|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 09.10.2019

Analyzing malicious documents


metadata


Document metadata can contain useful information, such as the author's name.

exiftool document.pdf

You can also use exiftool to clear metadata.

exiftool -all= document.pdf

This does not yet work with OpenDocument formats. In LibreOffice you can untick "Apply user data" and reset the properties under File -> Properties.

visual basic for applications macros


Microsoft Office allows VBA scripts to be embedded in its documents. Many attacks start by e-mailing the target an Office document that contains a malicious script.

VBA that runs an executable when the document is opened

Private Sub Document_Open()
    Shell "C:\windows\System32\calc.exe", vbNormalFocus
End Sub

dump macros

olevba evil.docm

dump p-code disassembly

A tool like Evil Clippy can create Office documents whose compiled p-code differs from the embedded macro source code (known as VBA stomping). The code that actually runs then differs from the source shown by tools such as olevba.

EvilClippy.exe -g evil.docm
EvilClippy.exe -s fakemacro.txt evil.docm

With pcodedmp you can extract the disassembly of the p-code.

pcodedmp evil.docm

find external templates

unzip evil.docm -d evil
grep -Hr attachedTemplate evil
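The two checks above (an embedded VBA project and an attachedTemplate reference) done with only the Python standard library, as an added example that is not part of these notes and not oletools code. The sample document is constructed in memory, the template URL is a placeholder, and the zip is only docm-like, not a valid Word file.

```python
"""Triage an OOXML document (docm, docx, xlsm, pptm) for two of the indicators
covered above: an embedded VBA project and an attached (external) template.
This is an added example with only the standard library; it is not part of the
original notes and not oletools code.  The sample document is constructed
in memory so the script runs offline."""
import io
import re
import zipfile

# Relationship type Word uses for an attached template (the attachedTemplate
# element in settings.xml resolves through a relationship of this type).
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")


def triage_ooxml(data: bytes) -> dict:
    """Return the VBA project parts and any attachedTemplate relationships."""
    findings = {"vba_parts": [], "attached_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            # Macros live in an OLE container named vbaProject.bin
            # (under word/, xl/ or ppt/ depending on the application).
            if name.lower().endswith("vbaproject.bin"):
                findings["vba_parts"].append(name)
            # Relationship parts describe links to other parts or to
            # external URLs; a remote template is loaded from here.
            if name.endswith(".rels"):
                xml = zf.read(name).decode("utf-8", errors="replace")
                for rel in re.finditer(r"<Relationship\b[^>]*>", xml):
                    tag = rel.group(0)
                    if "attachedTemplate" not in tag:
                        continue
                    target = re.search(r'Target="([^"]*)"', tag)
                    mode = re.search(r'TargetMode="([^"]*)"', tag)
                    findings["attached_templates"].append({
                        "part": name,
                        "target": target.group(1) if target else "",
                        "external": bool(mode and mode.group(1) == "External"),
                    })
    return findings


def build_sample() -> bytes:
    """Constructed minimal docm-like zip (not a valid Word file) carrying
    both indicators; the template URL is a placeholder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        # OLE compound file magic plus padding stands in for a real project.
        zf.writestr("word/vbaProject.bin",
                    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24)
        zf.writestr(
            "word/_rels/settings.xml.rels",
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="%s" '
            'Target="http://template.example.com/remote.dotm" TargetMode="External"/>'
            '</Relationships>' % TEMPLATE_REL,
        )
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_ooxml(build_sample()).items():
        print(key, value)
```

An external target with TargetMode="External" is the case worth escalating: the document fetches its template (and any macros it carries) from a remote host at open time, so olevba on the file itself shows nothing. Run triage_ooxml on the real file bytes instead of build_sample() for actual use.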

javascript in pdf documents


pdfid evil.pdf
pdf-parser evil.pdf | grep -B 10 \/JS
pdf-parser -o <OBJ_ID> -f -w -d output.js evil.pdf

To analyze more complicated code dynamically, you can execute the extracted script with Rhino or Node.js.
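A minimal version of what pdfid does for the keywords above, as an added example that is neither part of these notes nor pdfid or pdf-parser code. It decodes #xx name escapes first, because PDF lets any character of a name be written that way (so /J#53 is the same name as /JS), which a plain grep for /JS misses. The sample PDF is constructed inline and is not a real file.

```python
"""Count the PDF keywords that indicate active content, the ones pdfid
reports (/JS, /JavaScript, /OpenAction, /AA, /Launch, /EmbeddedFile).
Added example, not from the original notes nor from pdfid or pdf-parser.
Names are decoded first, because the PDF syntax lets any character of a
name be written as #xx (so /J#53 is the same name as /JS), which defeats a
plain grep for /JS.  The sample PDF is constructed inline and is not a
real file."""
import re
from collections import Counter

SUSPICIOUS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

# A name token: '/' then regular characters or #xx escapes, up to a delimiter.
NAME_RE = re.compile(rb"/(?:[^\s/\[\]<>(){}%#]|#[0-9A-Fa-f]{2})+")


def normalise_name(token: bytes) -> str:
    """Decode #xx escapes so that /J#53 and /JS compare equal."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), token)
    return decoded.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Return per-keyword counts and how many hits used #xx obfuscation."""
    counts = Counter()
    obfuscated = 0
    for match in NAME_RE.finditer(data):
        raw = match.group(0)
        name = normalise_name(raw)
        if name in SUSPICIOUS:
            counts[name] += 1
            if b"#" in raw:
                obfuscated += 1
    return {"counts": dict(counts), "obfuscated_names": obfuscated}


# Constructed sample: a catalog whose OpenAction points at a JavaScript
# action, with the /JS key written using a #xx escape.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Type /Action /S /JavaScript /J#53 (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

Like pdfid, this only sees the uncompressed syntax: keywords inside FlateDecode streams (object streams in particular) are invisible until the stream is inflated, which is what the -f option of pdf-parser does before the grep above. A non-zero obfuscated_names count on its own is a strong hint, since legitimate writers have no reason to escape these names.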

self extracting archives


rar

If a RAR archive contains SFX script commands, unrar will list them.

unrar l archive

adobe flash


swftools

swfdump file.swf
swfdump -a file.swf
swfextract file.swf
swfextract -b 1 -o extracted.bin file.swf

To decompile SWF files I use the free Java tool jpexs-decompiler.
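The SWF container that swfdump and swfextract operate on, parsed by hand as an added example that is not part of these notes and not swftools code: it reads the header, inflates a zlib-compressed (CWS) file, checks the declared length and walks the tag list to flag the tags that carry ActionScript. The sample file is constructed inline; LZMA-compressed (ZWS) files are deliberately left unhandled.

```python
"""Parse the SWF container around the swftools commands above: read the
header, inflate a zlib-compressed (CWS) file, and walk the tag list to
flag tags that carry ActionScript.  Added example, not from the original
notes or from swftools; the sample file is constructed inline."""
import struct
import zlib

# Tag codes that carry executable ActionScript (from the SWF specification).
SCRIPT_TAGS = {12: "DoAction", 59: "DoInitAction", 82: "DoABC"}


def iter_tags(body: bytes):
    """Yield (code, payload) for every tag after the RECT/frame header."""
    nbits = body[0] >> 3                       # RECT: 5-bit field size, then 4 fields
    pos = (5 + 4 * nbits + 7) // 8             # RECT size rounded up to whole bytes
    pos += 4                                   # frame rate (UI16) + frame count (UI16)
    while pos + 2 <= len(body):
        code_and_len = struct.unpack_from("<H", body, pos)[0]
        pos += 2
        code, length = code_and_len >> 6, code_and_len & 0x3F
        if length == 0x3F:                     # long form: explicit UI32 length
            length = struct.unpack_from("<I", body, pos)[0]
            pos += 4
        yield code, body[pos:pos + length]
        pos += length
        if code == 0:                          # End tag
            break


def parse_swf(data: bytes) -> dict:
    """Return header fields, a length sanity check and the tag list."""
    if len(data) < 8:
        raise ValueError("too short to be a SWF")
    sig, version = data[:3], data[3]
    declared_len = struct.unpack("<I", data[4:8])[0]
    if sig == b"FWS":
        compression, body = "none", data[8:]
    elif sig == b"CWS":
        compression, body = "zlib", zlib.decompress(data[8:])
    elif sig == b"ZWS":
        # LZMA-compressed SWF (version 13+) adds a length field and a raw
        # LZMA stream; left unsupported here to keep the example short.
        raise NotImplementedError("ZWS (LZMA) not handled in this example")
    else:
        raise ValueError("not a SWF signature")
    tags = list(iter_tags(body))
    return {
        "compression": compression,
        "version": version,
        "declared_length": declared_len,
        # The declared length covers the 8-byte header plus the uncompressed
        # body; a mismatch points at a truncated or hand-crafted file.
        "length_ok": declared_len == 8 + len(body),
        "tags": tags,
        "script_tags": [SCRIPT_TAGS[c] for c, _ in tags if c in SCRIPT_TAGS],
    }


def build_sample_cws() -> bytes:
    """Constructed CWS file: empty RECT, 12 fps, one frame, a one-byte
    DoAction tag (just ActionEnd) and the End tag."""
    rect = b"\x00"                             # nbits = 0, all four fields empty
    frame_rate = b"\x00\x0c"                   # 8.8 fixed point, 12.0 fps
    frame_count = b"\x01\x00"
    do_action = struct.pack("<H", (12 << 6) | 1) + b"\x00"
    end_tag = b"\x00\x00"
    body = rect + frame_rate + frame_count + do_action + end_tag
    return b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


if __name__ == "__main__":
    info = parse_swf(build_sample_cws())
    print(info["compression"], info["version"], info["length_ok"], info["script_tags"])
```

A file whose script_tags list is non-empty is the one to hand to swfdump -a or the decompiler; the inflated body returned for CWS files is also what you would feed to swfextract-style carving if a sample arrives compressed.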