Released v1.3.3 of #Yaralyzer, my surprisingly popular tool for visualizing YARA rule matches with colors (a lot of colors).

1. --export-png images lets you export images of the analysis

2. almost all command line options (including multi-argument ones like --yara-rules-dir) can be permanently set via environment variables or a .yaralyzer file

3. a couple of small bug fixes and debugging-related command line options

You can try it on the web here: https://yaratoolkit.securitybreak.io/
(I didn't build this website, Thomas Roccia from Microsoft just integrated Yaralyzer into his existing site)

- Github: https://github.com/michelcrypt4d4mus/yaralyzer
- Pypi: https://pypi.org/project/yaralyzer/
- on macOS you can also get it with #Homebrew by installing Pdfalyzer: brew install pdfalyzer

#ascii #asciiArt #blueteam #cybersecurity #detectionEngineering #DFIR #forensics #FOSS #GPL #hacking #infosec #KaliLinux #maldoc #malware #malwareAnalysis #malwareDetection #openSource #pypi #python #redteam #reverseEngineering #reversing #Threatassessment #threathunting #YARA #YARArule #YARArules

Released v1.17.0 of The Pdfalyzer, the surprisingly popular tool for analyzing (possibly malicious) PDFs I created after my own unpleasant experience. Now ships with two command line tools for extracting stuff from PDF files:

1. extract_text_from_pdfs() - brute-force extract all text from a PDF, including an #OCR extraction of any embedded images

2. extract_pdf_pages() - rip a page range from a #PDF and write them to a new one

* Github: https://github.com/michelcrypt4d4mus/pdfalyzer
* Pypi: https://pypi.org/project/pdfalyzer/
* Homebrew: https://formulae.brew.sh/formula/pdfalyzer
* Fun thread someone made last week using Pdfalyzer to explain some of how byzantine the PDF format is: https://x.com/VikParuchuri/status/1965773078585344215

#pypi #python #pdf #pdfs #malware #Threatassessment #maldoc #malwareanalysis #homebrew #infosec #cybersecurity #yararule #PdfFies

Used some #AI to jury-rig a basic API documentation site for The Yaralyzer, my unexpectedly popular tool for visualizing and forcibly decoding #YARA matches in binary data.

* GitHub: https://github.com/michelcrypt4d4mus/yaralyzer
* PyPi: https://pypi.org/project/yaralyzer/
* API documentation: https://michelcrypt4d4mus.github.io/yaralyzer/api/
* Can also be installed (indirectly) via homebrew if you install The #Pdfalyzer (different tool)

#ascii #asciiArt #blueteam #cybersecurity #detectionengineering #DFIR #forensics #FOSS #hacking #infosec #KaliLinux #malware #malwareDetection #malwareAnalysis #openSource #pdfalyzer #redteam #reverseEngineering #reversing #threathunting #yaralyze #yaralyzer #YARA #YARArule #YARArules


Just released version 1.0.1 of The Yaralyzer, my unexpectedly popular tool for visualizing and forcibly decoding #YARA matches in binary data. Fixes a small bug when trying to choose a byte offset to force a UTF-16 or UTF-32 decoding of matched bytes.

Someone set up Yaralyzer as a #Kali package; I'm not sure if that's made it into a release yet, but if not the links are below.

https://universeodon.com/@cryptadamist/113642071681749608

#ascii #asciiArt #blueteam #cybersecurity #detectionengineering #DFIR #forensics #FOSS #hacking #infosec #KaliLinux #malware #malwareDetection #malwareAnalysis #openSource #pdfalyzer #redteam #reverseEngineering #reversing #threathunting #yaralyze #yaralyzer #YARA #YARArule #YARArules

⚯ Michel de Cryptadamus ⚯ (@cryptadamist@universeodon.com):

Just pushed a new release of The Yaralyzer, my unexpectedly popular tool for visually inspecting the output of #YARA scans with a lot of colors. Example output below. The change is small: it can now use a directory full of YARA rules files without renaming them all to end in .yara.

https://github.com/michelcrypt4d4mus/yaralyzer

Someone has packaged this tool for Kali Linux, though I don't know if it's in the distro yet. Also available for macOS Homebrew via an installer someone made for The Pdfalyzer.

Thomas Roccia at #Microsoft was also kind enough to make The Yaralyzer available via a web interface: https://x.com/fr0gger_/status/1749690000478974283

#malware #infosec #cybersecurity #kali #KaliLinux #YARArules #malwaredetection #threathunting #reverseEngineering #malwareAnalysis #reversing #yaralyze #yaralyzer #pdfalyze #pdfalyzer #detectionengineering

Just published version 1.16.6 of The Pdfalyzer, the surprisingly popular tool for analyzing (possibly malicious) PDFs I created after my own unpleasant encounter with such a creature. Includes a (kind of janky) #YARA rule for #GIFTEDCROOK infostealer PDFs.

* Github: https://github.com/michelcrypt4d4mus/pdfalyzer
* Pypi: https://pypi.org/project/pdfalyzer/
* Homebrew: https://formulae.brew.sh/formula/pdfalyzer

#pypi #python #pdf #pdfs #malware #Threatassessment #maldoc #malwareanalysis #homebrew #infosec #cybersecurity #yararule

Custom YARA rule file is not included · Issue #10 · michelcrypt4d4mus/pdfalyzer

When trying to add custom YARA rules via the --yara-file or -Y argument, it does not seem to have an effect. The tool still produces the same output as without providing a valid YARA rule file. The YAR...

🛡️ Mitigation Tips Against Stealthy VBA Macros 📝

To protect against these stealthy VBA macros, consider disabling macros in Microsoft Office and restricting execution to trusted sources. 🚫📄

Educate users about the risks associated with enabling macros and employ robust email gateways for scanning attachments. 🎓📧

A YARA rule is also available to flag potential threats without relying on PDF header checks. 🚩🔍

Key points:

Malicious Word Document in a PDF-like Header: The malicious Word document is concealed within a PDF-like header that contains the signature %PDF-1.7, typically associated with PDF files.

MIME Encapsulation of HTML Documents: Within the fake PDF structure, there is a MIME encapsulation of aggregate HTML documents (MHTML Web Archive) that contains an embedded Base64 encoded ActiveMIME object. ActiveMIME is an undocumented Microsoft file format often used to store VBA Macros.

Obfuscation Techniques: Various obfuscation techniques are employed to evade detection based on signatures. These include the use of a non-compliant MIME type, fragmentation of Base64 encoded strings, and URL percent-encoded strings to obscure links.

PDF Header Not Required: Interestingly, the embedded MHT document file doesn't actually require a PDF header. Any text preceding the MHT file allows Microsoft Word to open the document file and execute the malicious macro if enabled.

Evasion of Signature-Based Detection: This technique can evade signature-based detection systems that specifically scan for a PDF header. The analysis shows a significant difference in detection rates between samples with and without the fake PDF header.

Mitigation Advice: To protect users from such threats, the summary provides several mitigation recommendations, including configuring Microsoft Office to disable macros by default, restricting macro execution to trusted sources, educating users about macro risks, and using robust email gateways for scanning attachments.

YARA Rule: A YARA rule is provided to identify potential malicious macros embedded in files without conducting PDF header checking. This rule checks for specific strings and patterns within files to flag potential threats.

Source: Trustwave SpiderLabs Blog

Tags: #Cybersecurity #Mitigation #UserEducation #YARARule #Trustwave #SpiderLabs #EmailSecurity 🌐🔐🛡️

Stealthy VBA Macro Embedded in PDF-like Header Helps Evade Detection

A recent discovery by JPCERT/CC sheds light on a new technique of embedding a malicious Word document within a PDF file using a .doc file extension.
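As an added example (not code from the Trustwave post, JPCERT/CC, Yaralyzer or Pdfalyzer), the detection logic the key points above call for, in Python: find the MHT body wherever it sits in the file, base64-decode every part that declares base64 transfer encoding, and look for the ActiveMime magic in the decoded bytes instead of string-matching the encoded text. The sample file is constructed inside the block; the `application/x-mso-nonstandard` MIME type and the 7-character fragmentation are assumptions standing in for the evasions the summary describes. The block also includes a naive raw-string check to show why a signature on the base64 form of the magic misses the fragmented sample while the decoding check catches it, with and without the decoy PDF header.

```python
"""Detect a Word MHT (MHTML) document carrying a base64-encoded ActiveMime blob,
no matter what precedes the MHT body (e.g. a decoy %PDF-1.7 header).

Added example; not code from the Trustwave post, JPCERT/CC, Yaralyzer or Pdfalyzer.
"""
import base64
import re
from dataclasses import dataclass, field
from typing import List

# The ActiveMime container (undocumented; holds the VBA project) begins with the
# ASCII magic "ActiveMime".  Its base64 form at a 3-byte-aligned offset is
# "QWN0aXZlTWltZQ", which is what a naive string signature looks for.
ACTIVEMIME_MAGIC = b"ActiveMime"
NAIVE_B64_SIGNATURE = b"QWN0aXZlTWltZQ"

MIME_VERSION_RE = re.compile(rb"MIME-Version:\s*1\.0", re.IGNORECASE)
BOUNDARY_RE = re.compile(rb'boundary="?([^"\r\n;]+)"?', re.IGNORECASE)
CTE_BASE64_RE = re.compile(rb"Content-Transfer-Encoding:\s*base64", re.IGNORECASE)
CONTENT_TYPE_RE = re.compile(rb"Content-Type:\s*([^\r\n;]+)", re.IGNORECASE)
NOT_BASE64_RE = re.compile(rb"[^A-Za-z0-9+/=]")


@dataclass
class ScanResult:
    starts_with_pdf_header: bool
    mhtml_offset: int                                           # -1 if no MIME-Version header
    activemime_parts: List[str] = field(default_factory=list)  # Content-Type of each hit


def scan(data: bytes) -> ScanResult:
    """Locate the MHT body anywhere in the file, base64-decode each part that
    declares base64 transfer encoding, and look for the ActiveMime magic in the
    DECODED bytes.  Decoding first defeats fragmentation of the encoded text; not
    keying on the declared Content-Type defeats the non-compliant MIME type trick."""
    result = ScanResult(data.startswith(b"%PDF-"), -1)
    m = MIME_VERSION_RE.search(data)
    if not m:
        return result
    result.mhtml_offset = m.start()
    body = data[m.start():]
    bm = BOUNDARY_RE.search(body)
    if not bm:
        return result
    delimiter = b"--" + bm.group(1).strip()
    for part in body.split(delimiter)[1:]:
        part = part.lstrip(b"\r\n")
        if part.startswith(b"--"):                 # closing "--boundary--"
            break
        sep = re.search(rb"\r?\n\r?\n", part)      # blank line ends the part headers
        if not sep:
            continue
        headers, payload = part[:sep.start()], part[sep.end():]
        if not CTE_BASE64_RE.search(headers):
            continue
        compact = NOT_BASE64_RE.sub(b"", payload)  # undo line-break / junk fragmentation
        compact += b"=" * (-len(compact) % 4)      # repair stripped padding
        try:
            decoded = base64.b64decode(compact)
        except ValueError:                         # binascii.Error is a ValueError
            continue
        if ACTIVEMIME_MAGIC in decoded:
            ct = CONTENT_TYPE_RE.search(headers)
            result.activemime_parts.append(
                ct.group(1).strip().decode("latin-1") if ct else "<no Content-Type>")
    return result


def naive_signature_hit(data: bytes) -> bool:
    """A string-only signature: search the raw bytes for the base64 form of the
    magic.  Fragmenting the encoded text defeats it."""
    return NAIVE_B64_SIGNATURE in data


def build_sample(fake_pdf_header: bool = True) -> bytes:
    """Constructed, harmless sample (not a real malware file): a Word-style MHT whose
    second part is a placeholder ActiveMime blob, base64-encoded and fragmented
    every 7 characters, optionally prefixed by a decoy PDF header."""
    blob = ACTIVEMIME_MAGIC + b"\x00\x01\x00" + b"\x00" * 13 + b"VBA payload placeholder"
    encoded = base64.b64encode(blob)
    fragmented = b"\r\n".join(encoded[i:i + 7] for i in range(0, len(encoded), 7))
    mht = (
        b"MIME-Version: 1.0\r\n"
        b'Content-Type: multipart/related; boundary="----=_NextPart_01"\r\n'
        b"\r\n"
        b"------=_NextPart_01\r\n"
        b'Content-Type: text/html; charset="us-ascii"\r\n'
        b"Content-Transfer-Encoding: 7bit\r\n"
        b"\r\n"
        b"<html><body>decoy</body></html>\r\n"
        b"------=_NextPart_01\r\n"
        b"Content-Type: application/x-mso-nonstandard\r\n"   # assumed non-compliant MIME type
        b"Content-Transfer-Encoding: base64\r\n"
        b"\r\n" + fragmented + b"\r\n"
        b"------=_NextPart_01--\r\n"
    )
    decoy = b"%PDF-1.7\r\n%\xe2\xe3\xcf\xd3\r\n" if fake_pdf_header else b""
    return decoy + mht


if __name__ == "__main__":
    for with_header in (True, False):
        sample = build_sample(with_header)
        print(f"decoy PDF header={with_header}: naive hit={naive_signature_hit(sample)}, "
              f"decoded scan={scan(sample)}")
```

The point of splitting on `MIME-Version` rather than on the first byte of the file is the one the summary makes: any leading bytes, PDF header or otherwise, are irrelevant to Word, so a detector gated on `%PDF-` at offset 0 is checking the wrong thing. Running the block prints a hit for the decoded scan in both cases and a miss for the naive signature in both.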


ndaal_open_source / ndaal_YARA_passwords_weak · GitLab

YARA rules that include hashed versions of the top weak passwords. The passwords are hashed in a respective rule according to the following permutations such as base64, md5, sha512,...
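As an added illustration of the idea behind such a ruleset (not the ndaal_YARA_passwords_weak rules themselves, whose structure the page does not show), the Python below generates a YARA rule whose strings are the plain, base64, md5 and sha512 forms of a constructed four-entry weak-password list, and includes a pure-Python stand-in for running that rule over a constructed config blob so it works without yara-python installed. The rule name, the `$pN_form` identifiers and the password list are assumptions.

```python
"""Generate a YARA rule that flags weak passwords in plain, base64, md5 and sha512
form, plus a pure-Python stand-in for matching it.  Added example illustrating the
hashed-weak-password idea; not the ndaal_YARA_passwords_weak rules themselves."""
import base64
import hashlib
from typing import Dict, List

# Constructed short list; a real ruleset would take a top-N weak password list.
WEAK_PASSWORDS = ["password", "123456", "admin", "qwerty"]
HEX_FORMS = ("md5", "sha512")   # hex digests are matched case-insensitively


def hashed_forms(pw: str) -> Dict[str, str]:
    """Every representation of one password that the rule should catch."""
    raw = pw.encode()
    return {
        "plain": pw,
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha512": hashlib.sha512(raw).hexdigest(),
    }


def _yara_escape(s: str) -> str:
    return s.replace("\\", "\\\\").replace('"', '\\"')


def build_yara_rule(passwords: List[str], rule_name: str = "weak_password_material") -> str:
    """Emit YARA source: one text string per (password, form), matched ascii and wide."""
    lines = [f"rule {rule_name}", "{", "    meta:",
             '        description = "weak passwords in plain, base64, md5 and sha512 form"',
             "    strings:"]
    for i, pw in enumerate(passwords):
        for form, value in hashed_forms(pw).items():
            mods = "ascii wide" + (" nocase" if form in HEX_FORMS else "")
            lines.append(f'        $p{i}_{form} = "{_yara_escape(value)}" {mods}')
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def _present(data: bytes, value: str, nocase: bool) -> bool:
    hay = data.lower() if nocase else data
    for enc in ("ascii", "utf-16-le"):           # the "ascii wide" modifiers
        needle = value.encode(enc)
        if (needle.lower() if nocase else needle) in hay:
            return True
    return False


def scan_for_weak_passwords(data: bytes, passwords: List[str]) -> List[str]:
    """Return the $identifiers of rule strings that would match, in rule order.
    Stand-in for yara.compile(source=...).match(data=...)."""
    hits = []
    for i, pw in enumerate(passwords):
        for form, value in hashed_forms(pw).items():
            if _present(data, value, form in HEX_FORMS):
                hits.append(f"$p{i}_{form}")
    return hits


# Constructed sample: md5("password") in upper-case hex and a UTF-16LE "admin".
SAMPLE_CONFIG = (b'db_pass_md5 = "5F4DCC3B5AA765D61D8327DEB882CF99"\r\n'
                 + b"user=" + "admin".encode("utf-16-le") + b"\r\n")

if __name__ == "__main__":
    print(build_yara_rule(WEAK_PASSWORDS))
    print(scan_for_weak_passwords(SAMPLE_CONFIG, WEAK_PASSWORDS))
```

Unsalted digests of a fixed word list are exact strings, which is why they fit YARA's string section at all; the same approach cannot cover salted or iterated hashes, so a ruleset like this catches config files, dumps and scripts that embed weak credentials, not properly stored password hashes.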
