The title says it all: this is a document I shared with my BruCON workshop attendees. I know, this is a PDF document, you’ve to appreciate the. I’m Didier Stevens and work as a senior analyst for NVISO. This includes malware analysis and incident response. I’m a Microsoft MVP and SANS Internet . Didier Stevens Labs. Training. In , I plan to provide 2 new trainings: analysis of malicious documents (PDF and Office documents) and “Attacking With .
The anti-virus that cleaned this file changed just 13 bytes in total to orphan the macro streams and change the storage names. And BTW, I just love the irony.
Analyzing A Malicious Document Cleaned By Anti-Virus | Didier Stevens
A PE file was found, and it starts at position 0x04C7.
This is the serialized object, and it contains the. Then I launch Privoxy:
Great guide for those getting started with PDF analysis. Can I compare it to a tree structure? This next mitigation is put into place by Microsoft Word: recent versions of Windows will open ISO files like a folder and give you access to the contained files.
Malicious Documents: The Matryoshka Edition | Didier Stevens
If you have a VirusTotal Intelligence subscription, you can download the sample from VirusTotal. Comment by Nick — Thursday 2 November 5: And how is it structured?
I will often use the MD5 hash, but since I include a link to VirusTotal, you can consult the report and find other hashes like sha in that report.
I extract the content of this ZIP file to folder c: On Diidier, it’s easy: Comment by Didier Stevens — Friday 3 November 8: You might have expected that this document would be opened in Protected View first. Hence I can cut out the PE file precisely like this:
Radare2 can do diffing. Here is an example where I use it to copy all the VBA code of a malicious Word document to the clipboard, so that I can paste it into a text editor without having to write it to disk.