Black Hat Arsenal peepdf Challenge 2015 writeup

At the beginning of August I saw a link on Twitter by Jose Miguel Esparza, the author of the peepdf tool, about a challenge he created for the Black Hat Arsenal conference in the USA. After reading the blog post I decided to play with the challenge, and here is my writeup of the solution. I hope that you like […]

Active CookieBomb, CVE 2013-2465 and Reveton

This is the second QuickAnalysis post after the one by evilcry. During my daily urlquery investigation, I came across a website infected by the CookieBomb injection payload: hxxp:// The JS inside the index page is, obviously, obfuscated; after deobfuscation we have this: The code above clearly shows a classic CookieBomb JavaScript infection. What is […]

Analysis of CVE-2010-0188 PDF from RedKit ExploitKit

After noticing a substantial increase in RedKit infections, following a series of investigations performed on URLQuery, we decided to go deeper to understand what was happening behind the curtains. RedKit is an exploit pack that uses the following infection flow: We have this for today's example: and the resource is A user visiting a page compromised with […]

Update 2 – Facebook infection: the fake “Flash Player”

In these days I've seen some friends of mine catch a Facebook virus: this virus posts a message with ten friends tagged and a link to a malicious site. The infection, which comes from Turkey (at least on the surface), is OS independent because it uses Firefox and Chrome extensions: a fake Flash Player. HTML code […]

Shylock via volatility

Shylock is a new financial malware, publicly reported for the first time on 7 September 2011. Additional information on it can be found in Mila's blog post. Tools: Volatility, MHL malware plugins, Timeliner, RegistryApi, evtlogs plugins. Essay: Memory acquisition. The first step is the memory acquisition, which can be accomplished essentially in two ways, depending on […]