Zeroska
Malicious Document (VBA, Office, PDF, ...)

Note about how to analyze the Document also tips and tricks


Last updated 2 years ago


PDF

Malicious PDFs sent in mass mailing campaigns often contain embedded executable payloads, which are extracted and executed when the PDF is opened in a vulnerable reader.

This is quite a broad topic, but here are some notes that help during the analysis:

  • First, JavaScript can be embedded in the PDF file. Search for the names /JavaScript and /JS; if they are present, the PDF may well have been crafted by hand.

  • Second, an object that is very often related to malicious documents is /OpenAction: it defines the action that is triggered when you open the PDF.

  • Third, you can tell by objects that apply a lot of encoding, such as /FlateDecode, /ASCII85Decode, /LZWDecode and /RunLengthDecode.

JavaScript exploits are the case you will deal with most often. Using heap spraying (a payload delivery technique: because the heap is deterministic, the attacker can place shellcode somewhere in the heap at a predictable address, which makes it possible to jump to it reliably), the attacker can inject the code. There are also cases related to embedded TIFF images.
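Here is a small triage script that turns the three notes above into a check, in the spirit of pdfid/pdf-parser but written as an added example (it is not code from these notes or from Didier Stevens' tools). It counts the names listed above, resolves #xx hex escapes inside names (so a /J#61vaScript written to dodge a plain grep still counts, a detail the notes do not mention), inflates /FlateDecode streams so names hidden inside compressed objects are counted too, and flags /Filter arrays that stack several filters. The sample PDF it builds is constructed for the demonstration, the extra names /AA, /Launch and /EmbeddedFile are standard PDF action names added here, and the score weights in WATCHLIST are my own choice.

```python
"""Quick PDF triage: count suspicious names and filters, including inside
Flate-compressed streams. Added example, not pdfid/pdf-parser code.
Run as: python pdf_triage.py [file.pdf]  (no argument: built-in sample)"""
import re
import sys
import zlib

# Names the notes single out, plus related action names; weights are my choice.
WATCHLIST = {b"/JavaScript": 3, b"/JS": 3, b"/OpenAction": 2, b"/AA": 2,
             b"/Launch": 3, b"/EmbeddedFile": 1}
# Stream filters: a stack of several of these is the "lots of encoding" signal.
FILTERS = (b"/FlateDecode", b"/ASCII85Decode", b"/LZWDecode",
           b"/RunLengthDecode", b"/ASCIIHexDecode")

NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")      # one PDF name token
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")   # #xx escape inside a name
# Stream body; a trailing CR before "\nendstream" is kept, zlib ignores it.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.DOTALL)
FILTER_ARRAY_RE = re.compile(rb"/Filter\s*\[([^\]]*)\]")


def normalize_name(raw):
    """Resolve #xx escapes in a PDF name, so /J#61vaScript becomes /JavaScript."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def count_names(text, counts):
    """Tally watch-listed names and filters in a chunk of PDF syntax."""
    for raw in NAME_RE.findall(text):
        name = normalize_name(raw)
        if name in WATCHLIST or name in FILTERS:
            counts[name] = counts.get(name, 0) + 1
    return counts


def inflate_streams(data):
    """Return (decoded bodies of streams zlib could inflate, number that failed)."""
    decoded, failed = [], 0
    for m in STREAM_RE.finditer(data):
        try:
            decoded.append(zlib.decompress(m.group(1)))
        except zlib.error:
            failed += 1  # not Flate, corrupted, or another filter layered on top
    return decoded, failed


def analyze_pdf(data):
    """Count suspicious names (raw file + inflated streams) and score the file."""
    counts = {}
    # Blank out stream bodies first so compressed bytes cannot produce accidental
    # name matches; their contents are scanned separately after inflation.
    count_names(STREAM_RE.sub(b"stream\nendstream", data), counts)
    decoded, failed = inflate_streams(data)
    for body in decoded:
        count_names(body, counts)
    # A /Filter array naming more than one filter means layered encoding.
    chains = sum(1 for m in FILTER_ARRAY_RE.finditer(data)
                 if len(NAME_RE.findall(m.group(1))) > 1)
    score = sum(WATCHLIST.get(n, 0) * c for n, c in counts.items()) + 2 * chains
    return {
        "names": {k.decode(): v for k, v in counts.items()},
        "filter_chains": chains,
        "streams_inflated": len(decoded),
        "streams_undecoded": failed,
        "score": score,
        "suspicious": score >= 4,
    }


def build_sample_pdf():
    """Constructed sample (not real malware): the JavaScript action sits inside a
    Flate-compressed object and /OpenAction is written with a hex escape."""
    action = b"<< /Type /Action /S /JavaScript /JS (app.alert('sample')) >>"
    packed = zlib.compress(action)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /Open#41ction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /Type /ObjStm /Filter /FlateDecode /Length %d >>\n" % len(packed),
        b"stream\n", packed, b"\nendstream\nendobj\n",
        b"4 0 obj << /Filter [/ASCII85Decode /FlateDecode] /Length 0 >>\n",
        b"stream\n\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    for key, value in analyze_pdf(blob).items():
        print(f"{key}: {value}")
```

On the built-in sample a plain keyword search of the raw file finds neither /JavaScript nor /OpenAction, while the script reports both, one stacked filter array and one stream it could not inflate (the empty ASCII85-wrapped one). Streams reported as undecoded are exactly the ones to hand to pdf-parser for manual decoding.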

You can use pdf-parser (by Didier Stevens) to read and analyze the PDF.

[Figure: Some of the encoding and compression in PDF]

ISO (Not a Document)