The title says it all. This is a document I shared with my Brucon workshop attendees. I know, this is a PDF document, you’ve to appreciate the. I’m Didier Stevens and work as a senior analyst for NVISO. This includes malware analysis and incident response. I’m a. Microsoft MVP and SANS Internet . Didier Stevens Labs. Training. In , I plan to provide 2 new trainings: analysis of malicious documents (PDF and Office documents) and “Attacking With .

Author: Tojakora Shagul
Published (Last): 19 October 2018

Didier Stevens

I was looking long time for such a tool! First the user is presented a dialog box: Comment by Nick — Thursday 2 November 5: Our group is currently working with malicious files, and we are to follow up on the problem of the possibility for viruses in files users consider secure such as pdf, mp3 etc Maliious release have been giving us a lot of information to work with the pdf vulnerabilities, and we would like to thank you for that. Comment by Elias Ringhauge — Sunday 17 October I run Tor Windows Expert Bundle without any configuration:


One of the extracted strings contains 3 URLs separated by character V. Building a tree in the heap? Well worth a read. Is it not possible already? Here is how I use it interactively to look into the ISO file.

Malicious Documents: The Matryoshka Edition | Didier Stevens

Then I copy the 2 samples for the config files: Here is the attached. Remark that these documents do not contain exploits: Comment by Didier Stevens — Sunday 26 September 9: Comment by Lucas — Thursday 27 January Comment by Didier Stevens — Wednesday 26 January Lenny Zeltser has a list of repositories.

This allows me to pipe the content into other programs, like pecheck.

Double-quote is 0x22, thus I use option -I Why not host an unzipped pdf with a docs. Great guide for those getting started with PDF analysis.

Didier Stevens – 44CON

More info on orphaned streams can be found in this blogpost. The root folder contains one file: Only when clicking OK (the default option) will the.

The anti-virus that cleaned this file, just changed 13 bytes in total to orphan the macro streams and change the storage names: The first 3 strings are not part of the BASE64 encoded object, hence I get rid of them (there are no unwanted strings at the end):



ISO file with autorun. This will give me a Socks listener, that curl can use:

Object 5 contains JavaScript (option -o 5 to select object 5, and option -f to decompress the stream with JavaScript):

I will often use the MD5 hash, but since I include a link to VirusTotal, you can consult the report and find other hashes like sha in that report.

You might have expected that this document would be opened in Protected View first. When this file is opened (double-clicked) it is mounted as a drive E: