Josh Stroschein | Feb 27 | 2 min read
Identifying UserForms with Oledump and Olevba
Malware authors often find creative ways to obfuscate and store their data, and malicious office documents are no exception. One such...
Josh Stroschein | Feb 15 | 2 min read
OneNote Malware: Hidden Payloads in Page Versions
While the abuse of OneNote documents is nothing new, a recent document I investigated revealed multiple payloads through the page...
Josh Stroschein | Feb 11 | 2 min read
Anti-Analysis in JavaScript Executed by Windows Script Host (WSH)
Note: This blog was originally published on Feb 24, 2020. It's common to see malicious office documents drop a JavaScript (JS) file to be...
Josh Stroschein | Feb 10 | 5 min read
Locating DLL Name from the Process Environment Block (PEB)
I often encounter software, especially when performing malware analysis, that dynamically constructs its own import table. This can be...
Josh Stroschein | Feb 10 | 1 min read
Exploring the Process Environment Block (PEB) with WinDbg
The source code for this example can be found here. The assembly is: mov ebx, fs:[ 0x30 ] ; // get a pointer to the PEB mov ebx, [ ebx +...
Josh Stroschein | Feb 8 | 2 min read
Maldoc Uses Template Injection for Macro Execution
Note - this was originally published in May of 2020. I recently came across a handful of malicious office documents (maldocs) whose...