
Cryptam Malware Document Detection Suite

Automate detection of malware in Microsoft Office documents (Word, PowerPoint, Excel, RTF, CHM and HLP) and of embedded executables in PDF files. Detect the most common enterprise threats, including variants of CVE-2009-4324, CVE-2006-2492, CVE-2009-3129, CVE-2010-3333, CVE-2012-0754, CVE-2012-0779, CVE-2012-0158, CVE-2012-1535, CVE-2012-1856, CVE-2012-5054, and Visual Basic macros. From criminal actors to Advanced Persistent Threat (APT) groups, we provide early detection of new and emerging threats and malware; commercial antivirus detection rates of only 12-20% on VirusTotal are common for document malware.

Cryptam detects encrypted embedded executables by performing cryptanalysis on the submitted document, reports the key that was used, and detects strings associated with executables. The web interface provides a visual representation of the analysis as well as a confidence rating for each detected entity.

Cryptam also includes advanced features for detecting embedded malware inside Open XML documents such as MS Office .docx, .pptx and .xlsx files. It uncompresses and scans Shockwave Flash CWS files embedded in Office documents and detects embedded executables in RTF datastores. Extraction of embedded executables (and dropped documents) happens automatically, and the extracted files can be fed into a sandbox or static analysis tool. Include your own signatures and receive signature updates free for the first year.

Detection and extraction are supported for combinations of XOR encryption with keys of various lengths, bitwise ROL or ROR shifting, bitwise NOT, and transposition ciphers, including header-only transposition. Both Windows and Mac executables can be extracted from documents.

Process spear phishing attacks to gather intelligence from the malware and compare metadata such as the last-saved-by user, write times, character sets and encryption methods.

Cryptam can also be used to analyse encoded malware executables, such as the variable-length XOR encoding used in command and control (C2) communications (for example malware module downloads or updates captured in a network PCAP).
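The cryptanalysis described above (recovering a repeating XOR key, possibly combined with a bit rotation or a NOT, from an embedded executable) and the same recovery applied to an XOR-encoded payload pulled from network capture both rest on one observation: every PE file carries the DOS stub string "This program cannot be run in DOS mode", so a known-plaintext search can recover the key wherever that string is hidden. The following is an added example written for this page, not Cryptam's own code; the constructed sample blob, the fake PE header and the key are all assumptions, and it covers only the XOR, ROL/ROR and NOT cases, not transposition.

```python
"""Recover an XOR-encoded (optionally bit-rotated) embedded PE from a blob by
known-plaintext cryptanalysis. Added example; not Cryptam's implementation."""

from typing import Optional

# Every PE file carries this DOS stub string, which makes it ideal known plaintext.
DOS_STUB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. A 1-byte key is single-byte XOR; key b"\\xff" is bitwise NOT."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def rotate(data: bytes, n: int) -> bytes:
    """Rotate every byte left by n bits (negative n rotates right, i.e. ROR)."""
    n %= 8
    return bytes(((b << n) | (b >> (8 - n))) & 0xFF for b in data)


def recover_xor_key(blob: bytes, plaintext: bytes, key_len: int) -> Optional[bytes]:
    """Slide the known plaintext over the blob. At each offset derive
    key[pos] = cipher ^ plain with pos = absolute offset mod key_len and
    require every position to agree. The key is returned phased to offset 0
    of the blob, or None if no offset fits."""
    if key_len > len(plaintext):  # not enough plaintext to pin down every key byte
        return None
    for off in range(len(blob) - len(plaintext) + 1):
        key = [-1] * key_len
        for i, p in enumerate(plaintext):
            pos = (off + i) % key_len
            k = blob[off + i] ^ p
            if key[pos] == -1:
                key[pos] = k
            elif key[pos] != k:
                break  # contradiction: wrong offset or wrong period
        else:
            return bytes(key)
    return None


def find_encoded_executable(blob: bytes, max_key_len: int = 16) -> Optional[dict]:
    """Try each rotation 0..7 (undone before the XOR step, assuming the encoder
    applied XOR first and ROL second) and key lengths 1..max_key_len. The
    shortest period wins because any multiple of the true period also fits."""
    for rol in range(8):
        candidate = rotate(blob, -rol)  # undo a ROL-by-rol with a ROR
        for key_len in range(1, max_key_len + 1):
            key = recover_xor_key(candidate, DOS_STUB, key_len)
            if key is None:
                continue
            decoded = xor_bytes(candidate, key)
            stub_at = decoded.find(DOS_STUB)
            mz_at = decoded.rfind(b"MZ", 0, stub_at)  # MZ header precedes the stub
            start = mz_at if mz_at != -1 else stub_at
            # Re-phase the key so index 0 lines up with the start of the executable.
            phased = bytes(key[(m + start) % key_len] for m in range(key_len))
            return {"rol": rol, "key": phased, "pe_offset": start, "decoded": decoded[start:]}
    return None


def build_sample(key: bytes, rol: int) -> bytes:
    """Constructed document: cover text, then a fake PE (MZ header + DOS stub)
    that has been XOR-encoded and then bit-rotated, as an embedded payload would be."""
    fake_pe = b"MZ" + b"\x90\x00\x03\x00" + b"\x00" * 58 + DOS_STUB + b"\x00" * 32
    payload = rotate(xor_bytes(fake_pe, key), rol)
    return b"%PDF-1.4 constructed cover text " + payload + b" trailer"


if __name__ == "__main__":
    sample = build_sample(b"\x5a\x13\xa7\xc4\x0e", 3)  # constructed 5-byte key, ROL 3
    hit = find_encoded_executable(sample)
    print(hit and {k: v for k, v in hit.items() if k != "decoded"})
```

Because the search pins the key to absolute offsets, the same routine works unchanged on a TCP stream reassembled from a PCAP: the cover text in front of the payload simply decodes to garbage, and the recovered key is re-phased to the start of the executable. Extending it to transposition would need a different known-plaintext model, since transposition preserves byte values but moves them.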

Cryptam will also apply your own Yara signatures to the decoded datastores of RTF files, to decrypted embedded executables (to identify trojans), and to decompressed embedded Flash files.

Check out an example Cryptam report.

Use it free online. Contact us for more information.