.
How to interpret the results.
Metadata: This section has information about the file itself. Hashes that can be used to uniquely identify the file etc.
Similarity between documents can be an important tool to map attacks by the same actors or exploit kit.
- structhash: a unique 32 byte hash of a concatenated list of structural elements such as PDF objects or ole stream names.
- struzzy: A fuzzy hash for calculating Levenshtein distance between two document structures. Each structural element is represented by an alphanumeric code. More complex documents will have a longer string. Layout of this hash is a number followed by a string. (Element Total: Fuzzy hash).
- risk: plain language risk assessment: active content or exploit
- score: generally one point for obfuscation method/active content and 10 for an exploit based on the "rank" metadata field in our Yara rules.
This section is a list of objects or streams and exploits detected within.
- Yara rule: Name of rule that was detected
- description: Description of what the rule detected. (CVE or active content etc).
- strings: location offset within the stream, yara variable name: string content.
There is also a json link with more details for each report.