Malicious Document (VBA, Office, PDF, ...)

Notes on how to analyse these documents, plus tips and tricks.

PDF

Malicious PDFs sent in mass-mailing campaigns often carry an embedded executable payload, which is extracted and run when the PDF is opened in a vulnerable reader.

It is a broad topic, but a few observations help during analysis:

  • First, JavaScript can be embedded in a PDF. Search the file for the names /JavaScript and /JS; legitimate documents rarely contain them, so their presence suggests a hand-crafted PDF. Names can also be written with #xx hex escapes (for example /J#61vaScript is the same name as /JavaScript), so a plain grep can miss them; normalise the escapes before searching.

  • Second, some objects are strongly associated with malicious documents, above all /OpenAction, which names the action that is triggered as soon as the PDF is opened (the related /AA, additional actions, fires on events such as a page being opened).

  • Third, look at objects that use a lot of encoding: /FlateDecode, /ASCII85Decode, /LZWDecode and /RunLengthDecode are some of the encoding and compression filters PDF offers, and the script or payload is usually hidden inside such a stream, so decode the stream before searching it.

You can use pdfid and pdf-parser by Didier Stevens to read and analyse the PDF: pdfid counts the keywords above (with #xx escapes normalised), and pdf-parser dumps individual objects and decodes their streams.

The JavaScript exploit is the case you will deal with most often, and it usually relies on heap spraying. Heap spraying is a payload delivery technique: it takes advantage of the fact that heap layout is predictable enough that allocating many large copies of the shellcode (normally behind a NOP sled) places it at a predictable address, so the attacker can reliably jump to it once a memory-corruption bug is triggered. The other case you will meet is the one related to a malformed TIFF image, where the image triggers the corruption and the sprayed JavaScript supplies the shellcode.
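The checks above (keyword search with #xx-escape normalisation, following /OpenAction to its action object, inflating a /FlateDecode stream, and spotting heap-spray idioms in the decoded JavaScript) put together as a small triage script. This is an added example, not code from this page or from Didier Stevens' tools: the sample PDF it builds is constructed here and is not real malware, /AA is an assumed extra keyword, the spray heuristics are assumptions rather than a definitive signature, and only the indirect-reference form of /OpenAction and /JS is handled (pdf-parser covers the rest).

```python
import re
import zlib

# Names to count. /JavaScript, /JS, /OpenAction and the filters come from the notes
# above; /AA (additional actions, e.g. on page open) is an assumed extra.
SUSPICIOUS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA"]
FILTERS = [b"/FlateDecode", b"/ASCII85Decode", b"/LZWDecode", b"/RunLengthDecode"]

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.DOTALL)
# Greedy body so a stream whose last byte is \r is not truncated by the \r?\n.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*)\r?\nendstream", re.DOTALL)

# Assumed heuristics for a heap spray in decoded Acrobat JavaScript.
SPRAY_PATTERNS = {
    "unescape_%u": rb"unescape\s*\(\s*['\"]%u",          # shellcode / NOP sled as %uXXXX text
    "string_growth_loop": rb"while\s*\(\s*\w+\.length\s*<",  # s += s until it fills the heap
    "fromCharCode": rb"String\.fromCharCode",
    "acrobat_api": rb"\bapp\.",
}


def normalize_names(data):
    """Undo #xx escapes in PDF names: /J#61vaScript is the same name as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data, keywords):
    """Count each name only as a complete token, so /JS does not also match /JSX."""
    norm = normalize_names(data)
    return {kw.decode(): len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", norm))
            for kw in keywords}


def get_object(data, objnum):
    """Raw body of object `objnum` (text between 'obj' and 'endobj'), or None."""
    for m in OBJ_RE.finditer(data):
        if int(m.group(1)) == objnum:
            return m.group(2)
    return None


def decode_stream(body):
    """Inflate a /FlateDecode stream in an object body; other filters are returned raw.
    Corrupt streams are common in samples, so a zlib error is not fatal."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    dictionary, raw = normalize_names(m.group(1)), m.group(2)
    if b"/FlateDecode" in dictionary:
        try:
            return zlib.decompress(raw)
        except zlib.error:
            return raw
    return raw


def open_action_chain(data):
    """Follow /OpenAction -> action object -> /JS -> JavaScript source.
    Returns (action object number, JavaScript bytes or None); None if no /OpenAction."""
    m = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", normalize_names(data))
    if not m:
        return None
    action_num = int(m.group(1))
    action = get_object(data, action_num)
    if action is None or b"/JavaScript" not in normalize_names(action):
        return action_num, None
    action = normalize_names(action)
    ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", action)
    if ref:  # code lives in a separate, usually compressed, stream object
        body = get_object(data, int(ref.group(1)))
        return action_num, decode_stream(body) if body else None
    # Literal-string form; greedy so balanced parentheses inside the script survive.
    inline = re.search(rb"/JS\s*\((.*)\)", action, re.DOTALL)
    return action_num, inline.group(1) if inline else None


def spray_indicators(js):
    """Names of the SPRAY_PATTERNS heuristics that match the decoded JavaScript."""
    return {name for name, pat in SPRAY_PATTERNS.items() if re.search(pat, js)}


def build_sample_pdf():
    """Constructed sample, not real malware: a hand-made PDF whose /OpenAction runs a
    JavaScript action kept in a FlateDecode stream, with /JavaScript hex-escaped."""
    js = (b"var s = unescape('%u9090%u9090');\n"
          b"while (s.length < 0x100000) s += s;\n"
          b"app.alert('opened');")
    stream = zlib.compress(js)
    obj5 = (b"5 0 obj\n<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
            + stream + b"\nendstream\nendobj\n")
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n",
        b"4 0 obj\n<< /S /J#61vaScript /JS 5 0 R >>\nendobj\n",
        obj5,
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("keywords:", count_keywords(pdf, SUSPICIOUS))
    print("filters: ", count_keywords(pdf, FILTERS))
    num, js = open_action_chain(pdf)
    print("OpenAction -> obj %d\n%s\nspray indicators: %s" % (num, js.decode(), spray_indicators(js)))
```

Run it on a real sample with `open(path, "rb").read()` in place of the constructed PDF. Because the script only normalises names and inflates Flate streams, a clean keyword count does not prove a file is benign: scripts can sit behind other filters, in object streams, or in an /AA action rather than /OpenAction, which is why the manual pass with pdf-parser still matters.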

ISO (Not a Document)
