Usage

QuickSand can accept most common office documents and PDFs.

Get Started

On scan.tylabs.com click the Choose File button under the logo on the left, then select the file to scan. Click Scan Document or PDF to start the analysis. Javascript is required to upload the file.

Limits

• Filesize: 10MB. Documents over 10MB (max 28s of processing) or PDFs over 5MB (max 18s of processing) may timeout on the online version of Quicksand. The timeout field is configurable on the software version of QuickSand.

• Filetypes: Links, executables won’t be accessed/decoded.

How to interpret the results.

• Metadata: This section has information about the file itself. Hashes that can be used to uniquely identify the file etc.

  • filetype: ole, mso, pdf, openxml etc. The type of file. “data” means the format is not known and sub-streams will not be extracted.

  • md5: hash to relatively uniquely identify the file

  • sha1, sha256, sha512: longer more unique hashes to identify the file

  • size: file size in bytes

  • started: epoch time in seconds that the processing started

  • finished: epoch time in seconds that the processing finished

  • elapsed: total running time (finished-started)

• Similarity

  Similarity between documents can be an important tool to map attacks by the same actors or exploit kit.

  • structhash: a unique 32 byte hash of a concatenated list of structural elements such as PDF objects or ole streams.

  • struzzy: A fuzzy hash for calculating Levenshtein distance between two document structures. Each structural element is represented by an alphanumeric code. More complex documents will have a longer string. Layout of this hash is a number followed by a string. (Element Total: Fuzzy hash).

• Results

  • risk: plain language risk assessment: active content or exploit

  • score: generally one point for obfuscation method/active content and 10 for an exploit based on the “rank” metadata field in our Yara rules.

• Detailed Results

  This section is a list of objects or streams and exploits detected within.

  • Yara rule: Name of rule that was detected

  • description: Description of what the rule detected. (CVE or active content etc).

  • strings: location offset within the stream, yara variable name: string content.

• Links

  • json more detailed report

Json

The json report contains the following structure:

• results

  • stream name: rule name, desc, strings: [list], type, mitre

• score

• warning

• exploit

• execute

• feature

• filename

• md5

• sha1

• sha256

• sha512

• size

• started

• finished

• version

• quicksand_pdf.yara: epoch

• quicksand_exe.yara: epoch

• quicksand_exploit.yara: epoch

• header: hex 10 bytes

• type

• ole metadata

  • ole_author

  • ole_company

  • ole_last_saved_by

  • ole_title

  • ole_create_time

  • ole_last_saved_time

• risk

• rating: 0 = clean, 1=active content, 2=high score active content, 3=exploit

• structhash

• structure: string

• structhash_version

• structhash_elements: int

• struzzy

• elapsed

• version: tool version id

• uuid (internal scan id)

References

• Mitre CVE Reference

• Mitre Att&ck Reference