Ange

@angealbertini.bsky.social

Reverse engineer, file formats expert.
Corkami, CPS2Shock, PoC||GTFO, Sha1tered, Magika...
Security engineer @ Google. He/him.

923 Followers  |  73 Following  |  207 Posts  |  Joined: 03.07.2023  |  1.8697

Latest posts by angealbertini.bsky.social on Bluesky

If you’re into malware analysis, you should really give Malcat a try.
A great all-in-one tool with hex and structure views, disasm and decomp, integrated Yara, python scripting, similarities scanning...
Definitely worth trying!

10.10.2025 19:30 — 👍 5    🔁 0    💬 0    📌 0

Is there a good source for non-malicious executables? categorized and with some variety, across platforms, languages...?

08.10.2025 15:28 — 👍 3    🔁 0    💬 2    📌 0
Preview: Identifying obfuscated code through graph-based semantic analysis of binary code (Applied Network Science)
Protecting sensitive program content is a critical concern in various situations, ranging from legitimate use cases to unethical contexts. Obfuscation is one of the most used techniques to ensure such a protection. Consequently, attackers must first detect and characterize obfuscation before launching any attack against it. This paper investigates the problem of function-level obfuscation detection using graph-based approaches, comparing algorithms, from classical baselines to advanced techniques like Graph Neural Networks (GNN), on different feature choices. We consider various obfuscation types and obfuscators, resulting in two complex datasets. Our findings demonstrate that GNNs need meaningful features that capture aspects of function semantics to outperform baselines. Our approach shows satisfactory results, especially in a challenging 11-class classification task and in two practical binary analysis examples. It highlights how much obfuscation and optimization are intertwined in binary code and that a better comprehension of these two principles is fundamental in order to obtain better detection results.

Brand new paper with Roxane Cohen, Robin David (both from @quarkslab.bsky.social ) and Florian Yger on obfuscation detection in binary code doi.org/10.1007/s411... We show that carefully selected features can be leveraged by graph neural networks to outperform classical solutions.

30.09.2025 17:03 — 👍 12    🔁 7    💬 1    📌 1

Apple Preview 11.0 (macOS 15.5) does crash while opening gist.github.com/nst/373748f2... as x.pdf (malformed ICC profile).

[com.apple.Preview] CoreGraphics assert(cs != NULL) failed in img_pixels_for_destination: colorspace missing
CoreGraphics/Images/CGSImage.c:4029: failed assertion `cs != NULL'

07.07.2025 20:26 — 👍 1    🔁 1    💬 1    📌 0
Color coded display of a zlib compressed version of this post's text, rendered by the flateview demo

lynn.github.io/flateview/
Impressive. Visualizer of zlib (gzip) - paste in a paragraph or two of text.

Reminds me of @angealbertini.bsky.social's binary file-format illustrations (google 'corkami').

29.09.2025 19:28 — 👍 7    🔁 3    💬 0    📌 0

I have been learning more about PDFs than I really wanted to for maybe the absolutely most funny reason possible - letting agency forgery: mjg59.dreamwidth.org/73317.html

24.09.2025 22:25 — 👍 128    🔁 34    💬 6    📌 2

Enter Sandbox 30: Static Analysis gone wrong

www.hexacorn.com/blog/2025/09...

19.09.2025 22:19 — 👍 6    🔁 2    💬 0    📌 0

Grab your @phrack copy (beautiful 150 page color print) at @nullcon’s registration booth!

05.09.2025 06:54 — 👍 3    🔁 0    💬 0    📌 0
Preview: GitHub - corkami/mitra: A generator of weird files (binary polyglots, near polyglots, polymocks...)

You can do that with my Mitra tool with the `--force` parameter (for arbitrary content injection) on ~40 standard formats (which covers many more subformats).
github.com/corkami/mitra

28.08.2025 09:41 — 👍 1    🔁 0    💬 0    📌 0
Preview: The One-Man APT, Part I: A Picture That Can Execute Code on the Target (Hackers Arise)
Have you ever wondered if it’s possible to replicate the stealthy behavior of a modern cyber‑attack using artificial intelligence? As part of my research, I focused on the techniques used by a Linux-b...

Bash script injection in a JPEG file:
hackers-arise.com/the-one-man-...

28.08.2025 09:41 — 👍 3    🔁 1    💬 1    📌 0

Today I have a more serious topic than usual, please consider reposting for reach:

My wife and I are urgently looking for a specialist in neuropediatrics or a similar field for our autistic child with a diagnosed, but not further specified, movement disorder [1/4]

19.08.2025 08:34 — 👍 4    🔁 23    💬 1    📌 0
Preview: OBS WebSocket to RCE (Jorian Woltjer)
Disabling password authentication of your OBS WebSocket server can have devastating consequences. We'll attack from the browser to construct an RCE payload on Windows formed from the pixels of an imag...

Just pushed a new frontend for my site, and a new post!
This one's about a tricky file write vulnerability on Windows in OBS. By crafting an image with very specific pixels, we can plant a backdoor on your PC all from an attacker's site by misconfiguring:
jorianwoltjer.com/blog/p/resea...

05.06.2025 18:48 — 👍 5    🔁 2    💬 1    📌 0

That's indeed surprising, but perhaps PDF 1.7 contains a lot of additional, more recent information (accessibility, XML...).

02.06.2025 17:18 — 👍 2    🔁 0    💬 0    📌 0

I had a minor printing problem with an article where the last few letters of the longest lines of text were missing.
It was a small mental puzzle every 5-10 lines to guess the missing letters.
An interesting exercise to stay focused throughout the article.

01.06.2025 16:07 — 👍 0    🔁 0    💬 0    📌 0

Fun and informative, as always, thank you!

25.04.2025 06:28 — 👍 1    🔁 1    💬 0    📌 0

QQ: what's your favorite PDF analysis tool [for malicious files or 'standard' ones]?
(besides peepdf / Stevens' PDF parser+id / VeraPDF)

11.04.2025 13:06 — 👍 2    🔁 0    💬 0    📌 0
A photo of an aperture card:
a 80-column punched card with columns 54 to 76 used by a microfiche.

"Polyglot files are unnatural and never existed in the wild", they say.

Aperture cards are punched cards with a microfiche, indexing 'analogue' images with punched cards data on the same medium.
A standard polyglot document IRL defined in the 1960s.

02.04.2025 07:43 — 👍 24    🔁 7    💬 0    📌 0

In the font, yes.
In the embedded font of the PDF, no.

01.04.2025 17:25 — 👍 1    🔁 0    💬 0    📌 0
A PDF showing some text about the Doom PDF/EXE/PE polyglot file format, where the ‘fi’ ligature of ‘file’ isn’t visible.

You’re making a PDF about weird file formats and PDF… and the PDF doesn’t let you write “file”… very meta.

01.04.2025 16:30 — 👍 4    🔁 2    💬 1    📌 0

Thank you!

01.04.2025 08:46 — 👍 1    🔁 0    💬 0    📌 0
The ultimate Doom polyglot, dissected: DOS executable, Windows Portable Executable, and PDF for Chrome via JavaScript! With offsets, explanations and snippets from the file.

The craziest file I made & visualized recently was combining the Doom PDF with a DOS & Windows (EXE & PE) polyglot.
It runs Doom on OS from 1993 until today, and Chrome-based PDF viewers!
You can make it an HTML/JS polyglot too to run on most browsers! (3/3)

01.04.2025 06:34 — 👍 22    🔁 6    💬 0    📌 2
A handmade PDF with no valid signature, dummy stream object, weird object ordering, no XREF…

In PagedOut 6, I showed many PDF tricks by dissecting a crazy yet fully working handmade “Hello World” PDF file.

29.03.2025 18:47 — 👍 10    🔁 5    💬 2    📌 0
A dissection of a “Hello World” PDF that shows the relation between the PDF objects.

I made in PagedOut 6 an illustration on the basics of the PDF format.

29.03.2025 18:23 — 👍 7    🔁 3    💬 1    📌 0

Paged Out! #6 has arrived! And it's jam-packed with content!
You can download it here:
pagedout.institute?page=issues....

29.03.2025 12:23 — 👍 23    🔁 27    💬 0    📌 3
Preview: Call It What You Want: Threat Actor Delivers Highly Targeted Multistage Polyglot Malware (Proofpoint US)
Key findings: Proofpoint researchers identified a highly targeted email-based campaign targeting fewer than five Proofpoint customers in the United Arab Emirates with a distinct

Interesting infection chain using polyglots: www.proofpoint.com/us/blog/thre...

06.03.2025 07:59 — 👍 6    🔁 4    💬 0    📌 0

I shrank Takashi Hayakawa's tiny ray tracer by 33 bytes seriot.ch/projects/pos...

04.03.2025 18:28 — 👍 8    🔁 5    💬 1    📌 1

Any requests or questions on PDF manipulations ? (Or another format)

22.02.2025 22:20 — 👍 1    🔁 2    💬 0    📌 0

ICYDK restrictions in PDF (copy pasting, printing…) are linked to encryption, which often uses an empty user password: no password prompt, but the file is still encrypted.
So just decrypting the file (via qpdf, pdftk, print to PDF,…) removes these restrictions.

21.02.2025 21:38 — 👍 3    🔁 2    💬 0    📌 0
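The post above describes restrictions that live in the `/Encrypt` dictionary of a PDF. As an added example (not code from the post or from any of Ange's tools), the following standard-library Python script locates a PDF's `/Encrypt` dictionary from its trailer and decodes the `/P` permission flags, using the bit positions defined in PDF 32000-1:2008 Table 22 (bit 3 print, 4 modify, 5 copy, 6 annotate, 9 fill forms, 10 accessibility extraction, 11 assemble, 12 full-quality print). This makes visible what a "restricted" PDF actually stores: a viewer-enforced flag word next to an encryption setup, not a separate protection mechanism. The sample PDF fragment is constructed for this example, with zeroed `/O` and `/U` strings, so it is not a valid encrypted file, only enough structure for the parser; the parser handles the common flat `/Encrypt` dictionary and does not descend into nested `/CF` dictionaries.

```python
import re

# Constructed sample: the pieces of a "restricted" PDF that the parser needs
# (trailer, /Encrypt reference, and the encryption dictionary object).
# /P -1852 is a real-world style value: printing allowed, copying denied.
SAMPLE_RESTRICTED = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
5 0 obj
<< /Filter /Standard /V 2 /R 3 /Length 128 /P -1852
   /O <0000000000000000000000000000000000000000000000000000000000000000>
   /U <0000000000000000000000000000000000000000000000000000000000000000> >>
endobj
trailer
<< /Root 1 0 R /Encrypt 5 0 R /ID [<00112233445566778899aabbccddeeff> <00112233445566778899aabbccddeeff>] >>
%%EOF
"""

# Constructed sample of an unencrypted trailer, for the negative case.
SAMPLE_PLAIN = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

# PDF 32000-1:2008, Table 22: user access permissions, 1-based bit positions.
PERMISSION_BITS = {
    3: "print",
    4: "modify contents",
    5: "copy/extract text and graphics",
    6: "add/modify annotations and form fields",
    9: "fill in form fields",
    10: "extract for accessibility",
    11: "assemble (insert/rotate/delete pages)",
    12: "print at full quality",
}


def find_encrypt_dict(data: bytes):
    """Return the text of the /Encrypt dictionary referenced by the trailer, or None."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return None
    num, gen = ref.group(1), ref.group(2)
    # Locate "<num> <gen> obj << ... >> endobj"; non-greedy, so a flat dictionary only.
    obj = re.search(
        rb"(?<![0-9])" + num + rb"\s+" + gen + rb"\s+obj\s*(<<.*?>>)\s*endobj",
        data,
        re.S,
    )
    return obj.group(1).decode("latin-1") if obj else None


def parse_int(dict_text: str, key: str, default=None):
    """Read an integer value for /key from a flat PDF dictionary."""
    m = re.search(r"/" + key + r"\s+(-?\d+)", dict_text)
    return int(m.group(1)) if m else default


def decode_permissions(p: int) -> dict:
    """Map the /P flag word to named permissions (True = allowed)."""
    p &= 0xFFFFFFFF  # /P is written as a signed 32-bit integer, e.g. -1852
    return {name: bool(p & (1 << (bit - 1))) for bit, name in PERMISSION_BITS.items()}


def describe(data: bytes) -> dict:
    """Summarise the encryption/restriction state of a PDF byte string."""
    enc = find_encrypt_dict(data)
    if enc is None:
        return {"encrypted": False}
    p = parse_int(enc, "P")
    filt = re.search(r"/Filter\s*/(\w+)", enc)
    return {
        "encrypted": True,
        "filter": filt.group(1) if filt else None,
        "V": parse_int(enc, "V", 0),
        "R": parse_int(enc, "R"),
        "P": p,
        "allowed": decode_permissions(p) if p is not None else {},
    }


if __name__ == "__main__":
    for label, sample in (("restricted", SAMPLE_RESTRICTED), ("plain", SAMPLE_PLAIN)):
        info = describe(sample)
        print(label, "encrypted:", info["encrypted"])
        for name, ok in info.get("allowed", {}).items():
            print(f"  {name:45s} {'allowed' if ok else 'DENIED'}")
```

Run on a real file with `describe(open("x.pdf", "rb").read())`. A `/Filter /Standard` entry together with a `/P` word that denies copying is exactly the "restricted but no password prompt" case the post describes; whether the user password is empty is decided by the `/U` check in the standard security handler, which this script deliberately does not implement.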
A preview of the Youtube livestream with the timestamps.

The livestream on PDF file structure is up.
Following the PDF basics livestream, it covers all kinds of PDF structures that you can see in the wild and how to convert them to a classic and accessible form.
www.youtube.com/live/9XNdTAP...

20.02.2025 21:50 — 👍 5    🔁 2    💬 0    📌 0
Preview: 23 PDF file structures, YouTube video by Ange Albertini

Today, the follow-up from PDF basics:
What you need to know to edit any PDF.
www.youtube.com/live/9XNdTAP...

20.02.2025 18:55 — 👍 0    🔁 1    💬 0    📌 0