Today we made another 'technological leap' with VxStream Sandbox, this time
related to PDF analysis. As most of you surely know, PDF phishing campaigns
are a very popular attack vector (an invoice or mail-tracking PDF with a link
to the malicious file). The new version of VxStream parses the PDF file
structure and pulls out the URLs it finds. Not only that, but it will also
download the files at those URLs and execute them if they are supported by
the environment. If the downloaded file is a zip archive, it will even unpack
it before analysis. Sounds good? :) It is!
Anyway, the feature is very new and does not work with 'Stealthy Mode' yet,
so you may have mixed experiences. The online service has been updated with
it, and here is a first report of a PDF file that ran with the new feature:
Please take note of three things:
- The signature 'The input sample dropped a file that was identified as malicious' (that's the .exe file behind the malicious URL)
- The signature 'Found potential URL in binary/memory', which contains the malicious URL (it's still online, so beware; hxxp://www.sarnfields.co.uk/mcP5sr8XS4)
- The dropped file was actually executed (see 'Hybrid Analysis' section, click on the process)
The sample is available for download from the report (see the link at the top).
SHA256: 11edf9436a9205c88c2a815cf6ebfb0a7a42eb150a2649766b3bb30350ee35ed
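The URL-extraction step described above, as an added example that is not VxStream's own code: a small Python scanner that pulls /URI entries out of a PDF's link annotations, including ones hidden in FlateDecode object streams, and returns them for triage rather than fetching anything. The PDF bytes and the example.invalid URLs are constructed for this example.

```python
import re
import zlib
# Constructed minimal PDF (not a real sample): two /Link annotations, one /URI as a literal string, one as hex.
SAMPLE_PDF = (
    b"%PDF-1.5\n4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (http://example.invalid/track/invoice-4711) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"<687474703a2f2f6578616d706c652e696e76616c69642f7a69702f696e766f6963652e7a6970> >> >> endobj\n"
)
# A third annotation inside a FlateDecode object stream, as modern PDF writers emit them.
_OBJSTM = zlib.compress(b"6 0 << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.invalid/dl/a.exe) >> >>")
SAMPLE_PDF += (b"7 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length %d >>\nstream\n" % len(_OBJSTM)
               + _OBJSTM + b"\nendstream endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n")

# /URI value as a literal string (...) or a hex string <...>; indirect references
# (/URI 9 0 R) and literals with nested unescaped parentheses are not handled.
URI_RE = re.compile(rb"/URI\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)", re.S)

def _decode_literal(raw: bytes) -> bytes:
    # Undo PDF literal-string escapes: \ddd octal, \n \r \t, and \( \) \\.
    def unescape(m):
        esc = m.group(1)
        if esc[:1] in b"01234567":
            return bytes([int(esc, 8) & 0xFF])
        return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(esc, esc)
    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, raw, flags=re.S)

def _inflated_streams(data: bytes):
    # Inflate every FlateDecode stream so URIs hidden in object streams are scanned too.
    for m in re.finditer(rb"/FlateDecode.*?stream\r?\n(.*?)endstream", data, re.S):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # damaged or not really Flate: skip it rather than abort the scan

def extract_pdf_uris(data: bytes) -> list[str]:
    # Unique URIs in order of appearance, from the raw bytes and then each inflated stream.
    found = []
    for blob in [data, *_inflated_streams(data)]:
        for m in URI_RE.finditer(blob):
            if m.group("lit") is not None:
                raw = _decode_literal(m.group("lit"))
            else:  # hex string; a missing final digit counts as 0 per the PDF spec
                hx = re.sub(rb"\s", b"", m.group("hex"))
                raw = bytes.fromhex((hx + b"0"[: len(hx) % 2]).decode())
            url = raw.decode("latin-1")
            if url not in found:
                found.append(url)
    return found
```

`extract_pdf_uris(SAMPLE_PDF)` returns all three URLs, the one from the compressed object stream included; defang them (hxxp, as in the URL quoted above) before they go into a report.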
Windows 10 Insider Preview
Another part we have been working on (but not on the public servers yet) is Windows 10 compatibility. Here is a first run of the latest benchmark tool 'Pafish' on Windows 10 'Insider Preview':
The new background image is really cool, don't you think? :-)