{ "id": "7db10c26-112c-4034-9b90-634748d024ad", "created_at": "2026-04-06T00:13:38.535817Z", "updated_at": "2026-04-10T13:13:05.572455Z", "deleted_at": null, "sha1_hash": "8204e6ef9c6269552f7c90cca303659e34bc9334", "title": "Further Evasion in the Forgotten Corners of MS-XLS", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 859036, "plain_text": "Further Evasion in the Forgotten Corners of MS-XLS\r\nBy Malware Enthusiast\r\nPublished: 2020-06-19 · Archived: 2026-04-05 17:29:41 UTC\r\nIt’s been a few weeks since my last discussion1 of Excel 4.0 macro shenanigans and the space continues to change. LastLine\r\npublished a great report2 which summarized the progression of weaponized macros from February through May. The good\r\nfolks at InQuest have continued3 identifying4 malicious5 macro documents6. @DissectMalware‘s excellent\r\nXLMMacroDeobfuscator7 has massively expanded its range of macro emulation, and FortyNorth Security released\r\nEXCELntDonut8, a tool for converting Donut9 shellcode into multi-architecture Excel 4.0 macros.\r\nOver the past few weeks I’ve also started seeing some of the files generated by my tool Macrome10 begin to trigger\r\ndetections on VirusTotal11. This is exactly the sort of thing I want to see – besides the fact that it implies that AV is getting\r\nbetter signal on this attack vector, it also provides an opportunity to improve my tool and take better guesses about what\r\ndirection attackers will pivot in the future. I’m a big believer in a @Mattifestation‘s approach to detection engineering12 and\r\ndetection from AV helps move the iterative development of tooling further along.\r\nAfter realizing that some of my samples were being detected, I took several documents that had been generated during\r\ntesting and submitted each of them to VirusTotal – only the larger documents appeared to be matching virus signatures. I did\r\na quick binary search of the document sizes between what was detected on VirusTotal and what wasn’t and discovered that if\r\na document had greater than 100 CHAR invocations, then it was considered malicious.\r\nA “safe” document with exactly 100 =CHAR() expressions\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 1 of 11\n\nA document that has one too many =CHAR() expressions\r\nWhile my generated document had obfuscated the usage of the CHAR function, clearly there was a signature that could\r\ndetect these alternate CHAR invocations. For reference, here is @DissectMalware’s macro_sheet_obfuscated_char rule13\r\nthat the generated document attempted to avoid:\r\nrule macro_sheet_obfuscated_char\r\n{\r\n meta:\r\n description = \"Finding hidden/very-hidden macros with many CHAR functions\"\r\n Author = \"DissectMalware\"\r\n Sample = \"0e9ec7a974b87f4c16c842e648dd212f80349eecb4e636087770bc1748206c3b (Zloader)\"\r\n strings:\r\n $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}\r\n $macro_sheet_h1 = {85 00 ?? ?? ?? ?? ?? ?? 01 01}\r\n $macro_sheet_h2 = {85 00 ?? ?? ?? ?? ?? ?? 02 01}\r\n $char_func = {06 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? 1E 3D 00 41 6F 00}\r\n condition:\r\n $ole_marker at 0 and 1 of ($macro_sheet_h*) and #char_func \u003e 10\r\n}\r\nMy previous blog post discussed how to break the longer signature for $char_func , but it didn’t address what to do if the\r\nsignature for the CHAR function were more reliable. In this case the signature was likely only the the three bytes of a\r\nPtgFunc14 invocation with the CHAR Ftab value15 ( 41 6F 00 ) but repeatedly occurring enough times to avoid false\r\npositives. This is likely the reason for the “high” minimum count requirement of 101+ instances versus the 11+ in the\r\nmacro_sheet_obfuscated_char rule.\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 2 of 11\n\nAn obfuscated invocation of CHAR(65) that triggered results on VirusTotal after 101+ instances were used\r\nOne “quick” hack to bypass this signature is to abuse the fact that PtgFuncVar16 can be used instead of PtgFunc to invoke\r\nthe CHAR function ( 42 01 6F 00 ). PtgFuncVar is largely identical to PtgFunc except for the fact that PtgFuncVar must\r\nalso be provided with the number of arguments being passed into the called function. While PtgFunc is only used to call\r\nfunctions with a fixed number of arguments, there is nothing that stops us from invoking PtgFuncVar and providing the\r\ncorrect argument count. PtgFunc(CHAR) is identical to PtgFuncVar(1,CHAR).\r\nHex dump of a FORMULA17\r\n BIFF8 record using the alternate PtgFuncVar(1,CHAR) invocation\r\nThis is a nice signature evasion trick, but it ultimately is vulnerable to the same method of detection, just with a slightly\r\ndifferent byte signature. Fundamentally, many tricks that macro sheets rely on in order to deobfuscate themselves will rely\r\non invoking a handful of functions repeatedly. Large macro payloads can require invoking some form of CHAR and\r\nFORMULA hundreds of times – what will adversaries do once there are better signatures put into place for detecting\r\nsuspiciously repeated usages of these functions?\r\nRe-Enter the Subroutine\r\nIn normal programming, when we constantly call the same code over and over again, we write a function. Even in VBA\r\nmacros, the idea of subroutines exist to allow for simple code-reuse. While the Excel 4.0 Macro Functions Reference18\r\nmentions the idea of Excel 4.0 macro subroutines several times – it never actually details how these can be created.\r\nIn practice, Excel 4.0 macro subroutines are really just a sequence of RUN and RETURN functions. A subroutine is\r\ninvoked by calling the RUN function with an argument referencing the start cell of the sub-macro. Execution then starts at\r\nthat cell and continues down the column until a RETURN function is invoked. The argument passed to RETURN is what\r\nthe return value of the function will be. For example, if we wanted to create a subroutine that would eventually return the\r\nstring “Hello World”, it would look something like this:\r\nA simple example of an Excel 4.0 macro subroutine – it will eventually pop up an alert saying “Hello World”\r\nExcel actually even aliases the RUN command by letting users specify a cell reference or cell name and invoke it directly by\r\nappending () to the invocation as seen below:\r\nThis is functionally identical to the previous Macro sheet\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 3 of 11\n\nThis is also the same, except B1 has been named MySub\r\nIt’s not a very common way to see macros used right now, but malware authors are clearly already aware of this19 as can be\r\nseen from a sample shared by @JohnLaTwc and analyzed by @DissectMalware:\r\nExample behavior from a maldoc submitted to VirusTotal in March 201920 (Image from @DissectMalware)\r\nWhile using subroutines in this way might be slightly helpful for slowing analysis of a document, it’s really only dipping its\r\ntoes into the potential of “proper” subroutine usage in a maldoc. For example, what if instead of having the byte sequence\r\n41 6F 00 every time we invoked CHAR, we moved the CHAR expression into a subroutine and just invoked the\r\nsubroutine repeatedly? The predictable function invocation would only appear once, and it would be much harder to claim\r\nthat EVERY usage of CHAR is malicious. Even Windows Defender’s aggressive blocking of =CHAR(#) invocations\r\nrequires other conditions beyond matching three bytes. Here’s an example of what replacing the CHAR expression with a\r\nsubroutine looks like:\r\nWe can actually “create” our subroutine at runtime using SET.NAME to specify the subroutine cell and its\r\nargument\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 4 of 11\n\nSo this is slightly different from our previous examples, but the main difference is that we are invoking SET.NAME in order\r\nto specify two values:\r\n1. We are defining the value of InvokeCharSub to be equivalent to a reference to cell B1. Later we invoke it using\r\nInvokeCharSub(), though we could also use RUN(InvokeCharSub).\r\n2. We are setting the value of the name “arg” to 65. This is essentially how we pass arguments to our subroutine. While\r\nthere does appear to be an ARGUMENT function that allows explicitly defining names to store arguments, I haven’t\r\nbeen able to make this work any differently than just manually setting names or cell values. While porting\r\nEXCELntDonut macros into Macrome21 I also realized that you can simply write arg=65 in an Excel cell, and it will\r\nautomatically be interpreted as SET.NAME(“arg”,65)\r\nWhat a User Defined Function invocation looks like in byte form\r\nUnder the covers when we call InvokeCharSub(), we are having Excel call a user defined function through the\r\nPtgFuncVar Parse Thing object. User defined functions are a PtgFuncVar edge case – one of the arguments provided to the\r\nPtgFuncVar must be a PtgName22. PtgName objects reference a Lbl23 entry stored within the Excel Workbook’s Globals\r\nSubstream24. In this case, we are looking for the 3rd Lbl entry in the substream – it’s also worth noting that the index here\r\nstarts at 1, rather than 0. We’ll come back to some “fun” that malware authors can have with these labels later.\r\nThe Lbl list from our test document’s Globals Substream – the 3rd item is InvokeCharSub, our subroutine\r\nname\r\nSo we have a mechanism to replace our CHAR function invocations with SET.NAME invocation followed by a call to a\r\nuser defined function. This turns one very simple cell into two cells, but there’s a workaround for that as well. A final\r\npossible optimization to reduce the size of our document is to combine our variable assignment with the invocation of our\r\nsubroutine by abusing the IF function to execute two expressions in a single cell – for example:\r\n=IF(SET.NAME(\"var\",65),invokeChar(),)\r\nThe invocation of SET.NAME here saves us from having to use two cells to invoke our subroutine and lets us use a single\r\ncell which cuts down on our FORMULA record count by about half. This is the approach used by the CharSubroutine\r\nmethod in Macrome10.\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 5 of 11\n\nGoing back to @Mattifestation‘s detection engineering approach – let’s think about how we could detect this sort of\r\napproach and then analyze it. From a detection standpoint, a massive number of invocations of SET.NAME and\r\nPtgFuncVar objects with a user defined function would likely stand out. For example, if we look at the above IF statement\r\nat the byte level we get something like:\r\nA single FORMULA record containing the SET.NAME and user defined function invocation\r\nWe can create a signature for this by keying on the presence of a PtgFuncVar invocation of SET.NAME ( 42 02 58 00 )\r\nwith some arbitrary locality to a PtgFuncVar invoking a user defined function ( 42 ?? FF 00 – the Ftab value is FF 00 ,\r\nbut we need a wildcard since we can’t necessarily guess the argument count). Our signature doesn’t need to care if\r\nSET.NAME comes before or after the user defined function, we just want to check for a large number of these instances. A\r\nYara25 signature for this could look like:\r\nrule msxls_set_name_and_invoke_udf\r\n{\r\n meta:\r\n description = \"Finding XLS2003 documents with a suspicious number of SET.NAME and User Defined Function invocations\"\r\n Author = \"Michael Weber (@BouncyHat)\"\r\n strings:\r\n $ole_marker = {D0 CF 11 E0 A1 B1 1A E1}\r\n $setname_invokeudf = {42 02 58 00 [0-100] 42 ?? FF 00}\r\n $invokeudf_setname = {42 ?? FF 00 [0-100] 42 02 58 00}\r\n condition:\r\n $ole_marker at 0 and (#setname_invokeudf \u003e 100 or #invokeudf_setname \u003e 100)\r\n}\r\nNote that the wildcard range [0-100] probably makes this computationally expensive to run on a large dataset, but the\r\nupper bound of 100 wildcard bytes could be lowered as needed.\r\nThis signature could still be avoided (as is true for most signatures) with a little additional effort on the part of the attacker.\r\nAs demoed in Outflank’s research26, we can use Excel’s WHILE functionality to iterate over a column of seemingly\r\nharmless numbers and use them to build strings of binary data or additional macro statements to populate with the\r\nFORMULA function.\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 6 of 11\n\nHere we have a Macro, starting at B1, that replaces our numerous CHAR() invocations with a subroutine at\r\nA1\r\nBut let’s assume that there is a foolproof signature to identify our document and that our document has made its way into the\r\nhands of an analyst armed with a tool like XLMMacroDeobfuscator6 or olevba27. Are there any weird behaviors that can be\r\nabused to trick analysts attempting to examine our document? Thanks to Excel’s “flexibility” with Lbl records, the answer is\r\nyes.\r\n(Ab)Using Names in Excel 4.0 Macros\r\nThe usage of Lbl record lookups when resolving names is another opportunity for malware authors to frustrate analysis. In\r\nmy previous blog post1 I discussed how Excel’s flexible handling of the Auto_Open Lbl record made signature creation\r\nextremely challenging. It seems like similar issues would apply to “variable” and subroutine name invocation as well. For\r\nexample – what would you expect the output of the following macro sheet to be?\r\nAssuming case sensitivity were used, the string “arg” should be displayed\r\nBut Excel Lbl records are much more flexible than that\r\nThis looks like a nice trick, but it doesn’t appear to do much to frustrate analysis – at a glance. Just HOW flexible is Excel’s\r\ninterchangeability with upper case and lower case letters?\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 7 of 11\n\nWhat happens if we go into the Unicode character sets?\r\nObviously the lower case Zeta symbol (ζ) was going to overwrite that capital Zeta (Ζ)\r\nIt’s pretty flexible. There are a surprising number of multi-case characters to confuse Excel, just take a glance at the library\r\nof valid lower case Unicode characters28. Unfortunately, for defenders, the PtgStr record29 used by Excel to invoke\r\nSET.NAME will happily allow attackers to set arbitrary Unicode content for arguments, so this is a challenging situation to\r\navoid. The issues don’t stop at casing confusion either – Excel also respects Unicode Equivalence30. This behavior, which is\r\npart of the Unicode specification31, is a consistent32 source of pain33 in the security world34.\r\nOne example of how Unicode Equivalence can frustrate analysis is Decomposed Unicode. Decomposed Unicode values are\r\nalternate representations of Unicode characters that use a series of characters instead of a single Unicode character. For\r\nexample – consider the Unicode character ḁ\r\n35\r\n. This can be represented as 2 bytes in UTF-16 (Excel’s Unicode\r\ninterpretation) as 1E 01 . Alternatively, we can represent it as the letter a and the ◌̥ combining diacritical mark36 – or 00\r\n61 03 25 . (Note: These diacritical marks are the same bit of fun that can be used to create Zalgo monstrosities37\r\n)\r\nThere also exist Unicode characters, like the Combining Graphene Joiner38 ( 03 4F ) which are essentially no-op characters\r\nfor most Unicode strings. The Wikipedia article for the character explicitly describes it as “default ignorable” in the first\r\nsentence:\r\n“The combining grapheme joiner (CGJ), U+034F COMBINING GRAPHEME JOINER (HTML ) is a\r\nUnicode character that has no visible glyph and is “default ignorable” by applications.”\r\nhttps://en.wikipedia.org/wiki/Combining_Grapheme_Joiner\r\nFinally, there are a sizable number of Unicode whitespace characters39 which can change the byte contents of a string\r\nwithout changing its appearance. The “most interesting” of these whitespace characters are the zero-width Unicode\r\ncharacters. A zero-width character makes no visible change to the label. Some of these characters are ignored by Excel when\r\ncomparing strings (U+200C, U+200D, U+2060, and U+FFEF), but others (U+180E and U+200B) are not. These characters\r\ncan be used to pad variable names, or create decoy names that look the same but are not actually assigned when invoking\r\nSET.NAME.\r\nThere’s nothing fundamentally bad about following the Unicode specification, but combining support for Unicode\r\nequivalence with some of Excel’s other flexibility can lead to very counter-intuitive equivalencies. For example, 1E 01 (ḁ)\r\nis considered the same as 20 60 00 41 03 25 03 4F 00 (a decomposed Ḁ with some ignored Unicode characters added to\r\nthe string). Replacing some of those bytes with a 18 0E or 20 0B would break the equivalency as well, which allows us\r\nto create strings that look identical, but are not treated as such by Excel. In practice this lets us create, using Macrome’s\r\n10\r\nAntiAnalysisCharSubroutine method, the following content :\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 8 of 11\n\nIt is random whether the first SET.NAME or second SET.NAME in each cell set the value passed to the\r\nsubroutine\r\nAlthough the vḁr strings appear to be identical, they are in fact quite different on disk. This means that any analysis of the\r\ncell to figure out what will actually happen will require running Excel or manually reproducing Excel’s EXACT handling of\r\nUnicode characters. Reproducing the behavior is going to require handling a lot of edge cases. If you want a sense of what\r\nanalysts could be up against, here’s what the above example looks like in binary:\r\nNote that both SET.NAME arguments are very different from the Lbl name used in\r\n=RETURN(CHAR(‘vḀr’))\r\nIn the above example the “Real” argument bytes are considered a match for the Lbl name bytes, but the “Decoy” argument\r\nbytes are not. The fact that Lbl record strings can be so wildly different from the PtgStr arguments passed to SET.NAME\r\nmakes it challenging to follow Excel’s data flow without actually running Excel. Even then, Excel isn’t consistent with\r\nhandling Unicode values – see what happens when null bytes are injected into the Auto_Open label after the u character:\r\nThe Name Manager sees Au, but the cell label is AuTo_OpEn\r\nGiven the already low detection rate for Excel 4.0 macros in the wild, we may never see attackers need to rely on this level\r\nof trickery. If AV does start getting better signal with their signatures though, I will not be surprised to see various forms of\r\nUnicode abuse begin to crop up.\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 9 of 11\n\nUpdates to Macrome\r\nIn the process of digging deeper into Excel documents, I’ve often come across a need to examine the byte content of specific\r\nrecords as a hex dump. While I don’t mind crawling through a wall of hex text, I’ve managed to save some time by\r\nmodifying my tool Macrome to dump the hex content of Lbl and Formula records. All of the hex examples from this post\r\nwere generated using this dump functionality. I’ve also implemented code for generating proof-of-concept documents using\r\nsome of the subroutine and Unicode shenanigans that I discussed in this post. If you want to try generating some malicious\r\ndocuments to see how your tooling will handle these kinds of documents I’d suggest heading over to\r\nhttps://github.com/michaelweber/Macrome and grabbing the latest release.\r\nAs always, if folks have any suggestions for features or improvements, please let me know here in the comments or open an\r\nissue on the Github project page.\r\nReferences\r\n1. https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/\r\n2. https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/\r\n3. https://inquest.net/flash-alerts/IQ-FA004%3AMultiple_Actors_Abusing_New_Macro_Methods\r\n4. https://twitter.com/InQuest/status/1268568312499376130\r\n5. https://twitter.com/DissectMalware/status/1268491222299086854\r\n6. https://github.com/DissectMalware/XLMMacroDeobfuscator\r\n7. https://twitter.com/Anti_Expl0it/status/1269895583633829888\r\n8. https://github.com/FortyNorthSecurity/EXCELntDonut/\r\n9. https://github.com/TheWover/donut\r\n10. https://github.com/michaelweber/Macrome\r\n11. https://www.virustotal.com/gui/file/b159b25b80b1830acf40813c06a48f3e72666720b7efcd406ea5031c7f214c31/detection\r\n12. https://twitter.com/mattifestation/status/1263416936517468167\r\n13. https://pastebin.com/V8SGgdZL\r\n14. https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/87ce512d-273a-4da0-a9f8-26cf1d93508d\r\n15. https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/00b5dd7d-51ca-4938-b7b7-483fe0e5933b\r\n16. https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/5d105171-6b73-4f40-a7cd-6bf2aae15e83\r\n17. https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/8e3c6978-6c9f-4915-a826-07613204b244\r\n18. https://exceloffthegrid.com/using-excel-4-macro-functions/\r\n19. https://twitter.com/DissectMalware/status/1269535826813366273\r\n20. https://www.virustotal.com/gui/file/a53be0bd2a838ffe172181f3953a2bc8a1b7c447fb56d885391921a7c3eac1f9/details\r\n21. https://github.com/michaelweber/Macrome/releases/tag/0.2.0\r\n22. https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/5f05c166-dfe3-4bbf-85aa-31c09c0258c0\r\n23. https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/d148e898-4504-4841-a793-ee85f3ea9eef\r\n24. https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/ca4c1748-8729-4a93-abb9-4602b3a01fb1\r\n25. https://virustotal.github.io/yara/\r\n26. https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/\r\n27. https://github.com/decalage2/oletools/wiki/olevba\r\n28. https://www.compart.com/en/unicode/category/Ll\r\n29. https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-xls/87c2a057-705c-4473-a168-6d5fac4a9eba\r\n30. https://en.wikipedia.org/wiki/Unicode_equivalence\r\n31. https://www.unicode.org/versions/Unicode13.0.0/UnicodeStandard-13.0.pdf\r\n32. https://www.dionach.com/en-us/blog/fun-with-sql-injection-using-unicode-smuggling/\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 10 of 11\n\n33. https://hackernoon.com/%CA%BC-%C5%9B%E2%84%87%E2%84%92%E2%84%87%E2%84%82%CA%88-\r\nhow-unicode-homoglyphs-will-break-your-custom-sql-injection-sanitizing-functions-1224377f7b51\r\n34. https://book.hacktricks.xyz/pentesting-web/unicode-normalization-vulnerability\r\n35. https://www.compart.com/en/unicode/U+1E01\r\n36. https://www.compart.com/en/unicode/U+0325\r\n37. https://zalgo.it/en/\r\n38. https://en.wikipedia.org/wiki/Combining_Grapheme_Joiner\r\n39. https://en.wikipedia.org/wiki/Whitespace_character\r\nSource: https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nhttps://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/\r\nPage 11 of 11", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/" ], "report_names": [ "further-evasion-in-the-forgotten-corners-of-ms-xls" ], "threat_actors": [ { "id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d", "created_at": "2022-10-25T16:07:24.139848Z", "updated_at": "2026-04-10T02:00:04.878798Z", "deleted_at": null, "main_name": "Safe", "aliases": [], "source_name": "ETDA:Safe", "tools": [ "DebugView", "LZ77", "OpenDoc", "SafeDisk", "TypeConfig", "UPXShell", "UsbDoc", "UsbExe" ], "source_id": "ETDA", "reports": null }, { "id": "2864e40a-f233-4618-ac61-b03760a41cbb", "created_at": "2023-12-01T02:02:34.272108Z", "updated_at": "2026-04-10T02:00:04.97558Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "ETDA:WildCard", "tools": [ "RustDown", "SysJoker" ], "source_id": "ETDA", "reports": null }, { "id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e", "created_at": "2023-11-30T02:00:07.299845Z", "updated_at": "2026-04-10T02:00:03.484788Z", "deleted_at": null, "main_name": "WildCard", "aliases": [], "source_name": "MISPGALAXY:WildCard", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434418, "ts_updated_at": 1775826785, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/8204e6ef9c6269552f7c90cca303659e34bc9334.pdf", "text": "https://archive.orkl.eu/8204e6ef9c6269552f7c90cca303659e34bc9334.txt", "img": "https://archive.orkl.eu/8204e6ef9c6269552f7c90cca303659e34bc9334.jpg" } }