|\ __________                          __   __                         __
         | |   __     |          _____ __    __\__/_|  |_ __ ___   _____   ___ |  |\_____     
         | |  /  \    |         /  _  \  \  /  /  |_    _|  /   \ /  _  \ /  _ \  |/  _  \    
         | |  \  /___ |        /  /_\  \  \/  /|  | |  |\|   /\  \  / \  \  / \   |  /_\  \   
         | |__/    _ \|        |  _____||    |\|  | |  | |  |\|  |  |\|  |  |\|   |  _____|\  
         | |___/\  \\_\        \  \____/  /\  \|  | |  | |  | |  |  \_/  /  \_/   |  \___ \|  
         | |    /   \_|         \_____/__/ /\__\__| |__| |__| |__|\_____/ \____/__|\_____/\   
         | |   / / \___|         \____\__\/  \__\__\|\__\|\__\|\__\\____\/ \___\\__\\____\/   
         | |__/_/_____|     
         |/                

Last changed: 09.10.2019

Analyzing malicious documents


metadata


Document metadata can contain useful information such as the author's name, the creating application and the creation and modification timestamps.

exiftool document.pdf

You can also use exiftool to clear metadata.

exiftool -all= document.pdf

WARNING: This is reversible. exiftool writes PDFs as an incremental update: it appends new objects and a new trailer that override the metadata, while the original objects stay in the file. Truncate the file after its first %%EOF (or run exiftool -PDF-update:all= document.pdf, which removes exactly the update exiftool added) and the old values are back. To really get rid of them, rewrite the whole PDF afterwards, e.g. with qpdf --linearize document.pdf cleaned.pdf, and check that the result contains a single %%EOF.
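The following Python script is added here to make that caveat concrete; it is not part of the original notes and not exiftool's code. It splits a PDF into its revisions at each %%EOF, reports which /Info dictionary every revision's trailer points at (and the /Author stored there), and shows that truncating after the first %%EOF brings the original values back. The PDF it works on is constructed inside the script in the shape exiftool leaves behind.

```python
import re

# Constructed sample (not taken from the page): revision 1 carries an /Info
# dictionary with an author; revision 2 is an incremental update of the kind
# exiftool appends, whose replacement /Info is empty. The startxref offsets are
# placeholders because this check reads trailer dictionaries, not xref tables.
SAMPLE = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
    b"2 0 obj\n<< /Author (Alice Example) /Creator (Writer) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\nstartxref\n0\n%%EOF\n"
    # --- everything below was appended by the metadata wipe ---
    b"3 0 obj\n<< >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R /Prev 0 >>\nstartxref\n0\n%%EOF\n"
)

EOF_RE = re.compile(rb"%%EOF\r?\n?")
TRAILER_RE = re.compile(rb"trailer\s*<<(.*?)>>", re.S)
INFO_RE = re.compile(rb"/Info\s+(\d+)\s+\d+\s+R")


def revisions(pdf):
    """Split a PDF into its revisions: each chunk ends with its own %%EOF."""
    chunks, start = [], 0
    for m in EOF_RE.finditer(pdf):
        chunks.append(pdf[start:m.end()])
        start = m.end()
    return chunks


def get_object(pdf, num):
    """Body of indirect object `num` (first definition found), or None."""
    m = re.search(rb"(?<!\d)%d\s+\d+\s+obj\b(.*?)\bendobj" % num, pdf, re.S)
    return m.group(1).strip() if m else None


def info_history(pdf):
    """Return [(revision, /Info object number, author)] for every revision.
    The trailer is taken from the revision's own bytes; objects are looked up
    in the whole file, the way a reader follows the /Prev chain backwards."""
    history = []
    for idx, rev in enumerate(revisions(pdf), 1):
        trailers = TRAILER_RE.findall(rev)
        info = INFO_RE.search(trailers[-1]) if trailers else None
        if info is None:
            history.append((idx, None, None))
            continue
        num = int(info.group(1))
        body = get_object(pdf, num) or b""
        author = re.search(rb"/Author\s*\((.*?)\)", body)
        history.append((idx, num, author.group(1) if author else None))
    return history


def strip_updates(pdf, keep=1):
    """Keep only the first `keep` revisions: truncating after the first %%EOF
    is all it takes to undo an incremental-update "wipe"."""
    return b"".join(revisions(pdf)[:keep])


if __name__ == "__main__":
    for rev, num, author in info_history(SAMPLE):
        print(f"revision {rev}: /Info {num} 0 R author={author}")
    print("after truncation:", info_history(strip_updates(SAMPLE)))
```

Run it against a real file with open("document.pdf", "rb").read() instead of SAMPLE; a PDF that was only "cleaned" with exiftool lists two or more revisions, and the first one still carries the original author.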

This does not work for OpenDocument formats: exiftool can read them but not write them. In LibreOffice you can instead deactivate "Apply user data" and reset the properties under File -> Properties.

visual basic for applications macros


Microsoft Office documents can embed VBA macros. Many attacks start with an e-mail carrying an Office document that contains a malicious macro, which runs as soon as the recipient enables content.

VBA running executable when opened

' Runs automatically when Word opens the document; it has to live in the
' ThisDocument module. (Excel uses Workbook_Open; a Sub named AutoOpen works too.)
Private Sub Document_Open()
    Shell "C:\windows\System32\calc.exe", vbNormalFocus
End Sub

dump macros

olevba evil.docm

dump p-code disassembly

An Office file stores a VBA macro twice: as compressed source text and as compiled p-code. When the document is opened with the same Office version that compiled the p-code, the p-code is executed and the source text is never looked at. Tools like Evil Clippy exploit this ("VBA stomping"): they keep the malicious p-code and replace the source with harmless-looking fake code, so the code that is actually executed differs from the code shown e.g. by olevba, which only decompresses the source.

EvilClippy.exe -g evil.docm
EvilClippy.exe -s fakemacro.txt evil.docm

pcodedmp extracts the disassembly of the p-code, so you can compare it against the source olevba shows; if the two do not match, the source was stomped.

pcodedmp evil.docm

find external templates

unzip evil.docm -d evil
grep -Hr attachedTemplate evil/

The w:attachedTemplate element in word/settings.xml only carries a relationship id; the template URL itself is the Target of that id in word/_rels/settings.xml.rels, usually marked TargetMode="External".
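As an added example (not part of the original notes and not code from any of the tools mentioned), the same check done properly in Python: open the .docx/.docm as a zip, read the relationship id from w:attachedTemplate in word/settings.xml and resolve it through word/_rels/settings.xml.rels to the actual template URL. A second function goes further than the grep above and lists every relationship in the package marked TargetMode="External", which also surfaces linked OLE objects and remote frames. The sample document is built in the script; the template URL in it is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces of WordprocessingML, the r: attribute namespace, and OPC .rels parts.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PR = "http://schemas.openxmlformats.org/package/2006/relationships"


def attached_template(docx_bytes):
    """URL or path of the attached template, or None if the document has none.
    word/settings.xml only names the template by relationship id; the target
    (the part you actually care about) is in word/_rels/settings.xml.rels."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if not {"word/settings.xml", "word/_rels/settings.xml.rels"} <= names:
            return None
        settings = ET.fromstring(z.read("word/settings.xml"))
        tmpl = settings.find(f"{{{W}}}attachedTemplate")
        if tmpl is None:
            return None
        rid = tmpl.get(f"{{{R}}}id")
        rels = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in rels.findall(f"{{{PR}}}Relationship"):
            if rel.get("Id") == rid:
                return rel.get("Target")
    return None


def external_relationships(docx_bytes):
    """Every relationship in the package with TargetMode="External", as
    (rels part, relationship type, target). Besides template injection this
    also surfaces linked OLE objects and remote frames; ordinary hyperlinks
    show up too, so read the type column before drawing conclusions."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            for rel in ET.fromstring(z.read(name)).findall(f"{{{PR}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, rtype, rel.get("Target")))
    return hits


def build_sample(template_url=None):
    """Constructed minimal .docx (not a real document): just the parts the
    checks read. With template_url set it mimics a remote-template document;
    the URL is a placeholder, not a real host."""
    attached = '<w:attachedTemplate r:id="rId1"/>' if template_url else ""
    settings = f'<w:settings xmlns:w="{W}" xmlns:r="{R}">{attached}</w:settings>'
    rels = (
        f'<Relationships xmlns="{PR}">'
        + (f'<Relationship Id="rId1" Type="{R}/attachedTemplate" '
           f'Target="{template_url}" TargetMode="External"/>' if template_url else "")
        + "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", f'<w:document xmlns:w="{W}"><w:body/></w:document>')
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample("http://template.example/evil.dotm")
    print("attached template:", attached_template(doc))
    print("external relationships:", external_relationships(doc))
```

For a real sample pass open("evil.docm", "rb").read() to both functions; a local path as template target is normal, an http(s) or UNC target is what you are looking for.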

javascript in pdf documents


pdfid evil.pdf
pdf-parser evil.pdf | grep -B 10 \/JS
pdf-parser -o <OBJ_ID> -f -w -d output.js evil.pdf

The extracted script is usually obfuscated. To analyze the more complicated parts dynamically you can run it in Rhino or Node.js. Neither engine has the Acrobat JavaScript API (app, this, util, event), so stub the objects the script touches, and hook eval and unescape to log the decoded stages instead of executing them.
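Added example, not from the original notes and not pdf-parser's code: a Python script that does by hand what the pdf-parser commands above do, so the mechanics are visible. It enumerates the indirect objects, follows every /JS value in the three forms the format allows (literal string, hex string, reference to a stream object) and inflates FlateDecode streams. It deliberately ignores the xref table, since malicious PDFs often ship a broken one. The sample PDF is constructed inside the script; the scripts it extracts are what you would then feed to Node.js with stubbed Acrobat objects.

```python
import re
import zlib

# Indirect objects, stream bodies, and the three ways a /JS value can be written:
# a literal string, a hex string, or a reference to another object (usually a stream).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
JS_RE = re.compile(rb"/JS\s*(?:(\()|(<)(?!<)|(\d+)\s+\d+\s+R)")

ESCAPES = {b"n": b"\n", b"r": b"\r", b"t": b"\t", b"b": b"\b", b"f": b"\f",
           b"(": b"(", b")": b")", b"\\": b"\\"}


def read_literal(data, i):
    """Decode the PDF literal string that starts at data[i] == b'('.
    Handles balanced nested parentheses, backslash escapes, octal codes and
    backslash-newline continuations. Returns (bytes, index after ')')."""
    depth, out, j = 0, bytearray(), i
    while j < len(data):
        c = data[j:j + 1]
        if c == b"\\":
            nxt = data[j + 1:j + 2]
            octal = re.match(rb"[0-7]{1,3}", data[j + 1:j + 4])
            if nxt in ESCAPES:
                out += ESCAPES[nxt]
                j += 2
            elif octal:
                out.append(int(octal.group(0), 8) & 0xFF)
                j += 1 + len(octal.group(0))
            elif nxt in (b"\r", b"\n"):          # line continuation: emits nothing
                j += 3 if data[j + 1:j + 3] == b"\r\n" else 2
            else:                                # unknown escape: backslash dropped
                out += nxt
                j += 2
            continue
        if c == b"(":
            depth += 1
            if depth > 1:
                out += c
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out), j + 1
            out += c
        else:
            out += c
        j += 1
    raise ValueError("unterminated literal string")


def read_hex(data, i):
    """Decode the PDF hex string that starts at data[i] == b'<'."""
    digits = re.sub(rb"\s+", b"", data[i + 1:data.index(b">", i)])
    if len(digits) % 2:
        digits += b"0"                           # spec: a missing last digit is 0
    return bytes.fromhex(digits.decode("ascii"))


def stream_data(body):
    """Stream payload of an object body (inflated if /FlateDecode), or None."""
    m = STREAM_RE.search(body)
    if m is None:
        return None
    raw = m.group(1)
    return zlib.decompress(raw) if b"/FlateDecode" in body[:m.start()] else raw


def extract_js(pdf):
    """Return [(object number, script bytes)] for every /JS entry found.
    Only the dictionary part of each object is scanned, so a stream payload
    that happens to contain '/JS' does not produce false hits."""
    objects = {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}
    found = []
    for num, body in objects.items():
        dictionary = body.split(b"stream", 1)[0]
        for m in JS_RE.finditer(dictionary):
            if m.group(1):
                script, _ = read_literal(dictionary, m.start(1))
            elif m.group(2):
                script = read_hex(dictionary, m.start(2))
            else:
                script = stream_data(objects.get(int(m.group(3)), b""))
                if script is None:               # reference to a non-stream: rare, skipped
                    continue
            found.append((num, script))
    return found


def build_sample():
    """Constructed sample PDF (not a real malicious file): one script in the
    catalog's /OpenAction (literal string), one in a page /AA open action
    (hex string) and one in the document-level /JavaScript name tree, stored
    in a FlateDecode stream. No xref table: the scanner above does not need one."""
    payload = zlib.compress(b'var s = unescape("%u9090%u9090"); eval(s);')
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
        b" /OpenAction << /S /JavaScript /JS (app.alert\\(\"doc open\"\\);) >>"
        b" /Names << /JavaScript << /Names [(init) 4 0 R] >> >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R"
        b" /AA << /O << /S /JavaScript /JS <6170702e616c657274283129> >> >> >>\nendobj\n",
        b"4 0 obj\n<< /S /JavaScript /JS 5 0 R >>\nendobj\n",
        b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(payload),
        payload,
        b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    for num, script in extract_js(build_sample()):
        print(f"object {num}: {script.decode('ascii', 'replace')}")
```

Scripts hidden in object streams (/Type /ObjStm, PDF 1.5+) are not covered: the whole object stream has to be inflated and split first, which is where pdf-parser's -f and -o options, or pdfid's counts of /ObjStm, /JS, /JavaScript, /OpenAction and /AA, earn their keep.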

self extracting archives


rar

If there are SFX script commands (Setup=, Silent=, Path= and the like) stored in a RAR archive's comment, unrar will show them when listing the archive.

unrar l archive

adobe flash


swftools

swfdump file.swf
swfdump -a file.swf
swfextract file.swf
swfextract -b 1 -o extracted.bin file.swf

To decompile swf files I use the free java tool jpexs-decompiler.