Last changed: 08.07.2020
Analyzing malicious documents
metadata
Metadata of documents can contain interesting information like the name of the author.
exiftool -G -s document.pdf
exiftool -pdf:* -s document.pdf
You can also use exiftool to change or clear metadata.
exiftool -pdf:Author="me ;-)" document.pdf
exiftool -all= document.pdf
WARNING: This is reversible. exiftool writes the change as an incremental update appended to the end of the PDF; the original metadata objects stay in the file. If the appended data at the end of the file is removed, the old values are restored.
This does not work with open document formats yet. In LibreOffice you can deactivate "Apply user data" and reset the properties in the menu under File -> Properties.
manually parse xml files
xmllint --format docProps/core.xml
visual basic for applications macros
Microsoft Office allows VBA scripts to be embedded in its documents. Many attacks start with an e-mail to the target that carries an Office document containing a malicious macro.
VBA running executable when opened
Private Sub Document_Open()
Shell "C:\windows\System32\calc.exe", vbNormalFocus
End Sub
dump macros
olevba evil.docm
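olevba flags auto-executing procedures and suspicious calls in the extracted source; the following is an added example (not part of these notes and not olevba's code) that applies the same kind of keyword triage to a module's source text. The keyword lists are my own short selection, the two VBA samples are constructed (the first is the Document_Open macro from above), and the verdict thresholds are an assumption.

```python
import re

# Procedures Office runs on its own when a document is opened, closed or
# activated: a macro with one of these names needs no click to execute.
AUTOEXEC = [
    "AutoOpen", "Document_Open", "Workbook_Open", "Auto_Open",
    "AutoClose", "Document_Close", "Workbook_Close", "AutoExec",
    "Workbook_Activate", "Document_New",
]

# Calls rarely needed in a benign office macro but typical for droppers
# (own selection, modelled on the kind of list olevba uses).
SUSPICIOUS = [
    "Shell", "CreateObject", "WScript.Shell", "Environ", "URLDownloadToFile",
    "ADODB.Stream", "XMLHTTP", "Declare", "PowerShell", "cmd.exe", "Kill",
    "CallByName", "ExecuteExcel4Macro", "SaveToFile",
]


def _present(token, text):
    """Case-insensitive search; identifier-like tokens get word boundaries so
    'Kill' does not match 'Skill'."""
    pat = re.escape(token)
    if re.fullmatch(r"\w+", token):
        pat = r"\b" + pat + r"\b"
    return re.search(pat, text, re.I) is not None


def scan_vba(source):
    """Triage summary for one VBA module's source text."""
    autoexec = [k for k in AUTOEXEC if _present(k, source)]
    suspicious = [k for k in SUSPICIOUS if _present(k, source)]
    # Runs of Chr()/ChrW() and hex literals hide strings from grep-style review
    chr_calls = len(re.findall(r"\bChrW?\s*\(", source, re.I))
    hex_literals = len(re.findall(r"&H[0-9A-F]{2,}", source, re.I))
    if autoexec and suspicious:
        verdict = "high"       # runs by itself and does something unusual
    elif autoexec or suspicious or chr_calls >= 10:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "autoexec": autoexec,
        "suspicious": suspicious,
        "chr_calls": chr_calls,
        "hex_literals": hex_literals,
        "verdict": verdict,
    }


# Constructed samples: the macro from these notes, an obfuscated variant, a benign one
SAMPLE_DROPPER = r'''
Private Sub Document_Open()
    Shell "C:\windows\System32\calc.exe", vbNormalFocus
End Sub
'''

SAMPLE_OBFUSCATED = r'''
Sub AutoOpen()
    Dim c As String
    c = Chr(99) & Chr(97) & Chr(108) & Chr(99)
    CreateObject("WScript.Shell").Run c
End Sub
'''

SAMPLE_BENIGN = r'''
Sub BoldHeader()
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("dropper", SAMPLE_DROPPER),
                      ("obfuscated", SAMPLE_OBFUSCATED),
                      ("benign", SAMPLE_BENIGN)):
        print(name, scan_vba(src))
```

A "high" verdict here only means the module deserves a manual read and a p-code comparison (see below); a "low" verdict on the source says nothing about stomped p-code, because the source shown may not be what runs.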
dump p-code disassembly
A tool like Evil Clippy can create Office documents where the p-code differs from the embedded macro source code. This way the code that is actually executed differs from the code that is shown e.g. by olevba.
EvilClippy.exe -g evil.docm
EvilClippy.exe -s fakemacro.txt evil.docm
With pcodedmp you can extract the disassembly of the p-code.
pcodedmp evil.docm
find external templates
unzip evil.docm -d evil
grep -Hr attachedTemplate
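The xmllint and grep steps above (manually parsing docProps/core.xml and looking for attachedTemplate) can be done in one pass over the OOXML zip container. The following is an added example, not code from these notes: it reads the core properties, resolves an attachedTemplate reference through word/_rels/settings.xml.rels to its target URL, and reports whether a vbaProject.bin part is present. The sample container, its author names and the template URL are constructed for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of the OOXML parts inspected here
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
}


def core_metadata(zf):
    """Author, last editor and timestamps from docProps/core.xml ({} if absent)."""
    if "docProps/core.xml" not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read("docProps/core.xml"))
    wanted = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy",
              "created": "dcterms:created", "modified": "dcterms:modified"}
    out = {}
    for key, path in wanted.items():
        text = root.findtext(path, namespaces=NS)
        if text:
            out[key] = text
    return out


def attached_templates(zf):
    """External template targets. word/settings.xml carries
    <w:attachedTemplate r:id="..."/>; the relationship file maps the id to a URL."""
    names = zf.namelist()
    if "word/settings.xml" not in names or "word/_rels/settings.xml.rels" not in names:
        return []
    settings = ET.fromstring(zf.read("word/settings.xml"))
    rid_attr = f"{{{NS['r']}}}id"
    rids = {el.get(rid_attr) for el in settings.iter(f"{{{NS['w']}}}attachedTemplate")}
    rels = ET.fromstring(zf.read("word/_rels/settings.xml.rels"))
    return [rel.get("Target") for rel in rels if rel.get("Id") in rids]


def triage(doc_bytes):
    """Summary of the three things the notes grep for, from one OOXML file."""
    zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    names = zf.namelist()
    return {
        "metadata": core_metadata(zf),
        "attached_templates": attached_templates(zf),
        "has_vba": any(n.lower().endswith("vbaproject.bin") for n in names),
    }


def build_sample_docm():
    """Constructed minimal docm-like container (not a real Office file)."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:creator>Sample Author</dc:creator>'
            '<cp:lastModifiedBy>Sample Editor</cp:lastModifiedBy>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2020-07-01T10:00:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2020-07-08T12:00:00Z</dcterms:modified>'
            '</cp:coreProperties>') % (NS["cp"], NS["dc"], NS["dcterms"])
    settings = ('<w:settings xmlns:w="%s" xmlns:r="%s">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>') % (NS["w"], NS["r"])
    rels = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            '<Relationship Id="rId1" Type="%s/attachedTemplate" '
            'Target="http://template.example.com/remote.dotm" TargetMode="External"/>'
            '</Relationships>') % NS["r"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("word/settings.xml", settings)
        zf.writestr("word/_rels/settings.xml.rels", rels)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder, not a real OLE file")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(build_sample_docm()))
```

The relationship lookup matters because the template URL never appears in settings.xml itself; a grep for attachedTemplate shows only the relationship id, so the .rels file is where the remote host is found.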
visual basic script
test.vbs
echo wscript.echo "Hello from VBS" > test.vbs
running vbs
Depending on the command you can run VBS with a GUI or in a console.
wscript test.vbs
cscript test.vbs
debug vbs with visual studio
Set the following registry key
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /d 1 /t REG_DWORD
Enable the Just-In-Time debugger in Visual Studio
Tools -> Options -> Debugging -> Just-In-Time -> Script
Run the script with debugging enabled
cscript //X test.vbs
pdf documents
javascript
pdfid evil.pdf
pdf-parser evil.pdf | grep -B 10 \/JS
pdf-parser -o <OBJ_ID> -f -w -d output.js evil.pdf
To analyze more complicated code parts dynamically you can use rhino or nodejs to execute the script.
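pdfid counts keywords such as /JS and /OpenAction, and it decodes #xx escapes in names first, because /J#53 is the same name as /JS to a PDF reader but invisible to a plain grep. The following is an added example, not from these notes and not pdfid's code, that implements that normalisation and the keyword count over a constructed sample PDF (the keyword list is my own selection).

```python
import re

# Names whose presence warrants a closer look (selection modelled on pdfid)
KEYWORDS = ["/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch",
            "/EmbeddedFile", "/URI", "/RichMedia", "/ObjStm", "/AcroForm", "/XFA"]

# A PDF name is '/' followed by regular characters (no whitespace or delimiters)
NAME_RE = re.compile(rb"/([^\s/<>\[\]()%{}]*)")
HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw):
    """Undo #xx escapes inside a name, e.g. b'J#53' -> b'JS'."""
    return HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def pdf_keyword_counts(data):
    """Return (counts, obfuscated): keyword and structure counts, plus the
    keywords that only appeared in hex-escaped form."""
    counts = {k: 0 for k in KEYWORDS}
    obfuscated = set()
    for m in NAME_RE.finditer(data):
        raw = m.group(1)
        key = (b"/" + decode_name(raw)).decode("latin-1")
        if key in counts:
            counts[key] += 1
            if b"#" in raw:
                obfuscated.add(key)
    # Structural tokens, counted as whole words so 'endobj' is not also 'obj'
    for token in ("obj", "endobj", "stream", "endstream"):
        pat = rb"(?<![A-Za-z])" + token.encode() + rb"(?![A-Za-z])"
        counts[token] = len(re.findall(pat, data))
    return counts, sorted(obfuscated)


# Constructed sample: a one-page PDF whose action names are hex-escaped
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /AA << /O 4 0 R >> >>
endobj
4 0 obj
<< /Type /Action /S /Ja#76aScript /J#53 (app.alert('constructed sample')) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    counts, obfuscated = pdf_keyword_counts(SAMPLE_PDF)
    for k, v in counts.items():
        if v:
            print(f"{k:14} {v}")
    print("hex-escaped keywords:", obfuscated)
```

A keyword that shows up only in escaped form is itself a signal: there is no legitimate reason for a generator to write /J#53 instead of /JS. Note that this scan sees nothing inside compressed streams or object streams, which is exactly the case where pdf-parser with -f (filter) is needed.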
decrypt
qpdf --password=pass123 --decrypt input.pdf output.pdf
self extracting archives
rar
If there are SFX script commands inside a rar archive, unrar will show them.
unrar l archive
packed python binaries
To extract Python executables packed with PyInstaller you can use pyinstxtractor and uncompyle6. If Python 2 was used for building the executable you have to use it for unpacking as well.
python2 pyinstxtractor.py evil_python.exe
python2 uncompyle6.py evil_python.exe_extracted/evil.pyc > src.py
Sometimes you will have to extract Python data from Linux ELF binaries with objcopy first.
objcopy --dump-section pydata=pydata.dump evil_python.elf
python2 pyinstxtractor.py pydata.dump
If the Python version used for packing differs from your local version you will have to modify the pyc files manually.
strings evil_python.exe | grep -e python.*dll
strings evil_python.elf | grep -e libpython
The corresponding magic numbers can be found in magic.py.
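The two steps above, finding the bundled interpreter version from the binary's strings and then fixing the pyc header so a decompiler accepts it, are shown in the following added example (my code, not from these notes, pyinstxtractor or uncompyle6). The magic table is a four-entry excerpt I am certain of; the sample byte strings are constructed. A pyc is a fixed header (magic, then timestamp/size or flags/hash fields depending on the version) followed by a marshalled code object, so two fixes are possible: swap the magic when the header layout is the same, or build a fresh header in front of a bare marshalled body.

```python
import importlib.util
import re

# Magic numbers (first four bytes of a .pyc): little-endian value + b"\r\n".
# Excerpt only; the full list is the magic.py the notes refer to.
MAGIC_BY_VERSION = {
    "2.7": b"\x03\xf3\x0d\x0a",
    "3.6": b"\x33\x0d\x0d\x0a",
    "3.7": b"\x42\x0d\x0d\x0a",
    "3.8": b"\x55\x0d\x0d\x0a",
}
VERSION_BY_MAGIC = {m: v for v, m in MAGIC_BY_VERSION.items()}


def guess_embedded_python(blob):
    """Interpreter version bundled in a packed binary, from the same strings
    the grep commands above look for: pythonXY.dll (Windows) or libpythonX.Y (ELF)."""
    m = re.search(rb"python(\d)(\d{1,2})\.dll", blob, re.I)
    if m:
        return f"{m.group(1).decode()}.{m.group(2).decode()}"
    m = re.search(rb"libpython(\d\.\d{1,2})", blob)
    if m:
        return m.group(1).decode()
    return None


def header_len(version):
    """Size of the pyc header for an interpreter version."""
    major, minor = (int(x) for x in version.split("."))
    if major == 2 or (major == 3 and minor < 3):
        return 8      # magic + mtime
    if minor < 7:
        return 12     # magic + mtime + source size
    return 16         # magic + flags + (mtime + size, or source hash)


def pyc_version(data):
    """Version string for a pyc's magic, or None if it is not in the table."""
    return VERSION_BY_MAGIC.get(bytes(data[:4]))


def local_matches(data):
    """True if the running interpreter would load this pyc unchanged."""
    return bytes(data[:4]) == importlib.util.MAGIC_NUMBER


def swap_magic(data, target):
    """Rewrite only the magic. Valid when source and target versions share the
    same header layout; otherwise the header has to be rebuilt."""
    current = pyc_version(data)
    if current is None:
        raise ValueError("unknown magic %r" % bytes(data[:4]))
    if header_len(current) != header_len(target):
        raise ValueError(f"header layout differs between {current} and {target}")
    return MAGIC_BY_VERSION[target] + bytes(data[4:])


def prepend_header(marshal_body, version):
    """Put a header of the right size (remaining fields zeroed) in front of a
    bare marshalled code object that was extracted without one."""
    magic = MAGIC_BY_VERSION[version]
    return magic + b"\x00" * (header_len(version) - 4) + marshal_body


if __name__ == "__main__":
    # Constructed stand-ins for `strings` output of a Windows and a Linux sample
    print(guess_embedded_python(b"MZ\x90\x00...python38.dll\x00"))   # 3.8
    print(guess_embedded_python(b"\x7fELF...libpython2.7.so.1.0"))   # 2.7
    pyc37 = MAGIC_BY_VERSION["3.7"] + b"\x00" * 12 + b"c"            # constructed
    print(pyc_version(pyc37), "->", pyc_version(swap_magic(pyc37, "3.8")))
```

If guess_embedded_python() and pyc_version() disagree, trust the strings from the binary: PyInstaller bundles the interpreter it was run under, and a pyc with a rewritten magic decompiles only if the marshal format of the two versions is compatible, which is why the notes say to use the matching Python for unpacking.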
autoit binaries
To extract the original script from an executable you can use autoit-extractor.
If the program is heavily obfuscated you can install AutoIt and the AutoIt Script Editor from www.autoitscript.com.
You can then insert debug prints like
ConsoleWrite("var=" & $var & @CRLF)
and execute the script.
adobe flash
swftools
swfdump file.swf
swfdump -a file.swf
swfextract file.swf
swfextract -b 1 -o extracted.bin file.swf
To decompile swf files I use the free Java tool jpexs-decompiler.