Hello, welcome to the Monday, August 9, 2021 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich, and the time, recording from Stockholm, Germany.

On Friday, Xavier walked you through a yet another malicious VERT document.

What's sort of special about this is not just that a reader submitted the

document but well this reader actually also clicked and executed the document by mistake.

Common trick here, the sender was spoofed and resembled a known person to the victim.

So that's how it often happens.

Maybe the sender got also compromised themselves or sometimes even just accidentally the email does look right or just matches something that's currently going on.

So Xavier took the opportunity to walk you through various obfuscation techniques here and how to

recognize with roughly simple means that this is a malicious document and what it is trying to

accomplish.

Abuse.c.H. for a while now is operating a malware bazaar, and

what's of special and, I guess, different between malware bazaar and a virus totalist, that

malware bazaar makes it easy to download a malicious sample. So great to get training material if you are doing reverse

analysis. Well they now added a new service you can actually download a

daily zip file with all the samples that they received that particular day.

They're created around midnight but they're asking you not to download

them exactly at midnight because it takes a while for everything to sort of get sipped up and

probably don't want to flood them all with requests just at exactly the same time.

A couple of months ago, I talked about how a number of languages, Pearl and Python, for example,

had a very similar vulnerability in that they didn't validate IP address correctly, in particular

if the Octal format was used.

...