
Last changed: 08.07.2020

Analyzing malicious documents


metadata


Document metadata can contain interesting information such as the author's name.

exiftool -G -s document.pdf
exiftool -pdf:* -s document.pdf

You can also use exiftool to change or clear metadata.

exiftool -pdf:Author="me ;-)" document.pdf
exiftool -all= document.pdf

WARNING: This is reversible: exiftool only appends an update to the PDF that overrides the metadata. If you remove this appended data at the end of the file, the old values are restored.

This does not work with open document formats yet. In LibreOffice you can deactivate "Apply user data" and reset the properties in the menu under File -> Properties.

manually parse xml files

xmllint --format docProps/core.xml

visual basic for applications macros


Microsoft Office documents can embed VBA scripts. Many attacks start with an e-mail to the target that carries an Office document containing a malicious macro.

VBA running executable when opened

Private Sub Document_Open()
    Shell "C:\windows\System32\calc.exe", vbNormalFocus
End Sub

dump macros

olevba evil.docm

dump p-code disassembly

A tool like Evil Clippy can create Office documents whose compiled p-code differs from the embedded macro source code. The code that is actually executed then differs from the code shown e.g. by olevba.

EvilClippy.exe -g evil.docm
EvilClippy.exe -s fakemacro.txt evil.docm

With pcodedmp you can extract the disassembly of the p-code.

pcodedmp evil.docm

find external templates

unzip evil.docm -d evil
grep -Hr attachedTemplate evil

visual basic script


test.vbs

echo wscript.echo "Hello from VBS" > test.vbs

running vbs

Depending on the command you can run VBS with a GUI or in a console.

wscript test.vbs
cscript test.vbs

debug vbs with visual studio

Set the following registry key:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug" /v Auto /d 1 /t REG_DWORD

Enable the Just-In-Time debugger in Visual Studio

Tools -> Options -> Debugging -> Just-In-Time -> Script

Run the script with debugging enabled

cscript //X test.vbs

pdf documents


javascript

pdfid evil.pdf
pdf-parser evil.pdf | grep -B 10 \/JS
pdf-parser -o <OBJ_ID> -f -w -d output.js evil.pdf

To analyze more complicated parts of the code dynamically, you can execute the script with Rhino or Node.js.

decrypt

qpdf --password=pass123 --decrypt input.pdf output.pdf

self extracting archives


rar

If there are SFX script commands inside a rar archive, unrar will show them.

unrar l archive

packed python binaries


To extract Python executables packed with PyInstaller you can use pyinstxtractor and uncompyle6. If Python 2 was used to build the executable, you have to use Python 2 for unpacking as well.

python2 pyinstxtractor.py evil_python.exe
python2 uncompyle6.py evil_python.exe_extracted/evil.pyc > src.py

Sometimes you will have to extract the Python data from Linux ELF binaries with objcopy first.

objcopy --dump-section pydata=pydata.dump evil_python.elf
python2 pyinstxtractor.py pydata.dump

If the Python version used for packing differs from your local version, you will have to modify the pyc files manually.

strings evil_python.exe | grep -e python.*dll
strings evil_python.elf | grep -e libpython

The corresponding magic number can be found in magic.py.
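The header fix the two paragraphs above refer to, as an added example that is not part of these notes: it builds the .pyc header layout of a given interpreter version in front of raw marshal data (the header-less form pyinstxtractor extracts for the entry-point script) and checks the result by loading it on the running interpreter. The magic values for Python 2.7 and 3.8 in the comments are CPython's own; the function names are my choice.

```python
import importlib.util
import marshal
import struct
import sys

# Header CPython expects in front of the marshalled code object in a .pyc:
#   Python 2.x / 3.0-3.2: magic(4) + mtime(4)                      = 8 bytes
#   Python 3.3-3.6      : magic(4) + mtime(4) + source size(4)     = 12 bytes
#   Python 3.7+         : magic(4) + flags(4) + mtime(4) + size(4) = 16 bytes
# The magic is a 2-byte version number followed by b"\r\n", e.g. b"\x03\xf3\r\n"
# for Python 2.7 and b"U\r\r\n" for Python 3.8 (values from CPython's table).
def pyc_header_len(version):
    """Header size for a (major, minor) interpreter version."""
    if version < (3, 3):
        return 8
    if version < (3, 7):
        return 12
    return 16

def build_pyc_header(magic, version):
    """Build a header with zeroed timestamp/size fields for the given magic."""
    if len(magic) != 4 or magic[2:4] != b"\r\n":
        raise ValueError("not a CPython magic number")
    words = (pyc_header_len(version) - 4) // 4
    return magic + struct.pack("<%dI" % words, *([0] * words))

def repair_pyc(data, magic, version):
    """Put a header in front of header-less marshal data (what pyinstxtractor
    writes for the entry-point script) unless the right one is already there."""
    if data[:4] == magic:
        return data
    return build_pyc_header(magic, version) + data

def load_code(pyc, version):
    """Strip the header and unmarshal; only works on the matching interpreter."""
    return marshal.loads(pyc[pyc_header_len(version):])

def demo():
    """Constructed sample: compile a tiny script, drop the header, repair, run."""
    version = sys.version_info[:2]
    magic = importlib.util.MAGIC_NUMBER          # magic of the local interpreter
    raw = marshal.dumps(compile("result = 6 * 7", "sample.py", "exec"))
    fixed = repair_pyc(raw, magic, version)
    namespace = {}
    exec(load_code(fixed, version), namespace)
    return namespace["result"]

if __name__ == "__main__":
    print(demo())
```

For a real sample, pass the magic of the packing interpreter (found via the strings commands above and magic.py) instead of the local one, then hand the repaired file to uncompyle6 under that Python version.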

autoit binaries


To extract the original script from an executable you can use autoit-extractor. If the program is heavily obfuscated, you can install AutoIt and the AutoIt Script Editor from www.autoitscript.com. You can then insert debug prints like

ConsoleWrite("var=" & $var & @CRLF)

and execute the script.

adobe flash


swftools

swfdump file.swf
swfdump -a file.swf
swfextract file.swf
swfextract -b 1 -o extracted.bin file.swf

To decompile SWF files I use the free Java tool jpexs-decompiler.