Posts: 12,899
Threads: 8,879
Thanks Received: 8,764 in 6,923 posts
Thanks Given: 9,657
Joined: 12 September 18
21 June 23, 08:47
(This post was last modified: 21 June 23, 08:48 by harlan4096.)
Quote:
We are excited to announce our integration with DOCGuard for the analysis of Office documents, PDFs and other file types as a behavioral analysis engine. This document analysis collaboration will allow the community to get the another opinion on the scanned documents.
In their own words:
Quote:DOCGuard is a malware analysis service, whose main use case is to integrate with SEGs (Secure Email Gateways) and SOAR solutions.
Quote:The service performs a new kind of static analysis called structural analysis. The structural analysis dissembles the malwares and passes it to the core engines with respect to file structure components. By the aid of this approach, DOCGuard can precisely detect the malwares and extract the F/P free IOCs and may also identify obfuscation and encryption in the form of string encoding and document encryption.
Quote:The currently supported file types are Microsoft Office Files, PDFs, HTMLs, HTMs, LNKs, JScripts, ISOs, IMGs, VHDs, VCFs, and archives(.zip, .rar, .7z etc.). The detailed findings of the structural analysis are presented in an aggregated view in the GUI and can be downloaded as a JSON report and can also be gathered over API.
Going further, users can explore the behavior tab of the file scanned for more details. In the example below, we see a detected macro of a malicious Excel XLS file
In a malicious document, we can see memory pattern urls.
9cd785dbcceced90590f87734b8a3dbc066a26bd90d4e4db9a480889731b6d29
![[Image: docguard-memory-urls.png]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnn4FfsJu24SzfKxmA2y6ALrxS_7vVwXX5hAPN5MaAsEAY-m-Ye0pRlU-EigbjTwCHiwd3p6TzdXm8xEEy2H6SiKH8CcOy_3nAW9Vz4EFMWpdI6nXxtBXl1O9VHo_-q6lc-OgWN3PcMdJcTKXYbgc0k8W20bP_0Rqa53C1ckb_dQWybNI8ckbeGNsA/w823-h170/docguard-memory-urls.png)
...
![[Image: Logo_VT_Horizontal.png]](https://1.bp.blogspot.com/-eNrJ344ipwk/XlaW63OVy9I/AAAAAAAAAF8/anLh0cnZwE8cYShNrki1m_Qm9Jx8Hw-5ACK4BGAYYCw/s1600/Logo_VT_Horizontal.png){kind=logo}
![[Image: docguard-2d6.png]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg0xWnFMvoTCCKWXTMxSPNXLwOqRdWczOgvcX2HRH03U91Nr1qiZ4ylWJKjVXa1yE1Tv-YSJkdWjxPwIuae0fTpVGiNhXSv_fX-UwYC4gHInCQbpb0Lux7iaZDFKV19oF2gz55LCONWcldtkdPrnLtH45iFdbQvasgS6YNgHHfwcMRtNPzuDcY-TKcK/w659-h622/docguard-2d6.png)
![[Image: docguard-memory-urls.png]](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnn4FfsJu24SzfKxmA2y6ALrxS_7vVwXX5hAPN5MaAsEAY-m-Ye0pRlU-EigbjTwCHiwd3p6TzdXm8xEEy2H6SiKH8CcOy_3nAW9Vz4EFMWpdI6nXxtBXl1O9VHo_-q6lc-OgWN3PcMdJcTKXYbgc0k8W20bP_0Rqa53C1ckb_dQWybNI8ckbeGNsA/s1528/docguard-memory-urls.png)
![[-]](https://www.geeks.fyi/images/collapse.png "[-]")
