Document+PDF Malware Analysis

QuickSand Framework

QuickSand is a Python-based analysis framework to analyze suspected malware documents to identify exploits in streams of different encodings or compressions. QuickSand supports documents, PDFs, Mime/Email, Postscript and other common formats.

QuickSand supports Yara signatures within the decoded streams of documents and PDFs to identify exploits or high risk active content.


Use Cases

Stop breaches before they happen

Automate detection of malware in Office documents and PDF files. Identify malicious macros, embedded scripts, or exploits in documents. Stop threats before a breach.

Our View

Malicious active content makes up over half of the current malware documents and the majority of PDF malware we’ve seen in 2020. Phishing attachments can lead to ransomware, financial theft or serious espionage from foreign states. QuickSand can detect these threats at the earliest stages - use QuickSand to check emails as they arrive, or use QuickSand as a tool to scan suspicious files reported by users that antivirus can’t detect. Don’t be a breach victim: use QuickSand to augment your antivirus and other security solutions.

QuickSand is a Python module that can be run as a fully on-premise command line tool, be wrapped in a web/db interface, or integrated into other products. Provide a file or stream of data and receive a risk rating, then decide yourself what level of risk to allow. From criminal actors to Advanced Persistent Threat (APT) groups, we can provide early detection of new emerging threats and malware with otherwise low commercial antivirus detection (where rates of 12-20% on VirusTotal are common for document malware). Add your own Yara signatures for exploits in decoded streams or to identify exploit kits.
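The approach described above (peel each encoding or compression layer off a document, run signatures over the decoded bytes rather than the raw file, and roll the hits up into a risk rating) is illustrated below in a small self-contained Python example written for this page. It is not QuickSand's own code and does not call the QuickSand module's API: the "signatures" are plain regular expressions standing in for Yara rules, the sample documents are constructed in memory, and the rule weights and rating thresholds are assumptions chosen for the illustration.

```python
import base64
import binascii
import io
import re
import zipfile
import zlib

# Constructed stand-ins for Yara rules: (name, pattern over DECODED bytes, weight).
# Names, patterns and weights are assumptions for this example, not QuickSand's rule set.
SIGNATURES = [
    ("vba_autoopen",   re.compile(rb"Auto_?Open|Document_Open|Workbook_Open", re.I), 5),
    ("vba_shell",      re.compile(rb"\bShell\b|WScript\.Shell|CreateObject", re.I), 10),
    ("pdf_javascript", re.compile(rb"/JavaScript|/JS\b"), 8),
    ("pdf_openaction", re.compile(rb"/OpenAction|/AA\b"), 3),
]

# PDF stream object header: use the declared /Length to slice the stream body exactly.
PDF_STREAM = re.compile(rb"/Length (\d+)[^>]*>>\s*stream\r?\n")
# Runs of base64 text long enough to be an embedded blob rather than a word.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def decode_layers(data, label="raw", depth=0, max_depth=4):
    """Yield (label, bytes) for data and every layer that can be peeled off it."""
    yield (label, data)
    if depth >= max_depth:
        return
    # ZIP container: OOXML documents (docx/xlsx/pptx) are ZIP files of XML parts and binaries.
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    yield from decode_layers(zf.read(name), f"{label}/zip:{name}", depth + 1, max_depth)
        except (zipfile.BadZipFile, zlib.error, NotImplementedError, RuntimeError):
            pass
    # PDF stream objects, commonly /FlateDecode (zlib); fall back to the raw body if not compressed.
    for m in PDF_STREAM.finditer(data):
        body = data[m.end():m.end() + int(m.group(1))]
        try:
            body, kind = zlib.decompress(body), "flate"
        except zlib.error:
            kind = "stream"
        yield from decode_layers(body, f"{label}/{kind}@{m.start()}", depth + 1, max_depth)
    # Base64 blobs embedded in text (MIME attachments, script droppers).
    for m in B64_RUN.finditer(data):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue
        yield from decode_layers(blob, f"{label}/b64@{m.start()}", depth + 1, max_depth)


def scan(data):
    """Run every signature over every decoded layer; return {signature: [layers it hit]}."""
    hits = {}
    for label, layer in decode_layers(data):
        for name, pattern, _ in SIGNATURES:
            if pattern.search(layer):
                hits.setdefault(name, []).append(label)
    return hits


def risk_rating(data):
    """Sum the weight of each distinct signature hit and map the score to a rating."""
    hits = scan(data)
    weights = {name: weight for name, _, weight in SIGNATURES}
    score = sum(weights[name] for name in hits)
    rating = "high" if score >= 10 else "medium" if score > 0 else "low"  # thresholds are assumptions
    return {"score": score, "rating": rating, "hits": hits}


def build_macro_docx():
    """Constructed OOXML-style ZIP; the vbaProject.bin part is a plain-text stand-in for real VBA storage."""
    buf = io.BytesIO()
    parts = {
        "[Content_Types].xml": "<Types/>",
        "word/document.xml": "<w:document/>",
        "word/vbaProject.bin": 'Sub Auto_Open()\n    Shell("constructed-command")\nEnd Sub\n',
    }
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in parts.items():
            info = zipfile.ZipInfo(name, date_time=(2020, 1, 1, 0, 0, 0))  # fixed for determinism
            zf.writestr(info, text, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def build_js_pdf():
    """Constructed PDF fragment whose OpenAction JavaScript is hidden inside a Flate stream."""
    payload = b"<< /OpenAction << /S /JavaScript /JS (app.alert('constructed')) >> >>"
    stream = zlib.compress(payload)
    return (b"%PDF-1.7\n1 0 obj\n<< /Length " + str(len(stream)).encode()
            + b" /Filter /FlateDecode >>\nstream\n" + stream + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    for title, sample in [("macro docx", build_macro_docx()), ("js pdf", build_js_pdf())]:
        print(title, risk_rating(sample))
```

Note that neither sample scores on its raw bytes alone: the macro text is deflated inside the ZIP and the PDF action sits in a zlib stream, so a scanner that only looks at the file as stored sees nothing. The `hits` map records which decoded layer each signature fired in, which is the detail an analyst wants when triaging a flagged attachment.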

What is phishing?

Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — and to click a link or download an attachment.

What really distinguishes phishing is the form the message takes: the attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. It’s one of the oldest types of cyberattacks, dating back to the 1990s, and it’s still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated. Source: CSO Online

The Stats

According to a March 2020 CSO Online report, phishing attacks are again the top cause of security incidents:

Try QuickSand for free online or order an on-premise license now.

Risky content