
Published on December 20th, 2016

Analyze Suspected Malware Documents: QuickSand


QuickSand is a compact C framework for analyzing suspected malware documents. It 1) identifies exploits in streams of different encodings and 2) locates and extracts embedded executables. Because it can locate embedded executables even when they are obfuscated, QuickSand can flag documents that carry zero-day or otherwise unknown obfuscated exploits, for which no exploit signature yet exists.

 

File Formats For Exploit and Active Content Detection
  • doc, docx, docm, rtf, etc
  • ppt, pptx, pps, ppsx, etc
  • xls, xlsx, etc
  • mime mso
  • eml email

 

File Formats For Executable Detection
  • All of the above, plus PDF.
  • Any document format such as HWP.

 

Lite Version – MPLv2 License
  • Key dictionary for XOR keys up to 256 bytes
  • Bitwise ROL, ROR, NOT
  • Addition or subtraction math cipher
  • Executable extraction: Windows, Mac, Linux, VBA
  • Exploit search
  • RTF pre processing
  • Hex stream extract
  • Base 64 Stream extract
  • Embedded Zip extract
  • ExOleObjStgCompressedAtom extract
  • zLib Decode
  • Mime Mso xml Decoding
  • OpenXML decode (unzip)
  • Yara signatures included: executables, active content, exploits for CVEs from 2014 and earlier
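The feature list above names the decoders the lite version applies while hunting for an embedded executable: single-byte transforms (NOT, ROL/ROR, add/sub) and repeating XOR keys. The script below is an added example, not QuickSand's own code, showing how such a search can be done in Python: every byte-wise transform is brute-forced with a 256-byte translation table, and XOR keys are recovered by known plaintext, using the DOS stub string "This program cannot be run in DOS mode." that nearly every PE carries, with the candidate then validated by checking that the MZ header's e_lfanew really points at a PE signature. The sample "document" (RTF-looking prefix, random filler, a minimal constructed PE) and the helper names are all this example's own assumptions.

```python
"""Locate obfuscated PE executables inside a document blob.

Added example (not part of QuickSand): brute-force the single-byte
transforms NOT / ROL / ROR / ADD / SUB, recover repeating XOR keys by
known plaintext, and validate MZ/PE headers before reporting a hit.
"""
import random
import struct

DOS_STUB = b"This program cannot be run in DOS mode."
MAX_XOR_KEYLEN = len(DOS_STUB) // 2   # every key byte must be pinned at least twice


def validate_pe(data: bytes, mz: int) -> bool:
    """True if data[mz:] is an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if data[mz:mz + 2] != b"MZ" or mz + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, mz + 0x3C)[0]
    if not 0x40 <= e_lfanew <= 0x1000:
        return False
    return data[mz + e_lfanew:mz + e_lfanew + 4] == b"PE\0\0"


def scan_plain(data: bytes):
    """Yield the offset of every validated MZ/PE header in data."""
    mz = data.find(b"MZ")
    while mz != -1:
        if validate_pe(data, mz):
            yield mz
        mz = data.find(b"MZ", mz + 1)


def byte_transforms():
    """(name, 256-byte translation table) for each single-byte decoder."""
    yield "not", bytes(b ^ 0xFF for b in range(256))
    for r in range(1, 8):      # ROL r undoes ROR r; r=1..7 also covers every ROL
        yield f"rol{r}", bytes(((b << r) | (b >> (8 - r))) & 0xFF for b in range(256))
    for k in range(1, 256):    # SUB k undoes ADD k, and SUB k == ADD (256-k)
        yield f"sub{k}", bytes((b - k) & 0xFF for b in range(256))


def recover_xor_key(blob: bytes, pos: int, keylen: int):
    """Assume DOS_STUB was XORed into blob[pos:] with a repeating key of keylen
    bytes aligned to blob offset 0; return that key if it is self-consistent."""
    key = [None] * keylen
    for i, p in enumerate(DOS_STUB):
        slot = (pos + i) % keylen
        kb = blob[pos + i] ^ p
        if key[slot] is None:
            key[slot] = kb
        elif key[slot] != kb:
            return None            # the bytes under the stub contradict this period
    return bytes(key)


def xor_decode(blob: bytes, key: bytes, start: int, end: int) -> bytes:
    """Decode blob[start:end] with key aligned to blob offset 0."""
    k = len(key)
    return bytes(blob[i] ^ key[i % k] for i in range(start, min(end, len(blob))))


def find_embedded_pe(blob: bytes):
    """Return [{'offset', 'method', 'key'}] for every validated PE found."""
    hits, seen = [], set()

    def add(offset, method, key):
        if offset not in seen:
            seen.add(offset)
            hits.append({"offset": offset, "method": method, "key": key})

    for off in scan_plain(blob):                       # unobfuscated
        add(off, "plain", b"")
    for name, table in byte_transforms():              # NOT / ROL / ROR / ADD / SUB
        for off in scan_plain(blob.translate(table)):
            add(off, name, b"")
    for pos in range(len(blob) - len(DOS_STUB) + 1):   # repeating XOR, known plaintext
        for keylen in range(1, MAX_XOR_KEYLEN + 1):
            key = recover_xor_key(blob, pos, keylen)
            if key is None:
                continue
            start = max(0, pos - 0x100)                # the MZ header precedes the stub
            window = xor_decode(blob, key, start, pos + 0x1000)
            for mz in scan_plain(window):
                if mz < pos - start:
                    add(start + mz, f"xor{keylen}", key)
            break                                      # shortest consistent period wins
    return sorted(hits, key=lambda h: h["offset"])


def extract(blob: bytes, hit: dict, length: int) -> bytes:
    """Apply the decoder recorded in hit and return the recovered bytes."""
    off = hit["offset"]
    if hit["method"] == "plain":
        return blob[off:off + length]
    if hit["method"].startswith("xor"):
        return xor_decode(blob, hit["key"], off, off + length)
    return blob[off:off + length].translate(dict(byte_transforms())[hit["method"]])


# --- constructed sample data (assumptions of this example) -------------------
def build_fake_pe() -> bytes:
    """Minimal MZ/PE image with a real DOS-stub layout and no code."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x80)                        # e_lfanew
    hdr += b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21" + DOS_STUB + b"\r\r\n$\0"
    hdr += b"\0" * (0x80 - len(hdr))
    hdr += b"PE\0\0" + b"\x4c\x01\x00\x00" + b"\0" * 0x100         # COFF header: i386
    return bytes(hdr)


def build_document(encode, seed=7):
    """RTF-looking prefix + random filler, the encoded PE, more filler."""
    rng = random.Random(seed)
    junk = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    head = b"{\\rtf1\\ansi " + junk(1500)
    return head + encode(build_fake_pe()) + junk(700), len(head)


def enc_xor(key):
    return lambda pe: bytes(b ^ key[i % len(key)] for i, b in enumerate(pe))


def enc_add(k):
    return lambda pe: bytes((b + k) & 0xFF for b in pe)


def enc_ror(r):
    return lambda pe: bytes(((b >> r) | (b << (8 - r))) & 0xFF for b in pe)


if __name__ == "__main__":
    pe = build_fake_pe()
    for label, enc in [("xor qs-lite", enc_xor(b"qs-lite")), ("add 0x33", enc_add(0x33)),
                       ("ror 3", enc_ror(3)), ("not", enc_xor(b"\xff"))]:
        doc, expect = build_document(enc)
        for hit in find_embedded_pe(doc):
            ok = extract(doc, hit, len(pe)) == pe
            print(f"{label:12s} offset {hit['offset']:#x} (expected {expect:#x}) "
                  f"via {hit['method']} key={hit['key']!r} recovered={ok}")
```

Known-plaintext recovery pins one key byte per stub byte, so it only reaches keys up to about half the stub length here; longer keys need a dictionary of candidates, which is what the "key dictionary" item in the feature list refers to. Validating e_lfanew before reporting is what keeps the 260-odd brute-forced transforms from producing false hits on random "MZ" byte pairs.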

Example results and more information are in the QuickSand blog post.


Dependencies

  • Yara 3.4+
  • zlib
  • libzip

 

Quick Start

  • ./build.sh (compile QuickSand against Yara, zlib and libzip)
  • ./quicksand.out -h (print the command-line options)
  • ./quicksand.out malware.doc (analyze a suspect document)

 

DOCUMENTATION:

https://quicksand.io/

DOWNLOAD:

https://github.com/tylabs/quicksand_lite
