[SANS ISC] Finding Strings With oledump.py, (Sat, Jul 3rd)

In the diary entry “CFBF Files Strings Analysis” I show how to extract strings from CFBF/OLE files with my tool oledump.py.

What if you have found an interesting string and want to know from which stream it was extracted? For example, the URL extracted in my previous diary entry: hxxp://example[.]com/phishing

oledump.py has an option to scan the content of each stream with YARA rules: -y.

You could write a small YARA rule that searches for example.com, save it to disk and pass it as the value of oledump’s -y option, followed by the file to analyze (sample.vir below is a placeholder for the document under analysis):

oledump.py -y rule.yara sample.vir

But you don’t need to create a file with a YARA rule: you can also do this directly from the command line using “ad hoc rules”, like this:

With this result, we know that streams 2 and 8 contain the string example.com.
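As an added illustration (my code, not oledump’s, which evaluates real rules with the yara-python library), here is what such a string rule amounts to and how a per-stream scan answers the “which stream?” question. An ad hoc rule written on the command line as -y "#s#example.com" is turned by oledump into a one-string rule; the modifiers it applies are assumed here to be ascii wide nocase, so the string is found whether a stream stores it as ASCII or as UTF-16LE (common in Office documents) and regardless of case. The streams below are constructed sample data, not the contents of a real document, and the regex search emulates those three modifiers rather than running a YARA engine.

```python
import re
from typing import Dict, List


def adhoc_string_rule(needle: str, rule_name: str = "string") -> str:
    """Return YARA rule text that looks for `needle` as ASCII or UTF-16LE,
    case-insensitively. Save it as rule.yara to use it with oledump's -y
    when you prefer a rule file over an ad hoc rule."""
    escaped = needle.replace("\\", "\\\\").replace('"', '\\"')
    return (
        f"rule {rule_name}\n"
        "{\n"
        "    strings:\n"
        f'        $a = "{escaped}" ascii wide nocase\n'
        "    condition:\n"
        "        $a\n"
        "}\n"
    )


def compile_needle(needle: str) -> "re.Pattern[bytes]":
    """Regex emulating the ascii/wide/nocase modifiers (assumed to be the
    ones an ad hoc #s# rule gets): match the string's ASCII bytes or its
    UTF-16LE bytes, ignoring ASCII case in either form."""
    ascii_form = re.escape(needle.encode("ascii"))
    wide_form = re.escape(needle.encode("utf-16-le"))
    return re.compile(b"(?:" + ascii_form + b")|(?:" + wide_form + b")", re.IGNORECASE)


def find_streams(streams: Dict[int, bytes], needle: str) -> List[int]:
    """Return the sorted indices of the streams whose content contains `needle`,
    i.e. the stream numbers oledump prints in its overview."""
    pattern = compile_needle(needle)
    return sorted(index for index, data in streams.items() if pattern.search(data))


# Constructed sample streams (NOT from a real document): a CompObj-like header,
# a VBA module holding the URL as ASCII, a UTF-16LE stream holding the same host
# in upper case, and two decoys that must not match.
SAMPLE_STREAMS: Dict[int, bytes] = {
    1: b"\x01\x00\xfe\xff\x03\x0a\x00\x00CompObj",
    2: b'Attribute VB_Name = "Module1"\r\nurl = "hxxp://example.com/phishing"',
    3: b"Microsoft Office Word",
    8: "http://EXAMPLE.COM/index.php".encode("utf-16-le"),
    9: b"example dot com",
}


if __name__ == "__main__":
    print(adhoc_string_rule("example.com"))
    hits = find_streams(SAMPLE_STREAMS, "example.com")
    print("streams containing example.com:", hits)  # [2, 8]
    # A plain byte search misses the UTF-16LE stream; that is what 'wide' adds.
    naive = sorted(i for i, d in SAMPLE_STREAMS.items() if b"example.com" in d)
    print("naive byte search hits:", naive)  # [2]
```

Stream 8 stores the host as UTF-16LE in upper case, so a plain byte search (or grep on the raw file) only reports stream 2; the wide and nocase modifiers are what make the rule find both streams, which matters when you are tracing where an extracted string actually lives.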

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
