quicksand_lite - Command line tool for scanning streams within office documents plus xor db attack.

Latest Change 12/5/2017:
+ Added detection for EPS (Encapsulated PostScript) streams obfuscated with XOR.
+ Removed tempnam calls (tempnam creates temporary file names in a race-prone way; the replacement avoids that class of bug).

quicksand_lite is a compact C framework for analysing suspected malicious documents. It does two things: 1) identifies exploits inside streams that may be stored in several encodings, and 2) locates and extracts embedded executables, including ones hidden under XOR or rotate obfuscation. Because it recovers the obfuscated executable rather than matching a known exploit, QuickSand can flag documents carrying zero-day or otherwise unknown exploits: a document that drops a PE file is suspicious regardless of which vulnerability it uses to get there.

File formats for exploit and active content detection:
– doc, docx, docm, rtf, etc.
– ppt, pptx, pps, ppsx, etc.
– xls, xlsx, etc.
– MIME MSO
– eml (email)

quicksand – Office document malware analysis.

Features:
+ Fast document deconstruction
+ Yara API integration: Executable | Exploits | Trojans
+ Run Yara signatures against decoded streams and de-XORed executables
+ Cryptanalysis of obfuscated executables and extraction: xor | rol/ror
+ Non-bruteforce instant cracking of long 256-byte XOR keys (20-10 bytes).
+ Optional brute force 1-byte XOR attack.
+ Optional brute force math cipher attack.
+ Optional xor-lookahead algorithm (xorla).
+ Pre-sandbox processing of phishing samples to extract executables/implant installers
+ Integratable, cross-platform ANSI C
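The "non-bruteforce" XOR key recovery described in the feature list, and the embedded-executable extraction from the overview above, both rest on one idea: a PE file carries known plaintext (the DOS stub message "This program cannot be run in DOS mode"), so XORing that crib against the ciphertext yields the key stream directly, and a repeating key reveals its own length. The program below is an added illustration of that technique in ANSI C, written for this page; it is not quicksand_lite's code and does not use its API. It slides the crib over a buffer, derives the key stream, checks it for a period, re-aligns the key to buffer offset 0, and confirms the hit by walking back to the decrypted "MZ" signature. The sample carrier bytes, the 5-byte key "k3yZ!", the offsets and all function names are constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_KEY  256    /* longest key the period test will report */
#define MAX_BACK 1024   /* how far before the crib to look for the decrypted "MZ" */

/* Known plaintext (crib): the DOS stub message found in nearly every PE file. */
static const char CRIB[] = "This program cannot be run in DOS mode";
#define CRIBLEN (sizeof(CRIB) - 1)

typedef struct {
    size_t  crib_off;       /* blob offset where the crib decrypted */
    size_t  pe_start;       /* blob offset of the recovered "MZ" */
    size_t  keylen;
    uint8_t key[MAX_KEY];   /* aligned so that key[p % keylen] applies to blob[p] */
} xor_hit;

/* Key byte that applies to blob position p. */
uint8_t key_at(const xor_hit *h, size_t p) { return h->key[p % h->keylen]; }

/* Smallest period L of a derived key stream, confirmed over at least two full periods. */
static size_t find_period(const uint8_t *ks, size_t n) {
    for (size_t L = 1; L <= n / 2 && L <= MAX_KEY; L++) {
        size_t i;
        for (i = 0; i + L < n && ks[i] == ks[i + L]; i++) ;
        if (i + L >= n) return L;
    }
    return 0;
}

/* Known-plaintext XOR attack: slide the crib over the blob, derive ciphertext ^ crib,
   test it for periodicity, then confirm by decrypting back to an "MZ" header. */
int xor_crack(const uint8_t *blob, size_t n, xor_hit *hit) {
    uint8_t ks[CRIBLEN];
    for (size_t off = 0; off + CRIBLEN <= n; off++) {
        for (size_t i = 0; i < CRIBLEN; i++) ks[i] = blob[off + i] ^ (uint8_t)CRIB[i];
        size_t L = find_period(ks, CRIBLEN);
        if (L == 0) continue;
        xor_hit h;
        h.crib_off = off; h.keylen = L;
        /* ks[i] is the key byte for blob position off+i; re-align it to blob offset 0 */
        for (size_t j = 0; j < L; j++) h.key[j] = ks[(j + L - off % L) % L];
        /* Confirm: walking back from the crib, the decrypted bytes must contain "MZ" */
        size_t lo = off > MAX_BACK ? off - MAX_BACK : 0;
        for (size_t s = off; s-- > lo; ) {
            if ((blob[s] ^ key_at(&h, s)) == 'M' && (blob[s + 1] ^ key_at(&h, s + 1)) == 'Z') {
                h.pe_start = s;
                *hit = h;
                return 1;
            }
        }
    }
    return 0;
}

/* Decrypt from the recovered "MZ" to the end of the blob (or cap); returns bytes written. */
size_t xor_extract(const uint8_t *blob, size_t n, const xor_hit *h, uint8_t *out, size_t cap) {
    size_t len = n - h->pe_start;
    if (len > cap) len = cap;
    for (size_t i = 0; i < len; i++) out[i] = blob[h->pe_start + i] ^ key_at(h, h->pe_start + i);
    return len;
}

/* Constructed sample, not a real document: filler bytes carrying a minimal fake PE
   (MZ signature, e_lfanew, DOS stub text) XOR-encrypted with `key` at offset pe_off. */
#define SAMPLE_LEN 1024
size_t build_sample(uint8_t *buf, size_t cap, const char *key, size_t pe_off) {
    uint8_t pe[128] = {0};
    size_t klen = strlen(key);
    if (cap < SAMPLE_LEN || pe_off + sizeof pe > SAMPLE_LEN || klen == 0) return 0;
    for (size_t i = 0; i < SAMPLE_LEN; i++) buf[i] = (uint8_t)(i * 7 + 13);
    pe[0] = 'M'; pe[1] = 'Z';
    pe[0x3C] = 0x80;                      /* e_lfanew: PE header would follow the stub */
    memcpy(pe + 0x4E, CRIB, CRIBLEN);     /* DOS stub message at its usual offset */
    for (size_t i = 0; i < sizeof pe; i++) buf[pe_off + i] = pe[i] ^ (uint8_t)key[i % klen];
    return SAMPLE_LEN;
}

/* Runs the attack on a 5-byte key and on a 1-byte key; returns 1 when both recover correctly. */
int selftest(void) {
    static const char *keys[] = { "k3yZ!", "\xa5" };
    static const size_t offs[] = { 303, 17 };
    for (int t = 0; t < 2; t++) {
        uint8_t blob[SAMPLE_LEN], out[SAMPLE_LEN];
        xor_hit h;
        size_t klen = strlen(keys[t]);
        size_t n = build_sample(blob, sizeof blob, keys[t], offs[t]);
        if (!n || !xor_crack(blob, n, &h)) return 0;
        if (h.keylen != klen || h.pe_start != offs[t] || h.crib_off != offs[t] + 0x4E) return 0;
        for (size_t i = 0; i < klen; i++)
            if (key_at(&h, offs[t] + i) != (uint8_t)keys[t][i]) return 0;
        if (xor_extract(blob, n, &h, out, sizeof out) != SAMPLE_LEN - offs[t]) return 0;
        if (out[0] != 'M' || out[1] != 'Z' || memcmp(out + 0x4E, CRIB, CRIBLEN) != 0) return 0;
    }
    return 1;
}

int main(void) {
    uint8_t blob[SAMPLE_LEN];
    xor_hit h;
    size_t n = build_sample(blob, sizeof blob, "k3yZ!", 303);
    if (!xor_crack(blob, n, &h)) { puts("no XOR-obfuscated PE found"); return 1; }
    printf("MZ at 0x%zx, crib at 0x%zx, key length %zu, key at MZ: ", h.pe_start, h.crib_off, h.keylen);
    for (size_t i = 0; i < h.keylen; i++) printf("%02x", key_at(&h, h.pe_start + i));
    putchar('\n');
    return 0;
}
```

Two caveats a practitioner should keep in mind. The period test needs the crib to cover at least two full key periods, so a 38-byte crib only recovers keys up to 19 bytes; longer cribs (or several cribs at known relative offsets) are what push the recoverable key length toward the 256 bytes the feature list mentions. And the "MZ" confirmation is what keeps false positives down: a chance periodic key stream from random data almost never also decrypts to a DOS header a few hundred bytes earlier.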

Installation:

Source: https://github.com/tylabs