Office DDE With Rad Powershell Obfuscation
$ vti 55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967
2017-10-16 19:51:47 INFO Starting VirusTotal Intelligence downloader
2017-10-16 19:51:47 INFO * VirusTotal Intelligence search: 55e2699721379352b0be2ea6b1c71257342d07efbe78c84d7257497f8f75e967
2017-10-16 19:51:47 INFO * Number of files to download: 100
2017-10-16 19:51:47 INFO Creating folder to store the requested files
2017-10-16 19:51:47 INFO Retrieving page of file hashes to download
2017-10-16 ...
Posted on October 17th, 2017
Microsoft Office DDE Poland Targeted Vortex Ransomware
pedram@PedBook:~/VXFarm/dde/day-5
$ vti bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9
2017-10-15 18:14:33 INFO Starting VirusTotal Intelligence downloader
2017-10-15 18:14:33 INFO * VirusTotal Intelligence search: bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9
2017-10-15 18:14:33 INFO * Number of files to download: 100
2017-10-15 18:14:33 INFO Creating folder to store the requested files
2017-10-15 18:14:33 INFO Retrieving page of file ...
Posted on October 15th, 2017
Microsoft Office DDE Freddie Mac Targeted Lure
Two more interesting samples came up from our hunts for Microsoft Office document Dynamic Data Exchange (DDE) payloads. For a quick jump into the conversation, the following Twitter "moment" captures relevant references and conversation surrounding the issue, detection, hunting, seen payloads, and mitigations:
https://twitter.com/i/moments/918126999738175489
Getting back to the sample, it's available at:
https://www.virustotal.com/en/file/313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71...
Posted on October 14th, 2017
Microsoft Office DDE SEC OMB Approval Lure
Two more interesting samples came up from our hunts for Microsoft Office document Dynamic Data Exchange (DDE) payloads. For a quick jump into the conversation, the following Twitter "moment" captures relevant references and conversation surrounding the issue, detection, hunting, seen payloads, and mitigations:
https://twitter.com/i/moments/918126999738175489
Getting back to the sample, it's available at:
https://www.virustotal.com/en/file/9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195...
Posted on October 14th, 2017
Microsoft Office DDE Macro-less Command Execution Vulnerability
On October 9th 2017, SensePost researchers posted a technique allowing for macro-less code execution from Microsoft Office documents through Dynamic Data Exchange (DDE). The following Twitter "moment" captures relevant references and conversation surrounding the issue, detection, hunting, seen payloads, and mitigations.
https://twitter.com/i/moments/918126999738175489
Hunting rule:
https://github.com/InQuest/yara-rules/blob/master/Microsoft_Office_DDE_Command_Execution.rule
Field ...
Posted on October 11th, 2017
hi.
First post via Evernote and delivered via http://postach.io. Let's check out some formatting...
bold
italic
underline
color changed
highlighted
Lists, with todo items:
do meand me
Note that the checkboxes above failed to render. How about a numeric lists:
wordtobig bird
Tried a colored/formatted source code paste from SublimeText Evernote plugin. Failed....
Picture test (Ritto as a puppy)...
FIN
-pedram
Posted on March 18th, 2016