Analyzing Malicious Documents Cheat Sheet

Analzing Malicious
Documents Cheat Sheet

MOR ON

Information Securit
(https://zeltser.com/information-
securit)

Malicious Software
(https://zeltser.com/malicious-
This cheat sheet outlines tips and tools for analzing malicious docu- software)
ments, such as Microsoft O ce, RTF and Adoe Acroat (PDF) les. To
print it, use the one-page PDF (/media/docs/analzing-malicious-docu-
ment- les.pdf) version; ou can also edit the Word (/media/docs/analz-
ing-malicious-document- les.docx) version to customize it for ou own The SANS malware analsis course

needs. (https://sans.org/for610) I’ve co-au-


thored explains the techniques

General Approach to Document Analsis summarized in this cheat sheet and


covers man other reverse-engi-
1. xamine the document for anomalies, such as risk tags, scripts, or neering topics.
other anomalous aspects.
If ou like this reference, take a look
2. Locate emedded code, such as shellcode, VA macros, JavaScript at m other IT and securit cheat
or other suspicious ojects. sheets (/cheat-sheets/).
3. xtract suspicious code or oject from the le.
4. If relevant, deofuscate and examine JavaScript or macro code. SHAR 

5. If relevant, disassemle and/or deug shellcode.


6. Understand the next steps in the infection chain.

Microsoft Office Format Notes

Binary document files supported by Microsoft Office use the OLE2 (a.k.a. Structured Storage) format.
SRP streams in OLE2 documents sometimes store a cached version of earlier macro code (https://digital-forensics.sans.org/blog/2014/06/05/srp-streams-in-office-documents-reveal-earlier-macros).
OOXML documents (.docx, .xlsm, etc.) supported by MS Office use zip compression to store contents.
Macros embedded in OOXML files are stored inside the OLE2 binary file, which is within the zip archive.
RTF documents don't support macros, but can contain other files embedded as OLE1 objects.

Useful MS Office File Analysis Commands

unzip file.pptx
    Extract contents of OOXML file file.pptx.

olevba.py (https://github.com/decalage2/oletools/wiki/olevba) file.xlsm
olevba.py file.doc
    Locate and extract macros from file.xlsm or file.doc.

oledump.py (https://blog.didierstevens.com/programs/oledump-py/) file.xls
    List all OLE2 streams present in file.xls.

oledump.py -s 3 -v file.xls
    Extract macros stored inside stream 3 in file.xls.

oledump.py file.xls -p plugin_http_heuristics
    Find obfuscated URLs in file.xls macros.

msoffice-crypt (https://github.com/herumi/msoffice) -d -p pass file.docm file2.docm
    Decrypt OOXML file file.docm using password pass to create file2.docm.

pcodedmp.py (https://github.com/bontchev/pcodedmp) -d file.doc
    Disassemble p-code macro code from file.doc.

rtfobj.py (https://www.decalage.info/python/rtfobj) file.rtf
    Extract objects embedded into RTF-formatted file.rtf.

rtfdump.py (https://blog.didierstevens.com/2016/08/02/rtfdump-update-and-videos/) file.rtf
    List groups and structure of RTF-formatted file.rtf.

rtfdump.py file.rtf -f O
    List groups in file.rtf that enclose an object.

rtfdump.py file.rtf -s 5 -H -d > out.bin
    Extract object from group 5 and save it into out.bin.

pyxswf.py (https://www.decalage.info/python/pyxswf) -xo file.doc
    Extract Flash (SWF) objects from OLE2 file file.doc.
Risk PDF Format Tags
/OpenAction and /AA specif the script or action to run automaticall.
/JavaScript and /JS specif JavaScript to run.
/GoTo changes the view to a speci ed destination within the PDF or
in another PDF le.
/Launch can launch a program or open a document.
/URI accesses a resource  its URL.
/SumitForm and /GoToR can send data to URL.
/RichMedia can e used to emed Flash in a PDF.
/OjStm can hide ojects inside an Oject Stream.
e mindful of ofuscation with hex codes, such as /JavaScript vs.
/J#61vaScript. (See examples
(https://log.didierstevens.com/2008/04/29/pdf-let-me-count-the-
was/).)

Useful PDF File Analysis Commands

pdfid.py (https://blog.didierstevens.com/programs/pdf-tools/) file.pdf
    Scan file.pdf for risky keywords and dictionary entries.

peepdf.py (http://eternal-todo.com/tools/peepdf-pdf-analysis-tool) -fi file.pdf
    Examine file.pdf for risky tags and malformed objects.

pdf-parser.py (https://blog.didierstevens.com/programs/pdf-tools/) --object id file.pdf
    Display contents of object id in file.pdf. Add "--filter --raw" to decode the object's stream.

qpdf (http://qpdf.sourceforge.net/) --password=pass --decrypt infile.pdf outfile.pdf
    Decrypt infile.pdf using password pass to create outfile.pdf.

swf_mastah.py (https://zeltser.com/extracting-swf-from-pdf-using-swf-mastah/) -f file.pdf -o out
    Extract Flash (SWF) objects from file.pdf into the out directory.
Shellcode and Other Analysis Commands

xorsearch (https://blog.didierstevens.com/2014/09/29/update-xorsearch-with-shellcode-detector/) -W -d 3 file.bin
    Locate shellcode patterns inside the binary file file.bin.

scdbg (http://sandsprite.com/blogs/index.php?uid=7&pid=152) file.bin /foff 0x2
    Emulate execution of shellcode in file.bin starting at offset 0x2.

shellcode2exe (https://zeltser.com/convert-shellcode-to-assembly/) file.bin
    Generate PE executable file.exe that runs shellcode from file.bin.

jmp2it (https://digital-forensics.sans.org/blog/2014/12/30/taking-control-of-the-instruction-pointer/) file.bin 0x2
    Execute shellcode in file file.bin starting at offset 0x2.

base64dump.py (https://blog.didierstevens.com/2017/07/02/update-base64dump-py-version-0-0-7/) file.txt
    List base64-encoded strings present in file file.txt.

base64dump.py file.txt -e bu -s 2 -d > file.bin
    Convert backslash Unicode-encoded base64 string #2 from file.txt as file.bin file.

Additional Document Analysis Tools

SpiderMonkey (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey), V8 (https://isc.sans.edu/diary/V8+as+an+Alternative+to+SpiderMonkey+for+JavaScript+Deobfuscation/12157) and box-js (https://github.com/CapacitorSet/box-js) help deobfuscate JavaScript that you extract from document files.
PDF Stream Dumper (https://zeltser.com/pdf-stream-dumper-malicious-file-analysis/) combines several PDF analysis utilities under a single graphical user interface.
ViperMonkey (https://github.com/decalage2/ViperMonkey) emulates VBA macro execution.
VirusTotal (https://www.virustotal.com/) and some automated analysis sandboxes (/automated-malware-analysis/) can analyze aspects of malicious document files.
Hachoir-urwid (https://bitbucket.org/haypo/hachoir/wiki/hachoir-urwid) can display OLE2 stream contents.
010 Editor (https://www.sweetscape.com/010editor/) (commercial) and FileInsight (https://www.mcafee.com/us/downloads/free-tools/fileinsight.aspx) hex editors can parse and edit OLE structures.
ExeFilter (http://www.decalage.info/exefilter) can filter scripts from Office and PDF files.
REMnux (https://remnux.org/) distro includes many of the free document analysis tools mentioned above.

Post-Scriptum

Special thanks for feedback to Pedro Bueno (http://handlers.dshield.org/pbueno/) and Didier Stevens (http://blog.didierstevens.com/). If you have suggestions for improving this cheat sheet, please let me know (/contact/). Creative Commons v3 "Attribution" License (http://creativecommons.org/licenses/by/3.0/) for this cheat sheet version 3.0.

Updated September 6, 2017



Aout the Author

Lenn Zeltser is a seasoned usiness and technolog leader with extensive


information securit experience. He uilds innovative endpoint defense
solutions as VP of Products at Minerva Las (https://www.minerva-las.com/).
He also trains incident response and digital forensics professionals at SANS
Institute (https://sans.org/). Lenn frequentl speaks at industr events, writes
articles and has co-authored ooks. He has earned the prestigious GIAC
Securit xpert designation, has an MA from MIT Sloan and a Computer
Science degree from the Universit of Pennslvania.

Learn more (https://zeltser.com/aout)

Copright © 1995-2017 Lenn Zeltser. All rights reserved.
