Concept

The main concept of Blind DOCtor is to identify the common visual elements of malicious campaigns and classify malicious MS Office documents accordingly. While it is easy to create malicious MS Office documents with different hashes and variations in the VBA code, convincing users to open the document and "enable the content" is not. The lure image has to be convincing, so even if someone changes it a bit, the template remains the same. Malicious MS Office documents try to lure the user into clicking the "Enable the content" button with a handful of templates that are reused across campaigns. In the example templates below (Emotet), the documents display an image claiming that a compatibility issue prevents the document from loading and that it can be resolved only by enabling the content.

[Figure: three Emotet lure templates (emotet1, emotet2, emotet3)]

Blind DOCtor has extracted these templates from thousands of samples of various families and uses that intelligence to classify malicious documents blazing fast.

For the time being, we identify the following 17 families:

AgentTesla, CampoLoader, Dridex, Emotet, formbook, Hancitor, IcedID, Loki, masslogger, Netwire, Qbot, Remcos, smokebot, TaurusStealer, TrickBot, Ursnif, ZLoader

Note that some templates may match more than one family.
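To make the idea concrete, here is an added illustration of template-based classification (not Blind DOCtor's own code): lure images are reduced to a perceptual hash (dHash is assumed here), compared to a small template database by Hamming distance, and a document is labelled with every family whose template is close enough, so a lightly edited lure still matches and a shared template yields more than one family. All images, template hashes and family labels below are constructed grayscale grids and hypothetical mappings, so no image library is needed.

```python
"""Visual-template matching for Office lure images with a perceptual hash.

Added illustration for the concept above; not Blind DOCtor's own code. dHash
is assumed as the perceptual hash; every image is a constructed 2D grid of
grayscale values (rows of 0-255 ints), so nothing here needs an image library.
"""

def downscale(pixels, width, height):
    """Nearest-neighbour resize of a 2D grayscale grid."""
    src_h, src_w = len(pixels), len(pixels[0])
    return [[pixels[y * src_h // height][x * src_w // width] for x in range(width)]
            for y in range(height)]

def dhash(pixels, hash_size=8):
    """dHash: shrink to (hash_size+1) x hash_size and emit a 1 bit where a pixel
    is darker than its right neighbour. Brightness shifts leave the bits intact."""
    small = downscale(pixels, hash_size + 1, hash_size)
    bits = 0
    for row in small:
        for x in range(hash_size):
            bits = (bits << 1) | int(row[x] < row[x + 1])
    return bits

def hamming(a, b):
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")

def make_image(fn, size=32):
    return [[fn(x, y) for x in range(size)] for y in range(size)]

# Constructed synthetic patterns standing in for real lure screenshots.
def vertical_stripes(x, y):
    return ((x // 4) % 2) * 120 + y * 3

def horizontal_stripes(x, y):
    return ((y // 4) % 2) * 120 + x * 3

# Hypothetical template database: template hash -> families using that lure.
TEMPLATE_DB = {
    "compat_notice": (dhash(make_image(vertical_stripes)), ["Emotet"]),
    "shared_notice": (dhash(make_image(horizontal_stripes)), ["Dridex", "TrickBot"]),
}

def classify(images, threshold=10):
    """Return every family whose template is within `threshold` bits of any image."""
    families = set()
    for img in images:
        h = dhash(img)
        for tmpl_hash, fams in TEMPLATE_DB.values():
            if hamming(h, tmpl_hash) <= threshold:
                families.update(fams)
    return sorted(families)

# A lightly edited re-use of the first template (constructed): brightened by 40
# and a white "stamp" added in the bottom-right corner; it should still match.
variant = make_image(lambda x, y: 255 if (y >= 28 and x >= 24) else vertical_stripes(x, y) + 40)
# An unrelated pattern that should match no template.
checkerboard = make_image(lambda x, y: (((x // 4) + (y // 4)) % 2) * 120)
```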

More technical details can be found here. For more boring details, you can refer here.