
Philippe Lagadec

@decalage.bsky.social

Author of open-source projects oletools, olefile, ViperMonkey, ExeFilter, Balbuzard. Posting about #DFIR, #malware analysis, maldocs, file formats and #Python. https://linktr.ee/decalage

84 Followers  |  75 Following  |  5 Posts  |  Joined: 27.11.2024  |  1.5595

Latest posts by decalage.bsky.social on Bluesky


How can we detect malicious documents exploiting CVE-2026-21509, the recent 0-day vulnerability in MS Office?
I designed a YARA rule for this, which detects all the malicious files that have been reported.
To get the YARA rule and all the explanations: decalage.info/CVE-2026-215...

06.02.2026 09:14 — 👍 2    🔁 1    💬 0    📌 0
Malware Analysis - Malicious MS Office files without Macros (YouTube video by MalwareAnalysisForHedgehogs)

🦔 📹 New Video: Can office files be malicious without Macros?

➡️ VSTO Add-Ins
➡️ External Templates
➡️ Checklist for Office analysis
#MalwareAnalysisForHedgehogs
www.youtube.com/watch?v=RtHH...

25.01.2026 07:30 — 👍 6    🔁 4    💬 2    📌 1
formats_vs_techniques oletools - python tools to analyze MS OLE2 files (Structured Storage, Compound File Binary Format) and MS Office documents, for malware analysis, forensics and debugging. - decalage2/oletools

Nice examples! I also maintain a list of the various attack techniques vs. file formats in the oletools wiki:
github.com/decalage2/ol...

26.01.2026 15:43 — 👍 2    🔁 0    💬 1    📌 0
Hash All The Things / Get All The Sig(s) - Introducing Sighthouse for Seamless Function Detection The aim of this talk is to address a common challenge faced by reverse engineers: distinguishing relevant software from third-party libraries within firmware or programs. This task often wastes time a...

reverse-2026.sessionize.com/session/1082... with @mad5quirrel.bsky.social

16.01.2026 20:53 — 👍 3    🔁 2    💬 0    📌 1
Blind trust: what is hidden behind the process of creating your PDF file? Every day, thousands of web services generate PDF (Portable Document Format) files—bills, contracts, reports. This step is often treated as a technical routine, “just convert the HTML,” but in practic...

Blind trust: what is hidden behind the process of creating your PDF file?

swarm.ptsecurity.com/blind-trust-...

#vulnerability #cve #exploitation #infosec

30.12.2025 02:22 — 👍 8    🔁 5    💬 0    📌 0
GitHub - decoderloop/rust-malware-gallery: A collection of malware families and malware samples which use the Rust programming language.

🦀 Looking for Rust malware samples to practice analyzing? Our Rust Malware Sample Gallery just received a major update, with 20 new families added! github.com/decoderloop/...

#rust #rustlang #malware #infosec #ReverseEngineering #MalwareAnalysis #reversing

15.12.2025 15:41 — 👍 4    🔁 3    💬 1    📌 0
MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper A look at how threat actors are abusing AppleScript .scpt files to deliver macOS malware, from fake documents to browser update lures, and how these scripts ...

MacOS Infection Vector: Using AppleScripts to bypass Gatekeeper:

pberba.github.io/security/202...

#macOS #infosec #applescript #cybersecurity #exploitation #hacking

30.11.2025 18:22 — 👍 4    🔁 1    💬 0    📌 0
Virus Bulletin

Videos and papers from this year's @virusbtn.bsky.social in Berlin are now available online. Amazing conference and looking forward to the next one: www.youtube.com/@virusbtn

28.11.2025 06:47 — 👍 9    🔁 4    💬 1    📌 0

There are some really big caveats to this. A thread.

05.11.2025 15:52 — 👍 157    🔁 74    💬 6    📌 2

Using .LNK files as lolbins

www.hexacorn.com/blog/2025/10...

04.10.2025 21:00 — 👍 8    🔁 4    💬 1    📌 0
hack.lu 2025 Hack.lu (and CTI summit) is an open convention/conference where people can discuss about computer security, privacy, information technology and its cultural/technical implication on society. It's the ...

At hack.lu I gave a presentation about "How to better identify (weaponized) file formats":

- Why do we need to identify file formats accurately?
- Why can the current tools (libmagic, magika) sometimes be bypassed?
- How can we do better?

You can now see it here: youtu.be/Qp5GDh2sj6A

#HackLu

27.10.2025 16:18 — 👍 5    🔁 3    💬 0    📌 0
Infosec/hacking videos recorded by Cooper (@Ministraitor)

I've put together a website which indexes all the recordings my rigs have made thus-far as well as those currently planned:
administraitor.video
(minimalist - I'm a mid-/backend dev! 😋)

08.11.2024 15:22 — 👍 16    🔁 9    💬 0    📌 0
How To Better Identify (Weaponized) File Formats With Ftguess - Philippe Lagadec (YouTube video by Cooper)

How To Better Identify (Weaponized) File Formats With Ftguess - Philippe Lagadec
youtu.be/Qp5GDh2sj6A
#HackLu

25.10.2025 21:57 — 👍 2    🔁 2    💬 0    📌 0
hack.lu 2025 Hack.lu (and CTI summit) is an open convention/conference where people can discuss about computer security, privacy, information technology and its cultural/technical implication on society. It's the ...

This week I'm going to hack.lu, to give a presentation about file format identification:
Why do we need to identify file formats accurately?
Why can the current tools sometimes be bypassed, or make mistakes?
How can we do better?
2025.hack.lu/agenda/

Send me a DM if you'd like to meet there.

21.10.2025 08:01 — 👍 1    🔁 0    💬 0    📌 0

I'm happy to share that LIEF 0.17.0 is out: lief.re/blog/2025-09...

15.09.2025 03:49 — 👍 12    🔁 5    💬 0    📌 0

#ESETresearch has discovered #HybridPetya ransomware on VirusTotal: a UEFI-compatible copycat of the infamous Petya/NotPetya malware. HybridPetya is capable of bypassing UEFI Secure Boot on outdated systems. www.welivesecurity.com/en/eset-rese... 1/8

12.09.2025 09:02 — 👍 11    🔁 11    💬 1    📌 0

#ESETResearch has discovered the first known AI-powered ransomware, which we named #PromptLock. The PromptLock malware uses the gpt-oss:20b model from OpenAI locally via the Ollama API to generate malicious Lua scripts on the fly, which it then executes 1/7

26.08.2025 15:37 — 👍 64    🔁 45    💬 2    📌 14
How FIDO2 works, a technical deep dive – Michael Waterman

This explanation of Passkeys and FIDO2 is really good 👍

michaelwaterman.nl/2025/04/02/h...

04.05.2025 21:34 — 👍 11    🔁 4    💬 0    📌 0
Malwoverview: First response tool for threat hunting - Help Net Security Malwoverview is an open-source threat hunting tool designed for the initial triage of malware samples, URLs, IP addresses, domains, malware families,

Even though I've been away from the field for years, it's great to see that a simple tool that I initially launched in 2018, with great collaborators (Artur Marzano, Corey Forman and Christian Clauss), has been used by so many professionals.

www.helpnetsecurity.com/2025/03/26/m...

#malware

26.03.2025 19:02 — 👍 3    🔁 1    💬 0    📌 0
The one who shouldn't have installed Kaspersky's antivirus (“Celui qui n'aurait pas dû installer l'antivirus Kaspersky”): in which we discover the ruined career of a civil servant, caused by a fondness for either cracked versions of Windows or the antivirus of the famous Russian engineer.

Thanks @gabrielthierry.bsky.social for revisiting the incredible story of the #ShadowBrokers in several parts #MustRead

Part 1

open.substack.com/pub/pwned/p/...

Part 2

open.substack.com/pub/pwned/p/...

Part 3

open.substack.com/pub/pwned/p/...

16.03.2025 08:11 — 👍 19    🔁 12    💬 1    📌 0
MalDoc in PDF - Detection bypass by embedding a malicious Word file into a PDF file - JPCERT/CC Eyes JPCERT/CC has confirmed that a new technique was used in an attack that occurred in July, which bypasses detection by embedding a malicious Word file into a PDF file. This blog article calls the techn...

Do you know examples of polyglot files that have been used in real-life to hide malware from detection/analysis tools?

There is at least this PDF/MHT: blogs.jpcert.or.jp/en/2023/08/m...

Do you know other real malware cases?

19.01.2025 10:58 — 👍 4    🔁 2    💬 0    📌 0
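Two posts above touch the same weakness: the hack.lu talk asks why first-match identifiers such as libmagic or magika can be bypassed, and the post just above asks for real-world polyglots such as the PDF/MHT case. The scanner below is an added example written for this page; it is not code from either post, from oletools, or from ftguess. It does not stop at the magic bytes at offset 0 but records every known container signature anywhere in the file, then flags a polyglot candidate when a second container appears behind the header format. The signature table, the 1024-byte PDF header tolerance, and the three constructed samples (a tiny PDF, a tiny Word-style MHT, and their concatenation) are assumptions of the example, not real malware.

```python
"""Polyglot-aware file type scan (added example, not from the original posts
nor from oletools/ftguess). A first-match identifier reports the format at
offset 0 and stops, so a PDF with a second container appended (e.g. an MHT
file wrapping a Word document) is reported as "just a PDF". This scanner
records every signature found anywhere in the file instead.
"""
import re
from typing import NamedTuple


class Hit(NamedTuple):
    fmt: str
    offset: int


# Container signatures. Assumed minimal set for the example; a real
# identifier needs many more formats and structural parsing.
SIGNATURES = {
    "pdf":  rb"%PDF-\d\.\d",
    "ole2": rb"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",   # CFB/OLE2: .doc, .xls, .msi
    "zip":  rb"PK\x03\x04",                          # ZIP, also OOXML .docx/.xlsx
    "rtf":  rb"\{\\rtf",
    "mht":  rb"(?i)MIME-Version:\s*1\.0",            # MHTML / Word "web archive"
}
CONTAINERS = set(SIGNATURES)

# Markers that refine a container rather than being one: Word-specific
# markup inside an MHT/HTML body.
MARKERS = {
    "mso-word": rb"(?i)<w:WordDocument>",
}

# Acrobat tolerates bytes before %PDF- within the first 1024 bytes; that slack
# is what lets data be prepended to a PDF. Other formats are matched strictly
# at offset 0 here.
HEADER_WINDOW = {"pdf": 1024}


def scan_signatures(data: bytes) -> list[Hit]:
    """First occurrence of every known signature and marker, ordered by offset."""
    hits = []
    for fmt, pattern in {**SIGNATURES, **MARKERS}.items():
        m = re.search(pattern, data)
        if m:
            hits.append(Hit(fmt, m.start()))
    return sorted(hits, key=lambda h: h.offset)


def header_format(data: bytes) -> str:
    """What a first-match identifier would report from the start of the file."""
    for fmt, pattern in SIGNATURES.items():
        window = HEADER_WINDOW.get(fmt)
        if window is None:
            if re.match(pattern, data):
                return fmt
        elif re.search(pattern, data[:window + 8]):
            return fmt
    return "unknown"


def classify(data: bytes) -> dict:
    """Header format, every signature found, and a polyglot-candidate flag."""
    hits = scan_signatures(data)
    header = header_format(data)
    extra = {h.fmt for h in hits if h.fmt in CONTAINERS and h.fmt != header}
    return {
        "header": header,
        "signatures": hits,
        "polyglot": header != "unknown" and bool(extra),
    }


# Constructed samples (not real malware): a tiny PDF, a tiny Word-style MHT,
# and the two concatenated so that the PDF header comes first.
SAMPLE_PDF = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
SAMPLE_MHT = (
    b"MIME-Version: 1.0\n"
    b"Content-Type: multipart/related; boundary=\"----=_NextPart_000\"\n\n"
    b"------=_NextPart_000\nContent-Type: text/html; charset=\"us-ascii\"\n\n"
    b"<html xmlns:w=\"urn:schemas-microsoft-com:office:word\"><head>"
    b"<!--[if gte mso 9]><xml><w:WordDocument><w:View>Print</w:View>"
    b"</w:WordDocument></xml><![endif]--></head><body>x</body></html>\n"
)
SAMPLE_POLYGLOT = SAMPLE_PDF + SAMPLE_MHT

if __name__ == "__main__":
    for name, blob in (("pdf", SAMPLE_PDF), ("mht", SAMPLE_MHT),
                       ("pdf+mht", SAMPLE_POLYGLOT)):
        r = classify(blob)
        print(f"{name:8} header={r['header']:8} polyglot={r['polyglot']} "
              f"hits={[(h.fmt, h.offset) for h in r['signatures']]}")
```

The flag is a triage signal, not a verdict: an object stored uncompressed inside a legitimate container (a raw PDF embedded in an OLE2 document, say) will also show two signatures. The point is to surface the second format so an analyst checks which application will actually open the file, rather than trusting whatever sits at offset 0.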

I made a Doom source port that runs within a PDF file.

PDFs support JavaScript, so Emscripten is used to compile Doom to asm.js, which is then run within the PDF engine. Input/output is done by manipulating text input fields.

doompdf.pages.dev/doom.pdf

github.com/ading2210/do...

13.01.2025 04:16 — 👍 4122    🔁 1930    💬 72    📌 221

The ninth article (38 pages) of the Malware Analysis Series (MAS) is available on:

exploitreversing.com/2025/01/08/m...

Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).

#malware

08.01.2025 16:45 — 👍 5    🔁 3    💬 0    📌 0
Forget PSEXEC: DCOM Upload & Execute Backdoor Join Deep Instinct Security Researcher Eliran Nissan as he exposes a powerful new DCOM lateral movement attack that remotely writes custom payloads to create an embedded backdoor.

New DCOM lateral movement technique discovered that bypasses traditional defenses. Unlike previous attacks relying on IDispatch interfaces, this method exploits undocumented COM interfaces within MSI, specifically targeting IMsiServer and IMsiCustomAction interfaces. 1/7

12.12.2024 00:00 — 👍 21    🔁 17    💬 2    📌 0

@decalage is following 19 prominent accounts