beaker logo [document malware analysis]

QuickSand Document Analysis | PDF Analysis | Cryptam Document Analysis

QuickSand Malware Document Detection Suite

QuickSand is a compact C framework to analyze suspected malware documents to 1) identify exploits in streams of different encodings, 2) locate and extract embedded executables. By having the ability to locate embedded obfuscated executables, QuickSand could detect documents that contain zero-day or unknown obfuscated exploits.

QuickSand can be run as a command line tool, be wrapped in a web/db interface, or integrated into other products. It can be used as an exploit detection engine, a sandbox pre-processor, or a forensic tool to extract document malware streams. Fingerprint exploit kit usage by exploit location and offset. Run Yara malware trojan signatures on exploit documents against dynamically decoded streams and unXORed executables.


Zip stream within an OLE document:

32 byte XOR encoded executable:

OpenXML docx file with a PostScript exploit and multiple embedded EXEs in hex streams:

Simple scoring:


Sandbox pre-processing benefits:

Exploit detection and embedded executable detection:

Embedded executable detection:

Stream decoding:

Static Library Dependencies:

Build from source:

Command line options:


Industry standard Yara rules for known exploit detection:

Example rule, rank variable is used to score a sample.


#include "libqs.c"
quicksandInit(); //initialize system
struct qs_file *qs_root = NULL;

quicksand_do(string, fsize, quicksand_build_message("root", NULL, &qs_root, QS_FILE_CHILD), &qs_root);  //process string of size fsize
char *buffer = malloc(24000);
quicksandGraph(buffer, 24000, 0, qs_root); // create report
printf("%s", buffer); //print report
quicksandDropFiles(qs_root, &qs_root);
quicksandReset(&qs_root); //cleanup between samples
quicksandDestroy(); //final cleanup

Contact us for more information.