Automate detection of malware in Office documents and PDF files. Identify malicious macros, embedded scripts, or exploits in documents. Stop threats before a breach.
Detection: QuickSand digs deeper into document streams and encodings to detect malware that normal AV may miss.
Reduce Risk: Detect active content that could access private information within your organization.
Threat Intelligence: Use QuickSand’s similarity features to identify documents from the same actors or exploit kit. Define attribution through TTPs.
Save Time: Use QuickSand results to determine the CVE an exploit targets, and so which version of Office or PDF software to use in a dynamic sandbox to achieve exploitation so that network IOCs can be extracted.
Common Language: Identify exploits by CVE and MITRE ATT&CK techniques to map your adversary’s TTPs quickly and efficiently.
QuickSand is a framework for analyzing suspected malware documents to identify exploits in streams of different encodings or compressions. QuickSand supports documents, PDFs, MIME/email, PostScript and other common formats.
QuickSand supports YARA signatures within the decoded streams of documents and PDFs to identify exploits or high-risk active content.
Decode and decompress streams in OLE (Microsoft Word doc/Excel xls/PowerPoint ppt), OpenXML (Word docx/Excel xlsx/PowerPoint pptx), Hangul HWP, Adobe Reader PDF, Rich Text Format RTF, PostScript, MIME emails, MSO, Adobe XML Data Package .XDP PDF.
Scan with YARA within streams and sub-files.
Detect and define CVE ID for known exploits.
Define MITRE ATT&CK framework technique IDs for each exploit.
Handle nested formats and nested encapsulation.
Includes updates and exploit signature updates.
According to a March 2020 CSO Online report, phishing attacks are again the top cause of security incidents:
94% of malware is delivered via email
Phishing attacks account for more than 80% of reported security incidents
$17,700 is lost every minute due to phishing attacks
60 percent of breaches involved vulnerabilities for which a patch was available but not applied
63 percent of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach
Data breaches cost enterprises an average of $3.92 million
Phishing is a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need — a request from their bank, for instance, or a note from someone in their company — and to click a link or download an attachment.
What really distinguishes phishing is the form the message takes: the attackers masquerade as a trusted entity of some kind, often a real or plausibly real person, or a company the victim might do business with. It’s one of the oldest types of cyberattacks, dating back to the 1990s, and it’s still one of the most widespread and pernicious, with phishing messages and techniques becoming increasingly sophisticated. Source: CSO Online
Malicious active content makes up over half of the current malware documents and the majority of PDF malware we’ve seen in 2020. Phishing attachments can lead to ransomware, financial theft or serious espionage from foreign states. QuickSand can detect these threats at the earliest stages: use QuickSand to check emails as they arrive, or use it as a tool to scan suspicious files reported by users that antivirus can’t detect. Don’t be a breach victim; use QuickSand to augment your antivirus and other security solutions.
QuickSand is a Python module that can be run as a fully on-premise command line tool, be wrapped in a web/db interface, or integrated into other products. Provide a file or stream of data and receive a risk rating, then decide for yourself what level of risk to allow. From criminal to Advanced Persistent Threat (APT) threats, we can provide early detection of new and emerging threats and malware with otherwise low commercial antivirus detection (where rates of 12-20% on VirusTotal are common for document malware). Add your own YARA signatures for exploits in decoded streams or to identify exploit kits.
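Why scanning decoded streams matters, as an added example that is not QuickSand's code or API: a stdlib-only sketch that recursively inflates FlateDecode streams in a constructed PDF-like sample and matches byte patterns at every layer. The regex patterns stand in for YARA rules, and the rule names, helper functions and sample bytes are assumptions made for this illustration.

```python
import re
import zlib

# Stand-ins for YARA rules: plain byte patterns with hypothetical rule names.
RULES = {
    "pdf_openaction": re.compile(rb"/OpenAction"),
    "pdf_javascript": re.compile(rb"/JavaScript"),
}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)
MAX_OUT = 1 << 20  # cap per-stream output so a decompression bomb cannot exhaust memory


def decoded_layers(data, depth=0, max_depth=4):
    """Yield (depth, bytes) for the input and every Flate stream nested inside it."""
    yield depth, data
    if depth >= max_depth:
        return
    for match in STREAM_RE.finditer(data):
        try:
            # decompressobj tolerates the EOL bytes left before "endstream"
            inner = zlib.decompressobj().decompress(match.group(1), MAX_OUT)
        except zlib.error:
            continue  # not Flate data; the raw bytes were already yielded above
        yield from decoded_layers(inner, depth + 1, max_depth)


def scan_raw(data):
    """What a scanner sees when it matches only the file's bytes as stored."""
    return sorted(name for name, rule in RULES.items() if rule.search(data))


def scan_decoded(data):
    """Map each matching rule to the shallowest decoding depth where it fired."""
    hits = {}
    for depth, blob in decoded_layers(data):
        for name, rule in RULES.items():
            if rule.search(blob):
                hits[name] = min(depth, hits.get(name, depth))
    return hits


def wrap(payload):
    """Constructed PDF-like object holding payload in a FlateDecode stream."""
    return (b"1 0 obj << /Filter /FlateDecode >>\nstream\n"
            + zlib.compress(payload) + b"\nendstream\nendobj\n")


# Constructed sample: active-content markers buried two compression layers deep.
MARKERS = b"<< /OpenAction 2 0 R >> << /S /JavaScript /JS (app.alert(1)) >>"
SAMPLE = b"%PDF-1.5\n" + wrap(wrap(MARKERS)) + b"%%EOF\n"
```

On SAMPLE, scan_raw finds nothing while scan_decoded reports both rules at depth 2, the nested-encapsulation case from the feature list.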