Analyzing and debugging shellcode is a common task when performing malware analysis, exploit development and reverse engineering....

This article delves into tailoring Fakenet-NG's default web root, empowering you to craft a more precise and controlled environment for...

Malware authors often find creative ways to obfuscate and store their data and malicious office documents are no exception. One such...

While the abuse of OneNote documents is nothing new, a recent document I investigated revealed multiple payloads through the page...

Note: This blog was originally published on Feb 24, 2020 It’s common to see malicious office documents drop a JavaScript (JS) file to be...

I often encounter software, especially when performing malware analysis, that dynamically constructs it’s own import table. This can be...

The source code for this example can be found here. The assembly is: mov ebx, fs:[ 0x30 ] ; // get a pointer to the PEB mov ebx, [ ebx +...

Note - this was originally published in May of 2020 I recently came across a handful of malicious office documents (maldocs) whose...

In this video, we’ll look into installing OLEDUMP in Microsoft Windows. Microsoft office documents are a common vehicle used by malware...

In this video, we’ll explore a recent XLS document that drops and executes a DLL using RUNDLL32. The DLL is small and only used to...

On 11/10/2020, AnyRun posted an Emotet maldoc that utilized CertUtil to decode a DLL payload that was used for unpacking and running the...

With the recent resurgence of the use of Excel 4 macros in malicious excel documents, I’ve found myself scouring the internet looking for...

Occasionally I’ll encounter a maldoc that has a password-protected VBA project. While tools such as oledump may still extract the macros,...

Behavioral information is a key indicator used to determine if an office document is malicious or not. I’ve recently seen a series of...

A favorite technique by malware authors is to use macros in their office documents to utilize a normal system executable and replace the...

Malware authors are constantly coming up with new and clever techniques to help avoid detection. In this maldoc, the authors employed...

If you’re seeing DNS queries for teredo.ipv6.microsoft.com you may be interested in disabling it (more at MSDN and WikiPedia). On Windows...

This is a summary of initial (triage) analysis of Emotet droppers and the associated network traffic from the fall of 2019. This write-up...

If you’ve ever encountered the following dialog – you know that an application has crashed in Windows. As the dialog indicates, Microsoft...

According to this article on MSDN, Microsoft introduced the Network Connectivity Status Indicator in Windows Vista. While there may be a...