Office document malware analysis
+cryptanalysis attack on 256 byte XOR obfuscation (20-10 bytes)
+static extraction of embedded executables

Try brute force all 1 byte XOR+ROL | Try xor lookahead algo (xorla) | rerun existing sample

[Hash Search] | [Recent Reports] | [Advanced Search]

QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits.

QuickSand can be run as a command line tool, be wrapped in a web/db interface, or integrated into other products. It can be used as an exploit detection engine, a sandbox pre-processor, or a forensic tool to extract document malware streams. Fingerprint exploit kit usage by exploit location and offset. Run Yara malware trojan signatures on exploit documents against dynamically decoded streams and unXORed executables.

Web API:

On GitHub now.

Free standalone command line version:

On GitHub - quicksand_lite project.

Detailed blog post.


Zip stream within an OLE document [html] [json]:

32 byte XOR encoded executable [html] [json]:

OpenXML docx file with a PostScript exploit and multiple embedded EXEs in hex streams [html] [json]:

Simple scoring:


Sandbox pre-processing benefits:

Exploit detection and embedded executable detection:

Embedded executable detection:

Stream decoding:

Static Library Dependencies:

Build from source:

Command line options:


Industry standard Yara rules for known exploit detection:

Example rule, rank variable is used to score a sample.


#include "libqs.c"
quicksandInit(); //initialize system
struct qs_file *qs_root = NULL;

quicksand_do(string, fsize, quicksand_build_message("root", NULL, &qs_root, QS_FILE_CHILD), &qs_root);  //process string of size fsize
char *buffer = malloc(24000);
quicksandGraph(buffer, 24000, 0, qs_root); // create report
printf("%s", buffer); //print report
quicksandDropFiles(qs_root, &qs_root);
quicksandReset(&qs_root); //cleanup between samples
quicksandDestroy(); //final cleanup

Subscriptions & maintenance:


Operated by Malware Tracker Limited.

QuickSand.io software by TyLabs.