QuickSand.io – Tool For Scanning Streams Within Office Documents Plus Xor DB Attack

QuickSand is a compact C framework for analyzing suspected malware documents in order to 1) identify exploits in streams of different encodings and 2) locate and extract embedded executables. Because it can locate embedded obfuscated executables, QuickSand can detect documents that carry zero-day or otherwise unknown obfuscated exploits.

File Formats For Exploit and Active Content Detection
- doc, docx, docm, rtf, etc.
- ppt, pptx, pps, ppsx, etc.
- xls, xlsx, etc.
- mime mso
- eml email

File Formats For Executable Detection
- All of the above, plus PDF.
- Any document format, such as HWP.

Lite Version – MPLv2 License
- Key dictionary up to 256 byte XOR
- Bitwise ROL, ROR, NOT
- Addition or subtraction math cipher
- Executable extraction: Windows, Mac, Linux, VBA
- Exploit search
- RTF pre-processing
- Hex stream extract
- Base64 stream extract
- Embedded Zip extract
- ExOleObjStgCompressedAtom extract
- zLib decode
- Mime Mso xml decoding
- OpenXML decode (unzip)
- Yara signatures included: executables, active content, exploits CVE 2014 and earlier
- Example results and more info: blog post

Full Version – Commercial License
- Key cryptanalysis 1-1024 bytes, factors of 2; or a specified odd size 1-1024 bytes
- 1 byte "zero space not replaced" brute-force XOR search
- XOR look-ahead cipher
- More Yara signatures included: all lite plus most recent exploits 2014-2016 for CVE identification

Try the full version online at QuickSand.io

Dependencies (not included)
- Yara 3.4+
- zlib 1.2.1+
- libzip 1.1.1+

Components distributed under their own licensing
- MD5 by RSA Data Security, Inc.
- SHA1 by Paul E. Jones
- SHA2 by Aaron D. Gifford
- jWrite by TonyWilk for json output
- tinydir by Cong Xu, Baudouin Feildel for directory processing

Quick Start
./build.sh
./quicksand.out -h
./quicksand.out malware.doc

Documentation: QuickSand.io
Download QuickSand
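The XOR key cryptanalysis and embedded-executable detection listed above boil down to a known-plaintext search: a Windows PE always carries the DOS stub text, so XORing a stream against that text at the right offset exposes the repeating key. The following is an added illustration of that idea, not QuickSand's own code; the key lengths, the fake PE header and the filler bytes are constructed for the example.

```python
"""Added example (not QuickSand's code): recover a short XOR key that hides a
Windows executable inside a document stream, using the DOS stub as known
plaintext, then confirm a PE header appears once the stream is decoded."""
import struct

DOS_STUB = b"This program cannot be run in DOS mode"
KEY_LENGTHS = (1, 2, 4, 8, 16)   # powers of two, like the lite build's search

def xor_decode(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_xor_key(data: bytes):
    """Slide the DOS stub over the stream; where ciphertext XOR plaintext repeats
    with period k, k is the key length. Returns (key aligned to stream offset 0,
    stub offset) or None."""
    n = len(DOS_STUB)
    for off in range(len(data) - n + 1):
        stream = bytes(c ^ p for c, p in zip(data[off:off + n], DOS_STUB))
        for klen in KEY_LENGTHS:
            if all(stream[i] == stream[i % klen] for i in range(n)):
                return bytes(stream[(j - off) % klen] for j in range(klen)), off
    return None

def find_embedded_pe(data: bytes):
    """Return (key, offset of MZ header) when decoding exposes a PE, else None."""
    hit = recover_xor_key(data)
    if hit is None:
        return None
    key, stub_off = hit
    plain = xor_decode(data, key)
    # The stub text sits a few dozen bytes after "MZ"; look back for the header.
    mz = plain.rfind(b"MZ", max(0, stub_off - 0x100), stub_off)
    if mz < 0 or mz + 0x40 > len(plain):
        return None
    e_lfanew = struct.unpack_from("<I", plain, mz + 0x3C)[0]
    if plain[mz + e_lfanew:mz + e_lfanew + 4] != b"PE\0\0":
        return None
    return key, mz

def build_sample_doc() -> bytes:
    """Constructed input: a minimal fake PE header (not a runnable binary)
    XOR-obfuscated with a 4-byte key and surrounded by filler bytes."""
    pe = bytearray(b"MZ" + b"\0" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x80)           # e_lfanew -> PE signature
    pe += b"\0" * 0x0E + DOS_STUB                    # stub text at offset 0x4E
    pe += b"\0" * (0x80 - len(pe)) + b"PE\0\0" + b"\0" * 0x20
    return b"FILLER" * 8 + xor_decode(bytes(pe), b"\x5a\x13\x9f\x02") + b"END"
```

Running `find_embedded_pe(build_sample_doc())` recovers the 4-byte key and reports the MZ header at offset 48; a stream with no stub text returns None.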

Link: http://feedproxy.google.com/~r/PentestTools/~3/iIjwIrdBxC0/quicksandio-tool-for-scanning-streams.html