Here is an overview of content I published in 2019:
Blog posts:
- Update: msoffcrypto-crack.py Version 0.0.2
- Update: msoffcrypto-crack.py Version 0.0.3
- Update: cut-bytes.py Version 0.0.9
- Update: oledump.py Version 0.0.41
- Update: translate.py Version 2.5.5
- Update: pdf-parser.py Version 0.7.0
- Update: pdf-parser.py Version 0.7.1
- Analyzing a Phishing PDF with /ObjStm
- Update: re-search.py Version 0.0.13
- Update: oledump.py Version 0.0.42
- Maldoc: Excel 4.0 Macro
- Quickpost: PDF Tools Download Feature
- Update: pecheck.py Version 0.7.6
- list-interfaces.xlsm
- Quickpost: Browsers & Content-Disposition
- Extracting “Stack Strings” from Shellcode
- Update: translate.py Version 2.5.6
- Update: python-per-line.py Version 0.0.6
- Update: format-bytes.py Version 0.0.8
- Update: jpegdump.py Version 0.0.7
- Quickpost: Retrieving an SSL Certificate with nmap
- WebDAV, NTLM & Responder
- DSSuite: A Docker Container With My Tools
- Update: zipdump Version 0.0.15
- Update: hex-to-bin.py Version 0.0.2
- Update: sets.py Version 0.0.3
- Quickpost: C Random Functions in Other Languages
- Update: virustotal-search.py Version 0.1.5
- New Tool: amsiscan.py
- Quickpost: nslookup Types
- Update: format-bytes.py Version 0.0.9
- Quickpost: tcp-honeypot.py & Browser Tests
- Update: pdf-parser.py Version 0.7.2
- Downloading Executables Over DNS: Capture Files
- Update: msoffcrypto-crack.py Version 0.0.4
- Update: hash.py Version 0.0.7
- Update: pecheck.py Version 0.7.7
- Update: hex-to-bin.py Version 0.0.3
- Update: strings.py Version 0.0.4
- Update Of My PDF Tools
- Shark Jack Capture File
- PowerShell, Add-Type & csc.exe
- New Tool: simple_tcp_stats.py
- Quickpost: ExifTool, OLE Files and FlashPix Files
- Update: pecheck.py Version 0.7.8
- Quickpost: Compiling Service DLLs with MinGW on Kali
- Quickpost: Running a Service DLL
- Update: cut-bytes.py Version 0.0.10
- Update: numbers-to-string.py Version 0.0.10
- Update: format-bytes.py Version 0.0.10
- Steganography and Malware
- Update: tcp-honeypot.py Version 0.0.7
- Update: numbers-to-string.py Version 0.0.9
- Update: oledump.py Version 0.0.43
- Analyzing .DWG Files With Embedded VBA Macros
- Update: oledump.py Version 0.0.44
- zoneidentifier.exe
- Update: zipdump.py Version 0.0.16
- Update: pdf-parser.py Version 0.7.4 and pdfid.py Version 0.2.7
- YARA “Ad Hoc Rules”
YouTube videos:
- msoffcrypto-crack
- Analyzing a Simple HTML Phishing Attachment
- Maldoc Analysis of the Weekend
- Finding Property Values in Office Documents
- PDF: Stream Objects (/ObjStm)
- Analyzing a Phishing PDF with /ObjStm
- Maldoc: Excel 4.0 Macro
- Maldoc Analysis: Excel 4.0 Macro
- Analysis of PDFs Created with OpenOffice/LibreOffice
- nmap Service Detection Customization
- Analyzing Compressed PowerShell Scripts
- Analyzing DAA Files
- Encrypted Sextortion PDFs
- Analyzing .DWG Files With Embedded VBA Macros
- AutoCAD & VBA
Videoblog posts:
- msoffcrypto-crack
- Analyzing a Simple HTML Phishing Attachment
- Maldoc Analysis of the Weekend
- Finding Property Values in Office Documents
- PDF: Stream Objects (/ObjStm)
- Analyzing a Phishing PDF with /ObjStm
- Maldoc: Excel 4.0 Macro
- Maldoc Analysis: Excel 4.0 Macro
- Analysis of PDFs Created with OpenOffice/LibreOffice
- nmap Service Detection Customization
- Analyzing Compressed PowerShell Scripts
- Analyzing DAA Files
- Encrypted Sextortion PDFs
- Analyzing .DWG Files With Embedded VBA Macros
- AutoCAD & VBA
SANS ISC Diary entries:
- Make a Wheel in 2019!
- Maldoc with Nonfunctional Shellcode
- A Malicious JPEG?
- A Malicious JPEG? Second Example
- Malicious .tar Attachments
- Analyzing Encrypted Malicious Office Documents
- Quick Maldoc Analysis
- Suspicious GET Request: Do You Know What This Is?
- Video: Analyzing Encrypted Malicious Office Documents
- Video: Analyzing a Simple HTML Phishing Attachment
- Maldoc Analysis of the Weekend
- Video: Maldoc Analysis of the Weekend
- Have You Seen an Email Virus Recently?
- Finding Property Values in Office Documents
- Video: Finding Property Values in Office Documents
- Know What You Are Logging
- Identifying Files: Failure Happens
- Sextortion Email Variant: With QR Code
- Maldoc Analysis by a Reader
- Quick and Dirty Malicious HTA Analysis
- Wireshark 3.0.0 and Npcap
- Tip: Ghidra & ZIP Files
- Maldoc: Excel 4.0 Macros
- Video: Maldoc Analysis: Excel 4.0 Macro
- Wireshark 3.0.0 and Npcap: Some Remarks
- “VelvetSweatshop” Maldocs
- Decoding QR Codes with Python
- “VelvetSweatshop” Maldocs: Shellcode Analysis
- “404” is not Malware
- Maldoc Analysis of the Weekend by a Reader
- Analysis of PDFs Created with OpenOffice/LibreOffice
- Analyzing UDF Files with Python
- .rar Files and ACE Exploit CVE-2018-20250
- Malicious VBA Office Document Without Source Code
- Quick Tip for Dissecting CVE-2017-11882 Exploits
- VBA Office Document: Which Version?
- Text and Text
- Do You Remember the SUBST Command?
- Video: nmap Service Detection Customization
- nmap Service Fingerprint
- Office Document & BASE64? PowerShell!
- Analyzing First Stage Shellcode
- Retrieving Second Stage Payload with Ncat
- Tip: BASE64 Encoded PowerShell Scripts are Recognizable by the Amount of Letter As
- Tip: Sysmon Will Log DNS Queries
- Sysmon Version 10: DNS Logging
- Maldoc: Payloads in User Forms
- A “Stream O” Maldoc
- Machine Code?
- Malicious XSL Files
- Machine Code? No!
- isodump.py and Malicious ISO Files
- Malicious RTF Analysis CVE-2017-11882 by a Reader
- Analyzing Compressed PowerShell Scripts
- A Python TCP proxy
- Video: Analyzing Compressed PowerShell Scripts
- Recognizing ZLIB Compression
- Detecting ZLIB Compression
- Nmap Defcon Release: 7.80
- Malicious .DAA Attachments
- Analysis of a Spearphishing Maldoc
- The DAA File Format
- Video: Analyzing DAA Files
- Compressed ISO Files (ISZ)
- Encrypted Sextortion PDFs
- Wireshark 3.0.5 Release: Potential Windows Crash when Updating
- Video: Encrypted Sextortion PDFs
- YARA XOR Strings: an Update
- Encrypted Maldoc, Wrong Password
- Maldoc, PowerShell & BITS
- YARA v3.11.0 released
- YARA’s XOR Modifier
- Wireshark 3.0.6 Released
- Using scdbg to Find Shellcode
- Tip: Password Managers and 2FA
- Remark on EML Attachments
- You Too? “Unusual Activity with Double Base64 Encoding”
- Wireshark 3.0.7 Released
- (Lazy) Sunday Maldoc Analysis
- (Lazy) Sunday Maldoc Analysis: A Bit More …
- VirusTotal Email Submissions
- Malicious .DWG Files?
- Wireshark 3.2.0 Released
- Extracting VBA Macros From .DWG Files
- New oledump.py plugin: plugin_version_vba
- Corrupt Office Documents
NVISO blog posts:
Good work
… but I think not all of these are working on Linux … see the last version of oledump.py
[mythcat@desk oledump_V0_0_42]$ python oledump.py ../Downloads/test_file.docx
  File "oledump.py", line 977
    exec open(plugin, 'r') in globals(), globals()
              ^
SyntaxError: invalid syntax
Comment by Cătălin George Feștilă — Friday 3 January 2020 @ 11:00
Ah no, oledump works on Linux & OSX. The problem here is that you’re using an older version that doesn’t yet support Python 3. Use the latest version and it will work.
Comment by Didier Stevens — Sunday 12 January 2020 @ 9:42