File Formats For Exploit and Active Content Detection
- doc, docx, docm, rtf, etc
- ppt, pptx, pps, ppsx, etc
- xls, xlsx, etc
- mime mso
- eml email
File Formats For Executable Detection
- All of the above, plus PDF.
- Any document format such as HWP.
Lite Version - Mplv2 License
- Key dictionary up to 256 byte XOR
- Bitwise ROL, ROR, NOT
- Addition or substraction math cipher
- Executable extraction: Windows, Mac, Linux, VBA
- Exploit search
- RTF pre processing
- Hex stream extract
- Base 64 Stream extract
- Embedded Zip extract
- ExOleObjStgCompressedAtom extract
- zLib Decode
- Mime Mso xml Decoding
- OpenXML decode (unzip)
- Yara signatures included: Executables, active content, exploits CVE 2014 and earlier
Example results and more info blog post
Full Version - Commercial License
- Key cryptanalysis 1-1024 bytes factors of 2; or a specified odd size 1-1024 bytes
- 1 Byte zerospace not replaced brute force XOR search
- XOR Look Ahead cipher
- More Yara signatures included: All lite plus most recent exploits 2014-2016 for CVE identification
- Try the full version online at QuickSand.io
Dependencies (not included)
- Yara 3.4+
- zlib 1.2.1+
- libzip 1.1.1+
Distributed components under their own licensing
- MD5 by RSA Data Security, Inc.
- SHA1 by Paul E. Jones
- SHA2 by Aaron D. Gifford
- jWrite by TonyWilk for json output
- tinydir by Cong Xu, Baudouin Feildel for directory processing
Quick Start
- ./build.sh
- ./quicksand.out -h
- ./quicksand.out malware.doc
Documentation