TyLabs - document malware analysis

sink document exploits

TyLabs specializes in tools to analyze and detect exploits and statically extract embedded executables from office documents and PDFs commonly used in targeted phishing attacks.

QuickSand.io

QuickSand

QuickSand is a C API and command line tool that statically decodes and analyzes the streams of office documents for exploits and uses a cryptanalysis attack to detect and extract embedded executables. It offers similar functionality to Cryptam, but with a faster single-pass cryptanalysis attack covering XOR key lengths from 2^0 to 2^10 bytes (every factor of 1024) combined with ROL/ROR, with automatic or user-supplied entropy zone detection. Additional optional ciphers are addition/subtraction and XOR with any user-chosen key length; further optional ciphers are bitwise NOT, XOR lookahead, and single-byte brute force with ROL/ROR. Yara exploit and active content signatures are applied deep into the document's file streams, including streams nested within streams, where a normal static surface scan or antivirus can miss them. Try it at QuickSand.io or download the open source command line version, quicksand_lite.
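The following is an added example of the single-pass cryptanalysis attack described above, written for this page; it is not QuickSand's or Cryptam's code, and its entropy-zone heuristic, the fake PE used as input, the key bytes and the rotation are all constructed here for illustration. It recovers an XOR key of any length in the factors of 1024 (or a user-chosen list of lengths) together with a ROL/ROR amount, using the fact that an executable's headers and padding are mostly null bytes, so the most common ciphertext byte at each key position is the encoding of 0x00. The optional ciphers (addition/subtraction, NOT, lookahead, brute force) are not implemented here.

```python
"""Added example (not TyLabs code): a single-pass XOR+ROL/ROR cryptanalysis
attack that recovers the key of an executable hidden in a document stream."""
import math
import random
from collections import Counter

KEY_LENGTHS = [1 << i for i in range(11)]              # 1, 2, 4, ..., 1024: the factors of 1024
PE_MARKER = b"This program cannot be run in DOS mode"  # DOS stub text present in almost every PE


def ror8(b: int, r: int) -> int:
    return ((b >> r) | (b << (8 - r))) & 0xFF


def rol8(b: int, r: int) -> int:
    return ((b << r) | (b >> (8 - r))) & 0xFF


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def find_zones(buf: bytes, window: int = 256, delta: float = 1.5):
    """Automatic zone detection (a heuristic assumed here, not the tool's own): flag
    windows whose entropy departs from the document's median by more than `delta`
    bits and merge neighbours. An XOR-encoded PE is an outlier in both directions:
    its null-padded header collapses to a few repeating key bytes (low entropy)
    while its code section stays near 8 bits (high entropy)."""
    if not buf:
        return []
    hs = [entropy(buf[i:i + window]) for i in range(0, len(buf), window)]
    median = sorted(hs)[len(hs) // 2]
    zones = []
    for idx, h in enumerate(hs):
        if abs(h - median) > delta:
            start, end = idx * window, min(len(buf), (idx + 1) * window)
            if zones and zones[-1][1] == start:
                zones[-1] = (zones[-1][0], end)
            else:
                zones.append((start, end))
    return zones


def decode(buf: bytes, key: bytes, rot: int) -> bytes:
    """Inverse of c = ROL(p ^ key[i % L], rot). Rotation distributes over XOR, so an
    encoder that did ROL(p, rot) ^ k2 is the same cipher with k2 = ROL(key, rot), and
    one that used ROR by r is covered by rot = 8 - r: looping rot over 0..7 covers all."""
    L = len(key)
    return bytes(ror8(c, rot) ^ key[i % L] for i, c in enumerate(buf))


def attack(buf: bytes, zone=None, key_lengths=KEY_LENGTHS):
    """Recover key length, key bytes and rotation from the byte statistics of `zone`
    (absolute offsets; None = whole stream), decode the whole stream and carve the PE.
    The key byte at each position is whatever byte most often appears there, on the
    assumption that it encodes 0x00: PE headers and section padding are null-heavy."""
    start, end = zone or (0, len(buf))
    for L in key_lengths:
        if L * 4 > end - start:              # need several key periods to take a mode
            break
        counts = [Counter() for _ in range(L)]
        for i in range(start, end):
            counts[i % L][buf[i]] += 1
        modes = [c.most_common(1)[0][0] for c in counts]
        for rot in range(8):
            key = bytes(ror8(m, rot) for m in modes)   # the key for which decode(mode) == 0x00
            plain = decode(buf, key, rot)
            m = plain.find(PE_MARKER)
            if m < 0:
                continue
            mz = plain.rfind(b"MZ", max(0, m - 256), m)  # DOS header sits just before the stub text
            if mz >= 0:
                return {"key": key, "key_len": L, "rot": rot, "offset": mz, "plain": plain}
    return None


def find_embedded_executable(buf: bytes):
    """Automatic mode: attack each entropy zone, then fall back to the whole stream."""
    for zone in find_zones(buf) + [None]:
        hit = attack(buf, zone)
        if hit:
            return hit
    return None


def build_sample(key: bytes = b"\x4b\xe2\x17\x91", rot: int = 3):
    """Constructed input: a fake PE (null-padded header, DOS stub, pseudo-random 'code')
    XOR/ROL-encoded and dropped between two runs of ordinary document text."""
    rng = random.Random(7)
    header = (b"MZ\x90\x00" + b"\x00" * 60 + b"\x80\x00\x00\x00"
              + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd!\xb8\x01L\xcd!" + PE_MARKER + b".\r\r\n$"
              + b"\x00" * 900)
    exe = header + bytes(rng.randrange(256) for _ in range(1500)) + b"\x00" * 600
    enc = bytes(rol8(p ^ key[i % len(key)], rot) for i, p in enumerate(exe))
    text = b"Lorem ipsum dolor sit amet, consectetur adipiscing elit. " * 60
    return text + enc + text, exe


if __name__ == "__main__":
    doc, exe = build_sample()
    hit = find_embedded_executable(doc)
    print("zones:", find_zones(doc))
    print("key", hit["key"].hex(), "len", hit["key_len"], "rot", hit["rot"], "at", hit["offset"])
    print("carved executable matches:", hit["plain"][hit["offset"]:hit["offset"] + len(exe)] == exe)
```

The key is recovered from the zone's statistics but the whole stream is then decoded, because the zone heuristic can start after the MZ header; the marker check on the decoded output is what separates a real hit from a wrong key, so a key of all zeros with rotation 0 also reports a plain, unencoded executable. A key of length 1024 needs at least a few kilobytes of null-heavy data in the zone, which real PE headers and section alignment padding usually provide.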

PDFExaminer

PDFExaminer is a PHP web application and command line tool to decode and decrypt PDF streams for analyst review as well as detect exploits and obfuscation. Try it at PDFExaminer.com.
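The following is an added example, not PDFExaminer's code, of why decoding PDF streams matters before looking for unsafe content: it inflates every FlateDecode stream, resolves the #xx name escapes attackers use to hide keywords like /JavaScript, and reports indicators that are visible only after decoding. The stream regex, the indicator list and the sample PDF fragment are constructed here for illustration.

```python
"""Added example (not PDFExaminer's code): inflate a PDF's FlateDecode streams and
scan them for active-content indicators that a surface scan of the raw file misses."""
import re
import zlib

# An object dictionary followed by its stream body. Non-greedy, so nested << >> are
# handled by backtracking to the >> that is actually followed by 'stream'.
STREAM_RE = re.compile(rb"(<<.*?>>)\s*stream\r?\n(.*?)\r?\nendstream", re.S)
# Names commonly treated as unsafe content; \b keeps /JS from matching longer names.
INDICATOR_RE = re.compile(rb"/(JavaScript|JS|OpenAction|AA|Launch|RichMedia|EmbeddedFile)\b")


def normalize_names(data: bytes) -> bytes:
    """Resolve PDF name hex escapes so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def inflate(data: bytes) -> bytes:
    """zlib-inflate a FlateDecode body; tolerate truncated or checksum-less streams
    (common in malicious PDFs) by falling back to the streaming decompressor."""
    try:
        return zlib.decompress(data)
    except zlib.error:
        return zlib.decompressobj().decompress(data)


def decoded_streams(pdf: bytes):
    """Yield (normalized dictionary, decoded body) for every stream object."""
    for m in STREAM_RE.finditer(pdf):
        d, body = normalize_names(m.group(1)), m.group(2)
        if b"/FlateDecode" in d:
            body = inflate(body)
        yield d, body


def scan(pdf: bytes):
    """Return sorted (location, indicator) pairs: 'surface' for hits in the raw file,
    'stream' for hits only visible after decoding, e.g. inside an /ObjStm."""
    findings = set()
    for m in INDICATOR_RE.finditer(normalize_names(pdf)):
        findings.add(("surface", m.group(0).decode()))
    for _d, body in decoded_streams(pdf):
        for m in INDICATOR_RE.finditer(normalize_names(body)):
            findings.add(("stream", m.group(0).decode()))
    return sorted(findings)


def build_sample() -> bytes:
    """Constructed PDF fragment: the catalog and the JavaScript action live inside a
    compressed object stream and use a hex-escaped name, so the raw file looks clean."""
    hidden = (b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\n"
              b"<< /Type /Action /S /J#61vaScript /JS (app.alert(1)) >>\n")
    packed = zlib.compress(hidden)
    return (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /ObjStm /N 2 /First 0 /Length " + str(len(packed)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"%%EOF\n")


if __name__ == "__main__":
    sample = build_sample()
    print("surface hits:", INDICATOR_RE.findall(sample))
    print("after decoding:", scan(sample))
```

Real documents add more filters (ASCIIHex, ASCII85, LZW, RunLength, filter chains) and encryption, which is why the page describes PDFExaminer as decoding and decrypting streams before review; this example covers only FlateDecode to keep the decoding step visible.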

Cryptam

Cryptam is a PHP web application and command line tool to statically analyze streams of office documents for exploits, and uses a multiple-pass cryptanalysis attack to detect and extract embedded executables. Try it at Cryptam.com.

Product Comparison

Stream    | Product     | Versions                | Exploit CVE ID | Unsafe Content                | Extract Executables
----------+-------------+-------------------------+----------------+-------------------------------+--------------------
PDFs      | PDFExaminer | PHP cli, web+MySQL      | x (PDF)        | JavaScript, Flash             |
Documents | QuickSand   | C cli, C api, web+MySQL | x (Office)     | Active content, Flash, Macros | x (doc/PDF)
Documents | Cryptam     | PHP cli, web+MySQL      | x (Office)     | Active content, Flash, Macros | x (doc/PDF)

QuickSand vs Cryptam Feature Comparison

Feature                                   | QuickSand                       | Cryptam
------------------------------------------+---------------------------------+-----------------
source code                               | C                               | PHP
versions                                  | CLI / PHP web + MySQL           | CLI / web + MySQL
unxor                                     | Factors of 1024, chosen length  | Factors of 1024
rol/ror                                   | 1-7                             | 1-7
signature                                 | Yara: complex/text/hex/regex    | text/hex/regex
addition/subtraction math cipher          | 1-255                           |
single byte brute force                   | optional                        | automatic
bitwise not                               | optional                        | automatic
xorla (xor lookahead cipher)              | optional                        | automatic
output                                    | json/text                       | text
unzip                                     | libzip                          | external
mime/mso base64                           | y                               | y
ExOleObjStgCompressedAtom GZInflate       | y                               | y
XML encapsulated OLE zlib stream GZInflate| y                               | y
ActiveMime GZUncompress                   | y                               | y
Enhanced RTF decode                       | y                               | y
Use your own Yara Trojan signatures       | y                               | y
structhash for similarity                 | y                               | n