A few different malware families have included Excel XLL add-in files as distribution mechanisms lately. These include IcedID and some commodity threats that HP’s security team documented as using ...

It’s been a little while since I checked in on Emotet to see how its first stage loaders are doing. Lately the first stage has been using Excel 4.0 macros to drop payloads, so in this post I’ll wal...

There are loads of different ways adversaries can distribute Cobalt Strike beacons and other malware. One of the common methods includes using HTML Application (HTA) files. In this post I’m going t...

In this post I want to take a look at a PowerShell-based Cobalt Strike beacon that appeared on MalwareBazaar. This particular beacon is representative of most PowerShell Cobalt Strike activity I se...

In this post I want to walk through analysis of a malicious PowerPoint file using olevba. This tool allows you to view macros within Office documents without opening them. If you want to follow alo...

In this post I want to walk through a process of using the NodeJS REPL (Read, Eval, Print Loop) to safely decode portions of malware during analysis. If you want to follow along at home, the sample...

In this post I’m going to take a look at a couple of simple YARA rules that excited me during my daily analysis tasks. These rules were inspired by the #100DaysOfYARA hashtag, and if you’re not fol...

Packing is really commonly used by adversary to stump analysis, so in this post I’m going to look at a sample that is really easy to unpack and get indicators from. In this case the sample is Mirai...

In this post I want to look at two script files that drop Agent Tesla stealers on affected systems and show how adversary decisions affect malware analysis and detection. If you want to follow alon...

In this post I’ll work through analyzing an AppX package from Magnitude Exploit Kit that drops Magniber. This adventure comes courtesy of a tweet from @JAMESWT_MHT: Some #Magniber sampleshttps://t...