Didier Stevens

Tuesday 29 September 2020

“Epic Manchego” And My Tools

Filed under: Announcement — Didier Stevens @ 0:00

Over the last months, I’ve been quite busy working with my colleagues on report “Epic Manchego – atypical maldoc delivery brings flurry of infostealers“: we’ve tracked an actor creating a new type of malicious Office document.

To help with the automatic analysis of all the maldocs produced by this actor (several per day), I added new features to existing tools and created new tools.

I’m releasing this work in the coming months (some has already been published: oledump.py and zipdump.py).


  1. Just a few minutes ago there was a new sample: Bazaar 430b0f7bdcbd48c46ce405797e74e37db99e2c453e8dd434eeb57eb9217b1781
    The VBA is very efficient

    Comment by No — Wednesday 30 September 2020 @ 8:13

  2. I’ll take a look.

    Comment by Didier Stevens — Wednesday 30 September 2020 @ 15:57

  3. Are the samples available somewhere to test existing protection tools on the local Webserver?

    Comment by iko — Wednesday 30 September 2020 @ 20:48

  4. Yes, all of the samples are on VirusTotal. And many samples are also available on malware bazaar (free download, no subscription). The samples’ hashes are listed in our report.

    Comment by Didier Stevens — Wednesday 30 September 2020 @ 20:50

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.