The title says it all. This is a document I shared with my BruCON workshop attendees. I know, this is a PDF document, you have to appreciate the. I’m Didier Stevens and work as a senior analyst for NVISO. This includes malware analysis and incident response. I’m a Microsoft MVP and SANS Internet . Didier Stevens Labs. Training. In , I plan to provide 2 new trainings: analysis of malicious documents (PDF and Office documents) and “Attacking With .


The anti-virus that cleaned this file just changed 13 bytes in total to orphan the macro streams and change the storage names. And BTW, I just love the irony.

Analyzing A Malicious Document Cleaned By Anti-Virus | Didier Stevens

A PE file was found, and it starts at position 0x04C7.

This is the serialized object, and it contains the. Then I launch Privoxy:


Comment by Didier Stevens — Wednesday 1 November: Object 5 contains JavaScript (option -o 5 to select object 5, and option -f to decompress the stream with the JavaScript):. Additionally you can find an ebook about analyzing malicious PDFs on his […]. If there is more than one instance of string MZ, different cut-expressions must be tried to find the real start of the PE file.

Great guide for those getting started with PDF analysis. Can I compare it to a tree structure? This next mitigation is put into place by Microsoft Word: Recent versions of Windows will open ISO files like a folder, and give you access to the contained files.

Malicious Documents: The Matryoshka Edition | Didier Stevens

If you have a VirusTotal Intelligence subscription, you can download the sample from VirusTotal. Comment by Nick — Thursday 2 November 5: And how is it structured?


I will often use the MD5 hash, but since I include a link to VirusTotal, you can consult the report and find other hashes (like SHA) in that report.

I extract the content of this ZIP file to folder c:. It’s easy: Comment by Didier Stevens — Friday 3 November 8: You might have expected that this document would be opened in Protected View first. Hence I can cut out the PE file precisely like this:

Radare2 can do diffing. Here is an example where I use it to copy all the VBA code of a malicious Word document to the clipboard, so that I can paste it into a text editor without having to write it to disk.