The VBA was full of statements with extra meaningless assignments, not while, wend, redims like the seed document:

Since my access only goes back 90 days, it’s not clear if there was the end of a different wave, or just a one-off. The earliest sample was uploaded on 25 February. They are each submitted by different submitters, across 3 different countries.

I can preview the content in VT, and see no similarities, and no messages to enable macros (so not test documents not yet weaponized).

But on looking at the content, it seems they are unrelated. It’s interesting that there are four benign hits submitted in the same timeframe.

No Macros, all different submitters, different content

All contain original base64 string except two which had macros stripped and one outlier

I can divide them into the following categories:

Category

I’ll triage those by downloading them and looking at their code. If I limit the search to docs (metadata:"Hamill" tag:doc), then I get 59 hits over the last 90 days (as far back as I can look without a retro hunt).

I looked at a couple, and they seemed innocuous. The results are largely docs since 20 May, but many PDFs, and some zips and other things going further back.

It’s more than the seed, but not so many that it’s clearly just pulling unrelated documents together.

I see a few fields that look interesting and worth pivoting on, such as author, company, and manager:

Field

132 is an interesting result. I can see this same data (and more) on the details tab in VT:

$imageProperties =New-Object -TypeName -ArgumentList $fullname

Improving on Kirt's improvements:

function getExifGpsInfo ($fullname)