
QuickSand 2

The 2020 CSO Online survey reported that 94% of malware is still delivered via email. We decided to refresh QuickSand into an all-in-one tool for analyzing both Office documents and PDFs for malware. Over the last few years, document and PDF malware has shifted dramatically from exploits to active content: abusing legitimate features of Office and PDF documents, such as macros and embedded objects, to deliver malware.

The web version gives a simplified verdict: whether the analyzed document contains active content, high-risk active content, or a potential exploit. We recommend blocking active content arriving by external email as much as possible.

Get Started

On any page, click the `Choose File` button under the logo on the left and select the file to scan, then click `Scan Document or PDF` to start the analysis. JavaScript is required to upload the file.


Filesize: 10MB. Documents over 10MB (max 28s of processing) or PDFs over 5MB (max 18s of processing) may time out on the online version. The timeout is configurable in the software version of QuickSand.

Filetypes: Office documents and PDFs. Remote links are not fetched and embedded executables are not analyzed, so a payload that is only downloaded when the document is opened is not examined and a clean result does not cover it.

How to interpret the results.

Metadata: This section has information about the file itself, such as the hashes that uniquely identify it.


Similarity between documents is a useful way to map attacks back to the same actor or exploit kit. Two hashes support this:

  • structhash: a unique 32-byte hash of the concatenated list of structural elements, such as PDF objects or OLE stream names.
  • struzzy: a fuzzy hash for calculating the Levenshtein distance between two document structures. Each structural element is represented by an alphanumeric code, so a more complex document yields a longer string. The layout is a number followed by a string, in the form (Element Total: Fuzzy hash).
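The following is an added example, not QuickSand's own code, showing how a structural listing turns into the two hashes above and how two struzzy values are compared. The one-character element codes, the separator, and the choice of SHA-256 for structhash are all assumptions made for the example; the structure listings for the samples are constructed.

```python
import hashlib

# Hypothetical one-character codes for structural element types. QuickSand's
# real alphabet is not documented on this page, so this mapping is an assumption.
ELEMENT_CODES = {
    "pdf_obj": "o", "pdf_stream": "s", "pdf_js": "j", "pdf_openaction": "a",
    "ole_storage": "t", "ole_stream": "e", "ole_macro": "m", "rtf_obj": "r",
}


def structhash(elements):
    """Hash the concatenated structural element list. SHA-256 is used here
    (a 32-byte digest); the hash QuickSand actually uses is an assumption."""
    return hashlib.sha256("|".join(elements).encode()).hexdigest()


def struzzy(elements):
    """'<element total>:<code string>', one code per element in file order."""
    codes = "".join(ELEMENT_CODES.get(e, "x") for e in elements)
    return f"{len(elements)}:{codes}"


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def struzzy_similarity(h1, h2):
    """Compare the code strings of two struzzy values (the element total
    prefix is ignored). Returns (edit distance, similarity in 0..1)."""
    s1, s2 = h1.split(":", 1)[1], h2.split(":", 1)[1]
    d = levenshtein(s1, s2)
    return d, 1.0 - d / max(len(s1), len(s2), 1)


# Constructed structure listings: two PDF samples that differ by one extra
# stream, and an unrelated Office document.
SAMPLE_A = ["pdf_obj", "pdf_obj", "pdf_stream", "pdf_js", "pdf_openaction"]
SAMPLE_B = ["pdf_obj", "pdf_obj", "pdf_stream", "pdf_stream", "pdf_js",
            "pdf_openaction"]
SAMPLE_C = ["ole_storage", "ole_stream", "ole_macro"]

if __name__ == "__main__":
    for name, sample in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, structhash(sample)[:16], struzzy(sample))
    print("A vs B:", struzzy_similarity(struzzy(SAMPLE_A), struzzy(SAMPLE_B)))
    print("A vs C:", struzzy_similarity(struzzy(SAMPLE_A), struzzy(SAMPLE_C)))
```

Note that structhash changes completely when a single stream is added, which is exactly when struzzy still reports the two files as close; use structhash for exact clustering and struzzy for near matches.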


  • risk: plain-language risk assessment (active content or exploit).
  • score: generally one point for each obfuscation method or piece of active content and 10 for an exploit, derived from the "rank" metadata field of the matching Yara rules.
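To make the score and risk fields concrete, here is an added example (not QuickSand's rule set or scoring code) that reads the "rank" metadata out of a few constructed Yara rules and turns a list of matched rule names, as yara-python reports them in `match.rule`, into a score and a verdict. The rules, the threshold of 10 for "exploit", and the treatment of a rule without a rank as contributing 0 are assumptions for the example.

```python
import re

# Constructed sample rules in YARA syntax, written for this example only.
# Each carries the "rank" meta field that the score is derived from.
SAMPLE_RULES = r'''
rule pdf_javascript {
    meta:
        description = "PDF contains JavaScript (active content)"
        rank = 1
    strings:
        $js = "/JavaScript"
    condition:
        $js
}

rule ole_vba_macro {
    meta:
        description = "OLE document contains a VBA macro (active content)"
        rank = 1
    strings:
        $vba = "_VBA_PROJECT"
    condition:
        $vba
}

rule cve_2017_8759_soapmoniker {
    meta:
        description = "CVE-2017-8759 SOAP WSDL moniker (exploit)"
        rank = 10
    strings:
        $clsid = { C7 B0 AB EC 19 7F D2 11 97 8E 00 00 F8 75 7E 2A }
    condition:
        $clsid
}
'''

# Rule header plus its meta block, up to the strings or condition section.
RULE_RE = re.compile(
    r'rule\s+(?P<name>\w+)\s*\{.*?meta:(?P<meta>.*?)(?:strings:|condition:)',
    re.S)
# key = "string" or key = integer
META_RE = re.compile(r'(\w+)\s*=\s*("([^"]*)"|\d+)')


def parse_rule_meta(rules_text):
    """Map rule name -> {meta key: value}; integer values become int."""
    out = {}
    for m in RULE_RE.finditer(rules_text):
        meta = {}
        for key, raw, quoted in META_RE.findall(m.group("meta")):
            meta[key] = quoted if raw.startswith('"') else int(raw)
        out[m.group("name")] = meta
    return out


def score_matches(matched_rules, meta_by_rule, exploit_rank=10):
    """Sum the rank of every matched rule and map the total to a verdict.

    A rule with no rank meta contributes 0 (assumption). Any single rule at
    or above exploit_rank makes the verdict "exploit" regardless of the sum.
    """
    ranks = {r: meta_by_rule.get(r, {}).get("rank", 0) for r in matched_rules}
    score = sum(ranks.values())
    if any(v >= exploit_rank for v in ranks.values()):
        risk = "exploit"
    elif score > 0:
        risk = "active content"
    else:
        risk = "none"
    return {"score": score, "risk": risk, "ranks": ranks}


META = parse_rule_meta(SAMPLE_RULES)

# Constructed match lists for two hypothetical files.
MACRO_DOC = ["ole_vba_macro"]
RTF_EXPLOIT = ["cve_2017_8759_soapmoniker", "ole_vba_macro"]

if __name__ == "__main__":
    for label, hits in (("macro doc", MACRO_DOC), ("rtf exploit", RTF_EXPLOIT)):
        print(label, score_matches(hits, META))
```

The point of keeping rank in rule metadata rather than in the scorer is that adding a rule never requires touching the scoring logic, and a report can show per-rule ranks alongside the total.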

Detailed Results

This section lists the objects or streams in the file and the exploits or active content detected within each.

  • Yara rule: name of the rule that matched.
  • description: what the rule detects (a CVE, a kind of active content, etc.).
  • strings: offset of the match within the stream, the Yara variable name, and the matched string content.

There is also a JSON link with full details for each report.


Popular posts from this blog

Signature Dev for RTF zero day CVE-2017-8759

After reading the FireEye blog on CVE-2017-8759 we decided to quickly write a signature for the new zero day (not yet widely used, and now patched). Naturally, we did it with our own tooling.

First we searched our samples for the MD5 reported by FireEye, fe5c4d6bb78e170abf5cf3741868ea4c.

The first hex block looks interesting:
Clicking the sha256 link brings up the hex view: it is an OLE document embedded in the RTF. We can see a WSDL link, and the highlighted hex turns out to be part of the class ID, which reads c7b0abec-197f-d211-978e-0000f8757e2a in on-disk byte order. Reversing the byte order of the first three fields (a stored GUID keeps them little-endian) gives the SoapMoniker class ID ECABB0C7-7F19-11D2-978E-0000F8757E2A.
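The byte-order step above is the one that trips people up when carving CLSIDs out of hex dumps, so here is an added example (not part of the original post) that performs it with the standard library and scans a blob for known CLSIDs in their on-disk form. The CLSID bytes are reconstructed from the hex quoted in the post; the stand-in OLE blob, the WSDL URL inside it, and the `KNOWN_CLSIDS` table shape are constructed for the example.

```python
import uuid

# The 16 bytes as they sit in the embedded OLE object (from the post's hex):
# a COM CLSID stored with Data1, Data2 and Data3 little-endian.
RAW_CLSID = bytes.fromhex("c7b0abec197fd211978e0000f8757e2a")

# Canonical CLSIDs to look for. Only SoapMoniker comes from the post; the
# table is an assumption so that further CLSIDs can be added.
KNOWN_CLSIDS = {
    "SoapMoniker": "ECABB0C7-7F19-11D2-978E-0000F8757E2A",
}


def clsid_from_le_bytes(b):
    """Render a 16-byte on-disk CLSID in canonical registry form.
    uuid.UUID(bytes_le=...) swaps the first three fields for us."""
    if len(b) != 16:
        raise ValueError("CLSID must be 16 bytes")
    return str(uuid.UUID(bytes_le=b)).upper()


def clsid_as_hex_view(b):
    """The same bytes read straight off the hex dump, no byte-order swap."""
    if len(b) != 16:
        raise ValueError("CLSID must be 16 bytes")
    return str(uuid.UUID(bytes=b)).upper()


def find_known_clsids(blob, known=KNOWN_CLSIDS):
    """Scan a blob for known CLSIDs in on-disk byte order.
    Returns a sorted list of (offset, name, canonical CLSID)."""
    hits = []
    for name, canonical in known.items():
        needle = uuid.UUID(canonical).bytes_le   # canonical -> on-disk bytes
        idx = blob.find(needle)
        while idx != -1:
            hits.append((idx, name, canonical))
            idx = blob.find(needle, idx + 1)
    return sorted(hits)


# Constructed stand-in for the embedded OLE object: padding, the CLSID, then
# a WSDL URL of the kind seen next to it in the hex view (URL is made up).
SAMPLE_OLE = (b"\x00" * 8 + RAW_CLSID + b"\x00" * 4
              + b"http://example.invalid/exploit.wsdl")

if __name__ == "__main__":
    print("hex view: ", clsid_as_hex_view(RAW_CLSID))
    print("canonical:", clsid_from_le_bytes(RAW_CLSID))
    print("hits:     ", find_known_clsids(SAMPLE_OLE))
```

When writing the Yara string for this, use the on-disk byte order (`C7 B0 AB EC 19 7F D2 11 ...`), not the canonical text form; `uuid.UUID(canonical).bytes_le` gives you exactly the bytes to put in the hex string.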

This handy list reveals the SoapMoniker class:

After some testing, we pushed out a CVE-2017-8759 signature to our service and to the free open source version.