Philippe Lagadec

@decalage
1,066 Followers
289 Following
257 Posts
Author of open-source projects oletools, olefile, ViperMonkey, ExeFilter, Balbuzard. Posting about #DFIR, #malware analysis, maldocs, file formats and #Python.
https://linktr.ee/decalage
Website: https://www.decalage.info
Github: https://github.com/decalage2
Twitter: https://twitter.com/decalage2
Twittodon: https://twittodon.com/share.php?t=decalage2&[email protected]
How can we detect malicious documents exploiting CVE-2026-21509, the recent 0-day vulnerability in MS Office?
=> I designed a YARA rule for this, which detects all the malicious files that have been reported.
I also improved oletools to analyze those files and see the suspicious URLs.
You can find the YARA rule and all the explanations about that vulnerability on my website https://decalage.info/CVE-2026-21509/
The first step is to pick the right mimetypes to get the files you need:
Get mimetypes-detected.csv from https://commoncrawl.github.io/cc-crawl-statistics/plots/mimetypes (Statistics of Common Crawl Monthly Archives by commoncrawl)
Also pick the crawl ids from that CSV file.
The second step is to edit the config file with those parameters. For example this one will download EXE files from the crawl CC-MAIN-2018-34:
Then you can run the tool for a few hours, and it will download thousands of files matching the mimetypes (mostly).
Some post-processing is needed after the download, as shown in the slides:
Other issues to keep in mind when using CommonCrawl:
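The thread above describes the procedure (pick mimetypes and crawl ids from the statistics CSV, configure the download, fetch records, post-process) but the config file and slides are not on this page. The following is an added example, not the author's tool or any code from the thread: it sketches the same pipeline in Python, with a constructed excerpt of mimetypes-detected.csv (its column layout is an assumption), a constructed Common Crawl index (CDX) JSON line, and a constructed gzip'd WARC record standing in for the HTTP Range response. The data.commoncrawl.org URL scheme and the offset/length Range arithmetic are the documented way to fetch a single WARC record; the post-processing step shows why "(mostly)" matters: it keeps only payloads whose magic bytes match the mimetype you asked for.

```python
import csv
import gzip
import io
import json

# Constructed excerpt in the column layout ASSUMED here for mimetypes-detected.csv
# (crawl id, detected mimetype, page count); the real file's columns may differ.
SAMPLE_MIMETYPES_CSV = """crawl,mimetype_detected,pages
CC-MAIN-2018-34,text/html,2000000000
CC-MAIN-2018-34,application/x-dosexec,15234
CC-MAIN-2018-34,application/x-msdownload,9876
CC-MAIN-2018-30,application/x-dosexec,14002
"""

# Constructed CC index (CDX) JSON line in the field layout index.commoncrawl.org returns;
# offset/length are strings in the real output too. The filename is made up.
SAMPLE_CDX_LINE = json.dumps({
    "url": "http://example.com/setup.exe",
    "mime": "application/octet-stream",
    "mime-detected": "application/x-dosexec",
    "status": "200",
    "filename": "crawl-data/CC-MAIN-2018-34/segments/0000000000000.0/warc/CC-MAIN-00000.warc.gz",
    "offset": "12345678",
    "length": "4321",
})

# Magic bytes used by the post-processing filter (constructed mapping, extend as needed).
MAGIC = {
    "application/x-dosexec": b"MZ",
    "application/x-msdownload": b"MZ",
    "application/pdf": b"%PDF",
}


def pick_mimetypes(csv_text, crawl, needle):
    """Step 1: mimetypes listed for one crawl id whose name contains `needle`."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted(r["mimetype_detected"] for r in rows
                  if r["crawl"] == crawl and needle in r["mimetype_detected"])


def crawls_with(csv_text, mimetype):
    """Step 1 (continued): crawl ids in which a given mimetype was detected."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return sorted({r["crawl"] for r in rows if r["mimetype_detected"] == mimetype})


def range_request(cdx_line):
    """Step 2/3: URL and Range header that fetch exactly one WARC record (one gzip member)."""
    rec = json.loads(cdx_line)
    offset, length = int(rec["offset"]), int(rec["length"])
    url = "https://data.commoncrawl.org/" + rec["filename"]
    return url, {"Range": f"bytes={offset}-{offset + length - 1}"}


def warc_payload(gz_bytes):
    """Strip the WARC headers and the HTTP headers from one gzip'd response record.
    Assumes an identity-encoded HTTP body, which is how Common Crawl stores responses."""
    raw = gzip.decompress(gz_bytes)
    _warc_hdr, _sep, rest = raw.partition(b"\r\n\r\n")
    _http_hdr, _sep, body = rest.partition(b"\r\n\r\n")
    return body


def keep_file(body, expected_mime):
    """Post-processing: keep only payloads whose magic matches the requested mimetype."""
    magic = MAGIC.get(expected_mime)
    return magic is not None and body.startswith(magic)


def fake_record(body):
    """Constructed gzip'd WARC response record standing in for the Range response."""
    http = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n" + body
    warc = (b"WARC/1.0\r\nWARC-Type: response\r\n"
            b"WARC-Target-URI: http://example.com/setup.exe\r\n"
            b"Content-Length: %d\r\n\r\n" % len(http)) + http
    return gzip.compress(warc)


if __name__ == "__main__":
    print(pick_mimetypes(SAMPLE_MIMETYPES_CSV, "CC-MAIN-2018-34", "x-"))
    print(crawls_with(SAMPLE_MIMETYPES_CSV, "application/x-dosexec"))
    print(range_request(SAMPLE_CDX_LINE))
    for body in (b"MZ\x90\x00" + b"\x00" * 60, b"<html>not an exe</html>"):
        payload = warc_payload(fake_record(body))
        print(keep_file(payload, "application/x-dosexec"), payload[:8])
```

The real download loop would issue a GET with the returned Range header for every index hit, write the gzip member to disk, and then run the same keep_file check (plus a hash-based dedup) over the results before loading them into an analysis pipeline.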

Does anybody remember which Windows or Office update changed the *default* behavior of the OLE Packager to block executable files, as described on this page? https://support.microsoft.com/en-us/office/packager-activation-in-office-365-desktop-applications-52808039-4a7c-4550-be3a-869dd338d834?ui=en-us&rs=en-us&ad=us
The build version or KB number is not mentioned in the article. It was at least April 2020.
Packager Activation in Office 365 desktop applications - Microsoft Support

To improve your security Microsoft Office now blocks activation of high risk extensions. This article explains why and offers instructions on how to unblock them if you really need to.

RT @pedramamini
New @InQuest blog post covering the recent rise of Microsoft OneNote as a malware carrier:

https://inquest.net/blog/2023/02/27/youve-got-malware-rise-threat-actors-using-microsoft-onenote-malicious-campaigns

We cover the timeline, campaigns, and tools. You can find downloadable samples and YARA detection logic at:

https://github.com/InQuest/malware-samples/tree/master/2023-02-OneNote

https://github.com/InQuest/yara-rules-vt/blob/main/Microsoft_OneNote_with_Suspicious_String.yar

You’ve Got Malware: The Rise of Threat Actors Using Microsoft OneNote for Malicious Campaigns

RT @DissectMalware
#pyOneNote v0.0.1 is now on #PyPI
pip install pyonenote

It prints:
1⃣ header fields
2⃣ all metadata (i.e. all PropertySets such as jcidEmbeddedFileNode, jcidImageNode)
3⃣ embedded files

and also dumps all embedded files

https://github.com/DissectMalware/pyOneNote

related https://twitter.com/DissectMalware/status/1622426990400913408

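The post above lists what pyOneNote prints (header fields, property sets, embedded files) and says it dumps the embedded files. As an added example, not pyOneNote's code and not from the thread, the following Python shows the two parts of that a DFIR analyst most often needs: the 16-byte file-type GUID check on the header (the same bytes the OneNote YARA rules key on), and carving of embedded files by scanning for the FileDataStoreObject structure from MS-ONESTORE (guidHeader, 8-byte cbLength, 4 unused, 8 reserved bytes, FileData, guidFooter). Scanning for the GUID rather than walking the revision store's object tree is deliberate: it still works on a truncated or mangled file. The sample .one built by build_sample_one is constructed for the demo and contains no real malware; guess_type's magic table is a small constructed mapping.

```python
import struct
import uuid

# GUIDs from MS-ONESTORE. .bytes_le gives the little-endian on-disk layout, so a .one file
# starts with E4 52 5C 7B 8C D8 A7 4D AE B1 53 78 D0 29 96 D3.
GUID_FILE_TYPE_ONE = uuid.UUID("7B5C52E4-D88C-4DA7-AEB1-5378D02996D3").bytes_le
GUID_FILE_TYPE_ONETOC2 = uuid.UUID("43FF2FA1-EFD9-4C76-9EE2-10EA5722765F").bytes_le
GUID_FILE_DATA_STORE = uuid.UUID("BDE316E7-2665-4511-A4C4-8D4D0B7A9EAC").bytes_le   # FileDataStoreObject.guidHeader
GUID_FILE_DATA_FOOTER = uuid.UUID("71FBA722-0F79-4A0B-BB13-899256426B24").bytes_le  # FileDataStoreObject.guidFooter

# FileDataStoreObject: guidHeader[16] cbLength[8] unused[4] reserved[8] FileData[cbLength] guidFooter[16]
FDSO_PREFIX_LEN = 16 + 8 + 4 + 8


def file_type(data):
    """Header field check: which OneNote container (if any) the first 16 bytes announce."""
    head = data[:16]
    if head == GUID_FILE_TYPE_ONE:
        return "one"
    if head == GUID_FILE_TYPE_ONETOC2:
        return "onetoc2"
    return None


def carve_embedded_files(data):
    """Yield (offset, payload) for every FileDataStoreObject found by scanning for its GUID."""
    pos = 0
    while True:
        pos = data.find(GUID_FILE_DATA_STORE, pos)
        if pos < 0:
            return
        (cb_length,) = struct.unpack_from("<Q", data, pos + 16)
        start = pos + FDSO_PREFIX_LEN
        end = start + cb_length
        if end + 16 > len(data) or data[end:end + 16] != GUID_FILE_DATA_FOOTER:
            # cbLength corrupt or payload truncated: step past this GUID and keep scanning
            pos += 16
            continue
        yield pos, data[start:end]
        pos = end + 16


# Coarse type hints for dumped payloads (constructed table); the store object itself does
# not carry the original file name, that lives in the jcidEmbeddedFileNode property set.
MAGIC = [(b"MZ", "exe"), (b"%PDF", "pdf"), (b"\xd0\xcf\x11\xe0", "ole"), (b"PK\x03\x04", "zip")]


def guess_type(payload):
    for magic, name in MAGIC:
        if payload.startswith(magic):
            return name
    return "bin"


def dump(data):
    """Return [(offset, type, size)] for each carved embedded file."""
    return [(off, guess_type(p), len(p)) for off, p in carve_embedded_files(data)]


def build_sample_one(payloads):
    """Constructed stand-in for a .one file: file-type GUID, filler in place of the rest of the
    Header structure, then one FileDataStoreObject per payload with filler between them."""
    out = bytearray(GUID_FILE_TYPE_ONE) + b"\x00" * 64
    for p in payloads:
        out += (GUID_FILE_DATA_STORE + struct.pack("<Q", len(p)) + b"\x00" * 4 + b"\x00" * 8
                + p + GUID_FILE_DATA_FOOTER)
        out += b"\x00" * 16
    return bytes(out)


if __name__ == "__main__":
    # Constructed sample: a fake PE stub and a fake script, the usual 2023 OneNote lure payloads.
    sample = build_sample_one([b"MZ\x90\x00" + b"A" * 40, b"<script>x</script>"])
    print("file type:", file_type(sample))
    for off, kind, size in dump(sample):
        print(f"offset {off:#x}: {kind}, {size} bytes")
```

On a real sample, feed open(path, "rb").read() to dump() and write each carved payload to disk named by offset; cross-check the count against what pyOneNote or a YARA hit on the FileDataStoreObject GUID reports.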
RT @angealbertini
A .one file header
RT @angealbertini
An LNK shortcut.