Ma Mod5

Uploaded by Sivaram Jupudi

DYNAMIC ANALYSIS
Dynamic Analysis
๏ Dynamic malware analysis is the process of executing malware in a controlled
environment to observe and understand its behavior, functionality, and potential impact.
๏ Dynamic analysis allows analysts to see the malware "in action" and uncover its
true intentions and capabilities.
๏ Goals of Dynamic Analysis:
✓ Understand the malware's behavior, including what actions it performs on the infected
system
✓ Identify indicators of compromise (IOCs) such as suspicious network connections,
registry changes, or file modifications
✓ Determine the malware's purpose, targets, and potential impact
✓ Develop strategies to detect, contain, and remediate the malware infection
Key Types of Analysis
๏ Static Analysis
✓ Static analysis involves examining the document without actually executing it.
✴ Checking file metadata and properties
✴ Analyzing embedded objects, macros, and scripts
✴ Searching for suspicious strings or indicators
✴ Examining file structure and format
๏ Dynamic Analysis
✓ Dynamic analysis involves running the document in a controlled environment to
observe its behavior:
✴ Executing macros or scripts in a sandbox
✴ Monitoring system changes and network activity
✴ Analyzing memory for hidden malware components
PDF Document Structure
๏ PDF files are designed to be portable and versatile, capable of containing text, images,
multimedia, and interactive elements.
๏ The basic structure of a PDF document consists of three main components:
✓ Header: This is the first line in a PDF file, indicating the version of the PDF
specification used. It can be viewed using a hex editor or command-line tools like
xxd.
✓ Body: The body contains the actual content of the document, organized into
objects like text streams, images, and multimedia elements. These objects are
typically stored as dictionaries.
✓ Cross-Reference Table (xref): This table provides offsets to each object in the
file, allowing for quick access without scanning the entire document. It is located
near the end of the file.
✓ Trailer: The trailer contains metadata about the document, such as its size and
location on disk, and points to the cross-reference table. It also includes an end-of-
file marker (%%EOF).
๏ PDFs support incremental updates, meaning changes can be appended without
rewriting the entire file, which can complicate analysis by introducing multiple versions of
objects.
๏ Common Exploits in PDFs:
✓ JavaScript Embedding: Attackers often embed JavaScript within PDFs to execute
malicious actions when the document is opened.
✓ Launch Actions: These can be used to open applications or execute commands,
potentially running malware on the victim's system.
✓ Obfuscation Techniques: Malicious content may be hidden using obfuscation
methods like hex encoding.
๏ Analyzing Malicious Documents:
✓ pdfid.py and pdf-parser.py: Tools for identifying and analyzing suspicious
elements within PDF files, such as embedded JavaScript or unusual actions.
✓ peepdf: A tool that parses PDF files to highlight suspicious objects like JavaScript
or embedded files.
Risky PDF Elements
๏ /OpenAction and /AA - Specify scripts/actions to run automatically
๏ /JavaScript and /JS - Can contain malicious JavaScript code
๏ /URI - May link to malicious URLs
๏ /ObjStm - Can hide objects in streams
๏ /RichMedia - Used to embed Flash content

Analysis Techniques in PDF
๏ Use tools like pdfid and pdf-parser to identify suspicious elements
๏ Extract and analyze any embedded JavaScript
๏ Look for obfuscated content using hex encoding
๏ Check for encrypted objects that may hide malicious payloads
๏ Analyze any embedded files or streams
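The structure and risky names described above, as an added example (not from the original notes and not the code of pdfid or pdf-parser): a minimal pdfid-style triage in Python that reads the header version, counts %%EOF markers to spot incremental updates, decodes #xx hex escapes in names and then counts the risky names. The sample PDF bytes are constructed for the example.

```python
import re

# Constructed sample, not a real malicious PDF: one incremental update (two %%EOF
# markers) and a hex-escaped name, /Java#53cript, which pdfid-style tools normalise.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
    b"4 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj\n"
    b"xref\n0 5\ntrailer << /Size 5 /Root 1 0 R >>\nstartxref\n300\n%%EOF\n"
    b"5 0 obj << /Type /ObjStm /N 1 /First 10 >> stream\nendstream endobj\n"
    b"xref\n0 6\ntrailer << /Size 6 /Root 1 0 R /Prev 300 >>\nstartxref\n500\n%%EOF\n"
)

# The risky names listed above, plus /Launch from the "Launch Actions" exploit class.
RISKY_NAMES = ["/OpenAction", "/AA", "/JavaScript", "/JS", "/URI",
               "/ObjStm", "/RichMedia", "/Launch"]
HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in names (/Java#53cript -> /JavaScript) so hex
    obfuscation cannot hide a keyword. Applied to the whole file for triage, so
    a '#' inside a string literal is decoded too; that is acceptable noise."""
    return HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def count_name(data: bytes, name: bytes) -> int:
    # A name ends at whitespace or a PDF delimiter, so /JS does not match /JSx.
    pattern = re.escape(name) + rb"(?=[\s()<>\[\]{}/%]|$)"
    return len(re.findall(pattern, data))


def triage(data: bytes) -> dict:
    """pdfid-style summary: header version, number of %%EOF markers (more than
    one means incremental updates), hex-escaped names, and risky-name counts."""
    header = re.match(rb"%PDF-(\d\.\d)", data)
    cleaned = normalize_names(data)
    return {
        "version": header.group(1).decode() if header else None,
        "eof_markers": data.count(b"%%EOF"),
        "hex_escaped_names": len(HEX_ESCAPE.findall(data)),
        "names": {n: count_name(cleaned, n.encode()) for n in RISKY_NAMES},
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```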
Microsoft Office Document
๏ Microsoft Office documents, such as Word, Excel, and PowerPoint files, are frequently
used by attackers to deliver malware.
๏ Understanding the structure of these documents is crucial for analyzing and detecting malicious content.
๏ Microsoft Office documents primarily come in two formats:
✓ MS-CFB (Microsoft Compound File Binary Format): Used by older versions of
Office, such as .doc and .xls. This format stores data in a hierarchical structure
similar to a file system, with streams and storages.
✓ MS-OOXML (Microsoft Office Open XML): Used by newer versions like .docx,
.xlsx, and .pptx. These are essentially ZIP archives containing XML files that define the
document's content and structure.
Microsoft Office Document - Common Attack Vectors
๏ Malicious Macros
✓ Visual Basic for Applications (VBA) macros can be embedded in Office
documents to execute malicious code.
✓ Macros can be obfuscated to evade detection.
๏ Exploiting Vulnerabilities
✓ CVE-2017-11882 (Equation Editor vulnerability) is frequently exploited
✓ Other common vulnerabilities: CVE-2017-0199, CVE-2015-1641
๏ Dynamic Data Exchange (DDE):
✓ This protocol allows data sharing between applications. Attackers exploit DDE to
execute commands without triggering security warnings.
๏ OLE Objects:
✓ Object Linking and Embedding (OLE) allows embedding of objects within
documents, which can be exploited to hide malicious code.
๏ Template Injection:
✓ Attackers use remote template injection in OOXML files to load malicious code
from external sources.
Analysis Techniques
๏ Static Analysis:
✓ Examining document structure and metadata
✓ Extracting and analyzing embedded objects, macros, scripts
✓ Looking for suspicious keywords, URLs, etc.
๏ Dynamic Analysis:
✓ Executing macros in isolated environments
✓ Monitoring for suspicious behaviors
๏ Machine Learning:
✓ Using ML algorithms to classify documents as malicious or benign
✓ Extracting features from document structure and content
๏ Deobfuscation
✓ Malicious macros are often obfuscated to evade detection. Deobfuscation tools
help reveal the true intent of these scripts:
✓ Olevba: Can deobfuscate VBA macros, making it easier to understand their
functionality.
๏ Indicators of Compromise (IoCs)
✓ Identifying IoCs is critical for understanding how a document might compromise
a system:
✓ Look for suspicious keywords or commands in macros.
✓ Identify any external links or embedded objects that may connect to malicious
sites or download additional payloads.
๏ Comprehensive Analysis
✓ Combining static and dynamic analysis provides a comprehensive understanding
of the document's behavior:
✓ Analyze all extracted content, including embedded executables or scripts.
✓ Use multiple tools to cross-verify findings and ensure thoroughness.
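An added example (not from the original notes and not olevba's code) that works through the OOXML-as-ZIP structure and the remote template injection vector from the previous section: a small Python triage that lists external relationships in every .rels part, flags an attachedTemplate relationship whose target is external, and reports a vbaProject.bin part. The .docx is constructed in memory and the template URL is a placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")

def build_sample_docx() -> bytes:
    """Constructed minimal .docx (not a real sample): a remote attachedTemplate
    relationship in word/_rels/settings.xml.rels plus a vbaProject.bin part."""
    rels = (f'<Relationships xmlns="{PKG_NS}"><Relationship Id="rId1" '
            f'Type="{TEMPLATE_REL}" TargetMode="External" '
            'Target="http://template.example.invalid/t.dotm"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # CFB magic only
    return buf.getvalue()

def external_relationships(zf: zipfile.ZipFile) -> list:
    """(rels part, type, target) for every TargetMode="External" relationship."""
    found = []
    for name in zf.namelist():
        if not name.endswith(".rels"):
            continue
        for el in ET.fromstring(zf.read(name)).iter():
            # Compare the local tag name so the package namespace does not matter.
            if (el.tag.rsplit("}", 1)[-1] == "Relationship"
                    and el.get("TargetMode") == "External"):
                found.append((name, el.get("Type", ""), el.get("Target", "")))
    return found

def triage_docx(docx: bytes) -> dict:
    """OOXML triage: is there a VBA project, and does any part pull a remote
    template (the remote template injection technique described above)?"""
    with zipfile.ZipFile(io.BytesIO(docx)) as zf:
        ext = external_relationships(zf)
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    return {
        "has_vba": has_vba,
        "remote_template": any(t == TEMPLATE_REL for _, t, _ in ext),
        "external_targets": [target for _, _, target in ext],
    }

if __name__ == "__main__":
    print(triage_docx(build_sample_docx()))
```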

Identify PDF and office document vulnerabilities
PDF Document Vulnerabilities
๏ PDFs have become a popular attack vector due to their ubiquity and ability to contain
complex structures. Some notable vulnerabilities include:
๏ Encryption Vulnerabilities: Researchers have discovered two major security flaws in
PDF encryption:
✓ Direct Exfiltration: Takes advantage of partially unencrypted sections in PDF
files, allowing an attacker to embed malicious code.
✓ Cipher Block Chaining Gadgets: Enables attackers to modify plaintext in
encrypted PDFs to execute malicious code.
๏ Code Execution Vulnerabilities: PDFs can contain embedded code that executes when
the file is opened. For example, CVE-2024-41869 is a use-after-free vulnerability that could
lead to remote code execution when opening a specially crafted PDF.
๏ Information Disclosure: Some vulnerabilities, like CVE-2024-45112, can lead to
information leakage, potentially exposing sensitive data.
Common vector for malware delivery
✦ Embedded Scripts and Code: PDFs can contain embedded scripts, such as JavaScript,
which can be used to execute malicious actions when the document is opened. Attackers
often hide these scripts within PDF streams, making detection challenging.
✦ Exploiting Software Vulnerabilities: Many PDF readers have vulnerabilities that can be
exploited by specially crafted PDF files. For example, Adobe Acrobat has had multiple
vulnerabilities that allow remote code execution if not patched promptly.
✦ Exploiting Reader Vulnerabilities: Attackers often exploit vulnerabilities in PDF readers,
such as Adobe Acrobat Reader, to execute arbitrary code. For example, CVE-2021-28550
was a zero-day vulnerability that allowed attackers to take control of a user's computer.
✦ Phishing Schemes: PDFs are frequently used in phishing attacks, where
malicious links within the document lead users to fake websites designed to steal
credentials or deliver malware.
✦ Social Engineering: Cybercriminals often use social engineering tactics to trick
users into opening malicious PDFs. This might involve sending emails with
PDFs that appear to be legitimate documents from trusted sources.
Microsoft Office Document Vulnerabilities
๏ Microsoft Office documents are also frequently targeted by attackers.
๏ Vulnerabilities include:
✦ CVE-2024-21413: A critical vulnerability in the Office suite that allows attackers
to bypass the Protected View feature and execute malicious code. This flaw can be
exploited through:
✴ Maliciously crafted Office documents
✴ The Preview Pane in Office applications
✴ Specially constructed links (Moniker Links)
✦ CVE-2024-38200: An information disclosure vulnerability that could expose
NTLM hashes to remote attackers, potentially leading to credential theft and
further system compromise.
๏ Microsoft Office documents, including Word, Excel, and PowerPoint files, are also
frequently used to deliver malware.
✦ Macros and Embedded Code: Office documents can contain macros, which are
scripts that automate tasks. These macros can be maliciously crafted to execute
harmful actions when enabled by the user. Attackers often obfuscate macro code
to evade detection.
✦ Exploiting Document Properties: Vulnerabilities such as CVE-2024-38200 involve
improper handling of document properties, leading to exposure of sensitive
information. This highlights the importance of keeping software updated to patch
known vulnerabilities.
✦ Remote Template Injection: Some attacks involve injecting a malicious template
file from a remote location when a document is opened. This technique can lead
to the execution of malware without directly embedding it in the document itself.
✦ Legacy Code Issues: Many vulnerabilities stem from outdated code within Office
applications. For instance, CVE-2017-11882 exploits a memory corruption flaw in
the equation editor, allowing attackers to execute code without user interaction.
✦ Embedded Links: Similar to PDFs, Office documents can contain links that
redirect users to malicious sites or download malware.
Mitigation Strategies
๏ Regular Updates: Keep all software, including PDF readers and Office applications,
up-to-date with the latest security patches. This reduces the risk of exploitation through
known vulnerabilities.
๏ Disable Macros by Default: Configure Office applications to disable macros unless
explicitly needed. Educate users about the risks of enabling macros from untrusted
sources.
๏ Security Awareness Training: Train employees to recognize phishing attempts and
handle documents safely. Awareness can prevent many social engineering attacks.
๏ Use Security Tools: Implement security solutions that can detect and block malicious
documents before they reach end-users. Tools like antivirus software and email filters can
help mitigate risks.
Analysis of suspicious websites
๏ Analyzing suspicious websites is a crucial skill for identifying potential threats and
protecting your personal information.
๏ Cybercriminals often create websites that mimic legitimate ones to deceive users into
downloading malware or revealing sensitive information.
๏ Initial Triage
๏ When first encountering a potentially malicious website, start with these steps:
✓ URL Analysis: Carefully examine the URL structure. Look for misspellings,
unusual subdomains, or non-standard TLDs that may indicate a phishing
attempt.
✓ WHOIS Lookup: Check the domain registration details. Recently registered
domains or those with hidden ownership information can be red flags.
✓ Visual Inspection: If safe to do so, visit the site in a secure sandbox
environment. Look for signs of poor design, broken images, or inconsistent
branding that may suggest a fraudulent site.
๏ Automated Analysis Tools
✓ VirusTotal: This popular platform scans URLs using multiple antivirus
engines and provides a comprehensive report on potential threats.
✓ URLscan.io: Offers real-time analysis of websites, including screenshots,
DOM content, and server information.
✓ Hybrid Analysis: Provides in-depth static and dynamic analysis of
websites and associated files.
๏ Network Traffic Analysis
๏ Analyzing the network traffic generated by a suspicious website can reveal
malicious behavior:
✓ Wireshark: Use this powerful tool to capture and inspect network packets,
looking for unusual connections or data exfiltration attempts.
✓ Fiddler: This web debugging proxy can intercept and analyze HTTP/
HTTPS traffic, helping identify malicious requests or responses.
๏ Sandbox Environments
๏ Running suspicious websites in isolated environments allows for safe
analysis:
✓ Cuckoo Sandbox: An open-source automated malware analysis system
that can execute and analyze websites in a controlled environment.
✓ Any.Run: Provides an interactive malware analysis service where you can
observe website behavior in real-time.
๏ Advanced Techniques
✓ Code Inspection: If possible, examine the website's source code for
obfuscated scripts or hidden iframes that may indicate malicious intent.
✓ SSL/TLS Certificate Analysis: Check the site's SSL certificate for validity
and proper implementation.
✓ Reputation Checks: Use services like Google Safe Browsing or PhishTank
to check if the site has been previously reported as malicious.
Key Indicators of Malicious Websites
๏ HTTP vs. HTTPS: Legitimate websites typically use HTTPS, which indicates a secure
connection through SSL encryption. Websites using only HTTP are less secure and
more susceptible to data interception.
๏ Poor Design and Errors: Many unsafe websites have poor design, with spelling errors,
grammatical mistakes, or low-quality images. These elements suggest a lack of
professionalism and attention to detail.
๏ Suspicious URLs: Malicious sites may have URLs that closely resemble those of
legitimate sites but with slight alterations, such as misspellings or additional characters
(e.g., "Amazon1" instead of "Amazon").
๏ Too-Good-To-Be-True Offers: Offers that seem too generous or unrealistic are often
bait to lure users into scams or phishing attacks.
๏ Unusual Requests: Be wary of websites asking for unnecessary downloads, app
installations, or personal information without a clear reason. These requests often aim
to install malware or harvest data.
๏ Fake Security Alerts: Some sites display fake security alerts claiming your system is at
risk and prompting you to download a "solution." These are typically scams designed
to install malware.
๏ Unusual Pop-ups or Ads: Excessive pop-ups or ads requesting sensitive information
are often signs of malicious intent.
๏ Lack of Contact Information: Legitimate sites typically provide contact details and
privacy policies.
Tools for Analyzing Suspicious Websites
๏ VirusTotal: This online service analyzes URLs to detect malware and other malicious
content using multiple antivirus engines.
๏ urlscan.io: A free service that scans websites and provides detailed information about
their structure, including any suspicious elements.
๏ Google Safe Browsing: Checks the current status of a website to determine if it is safe
to visit.
๏ PhishTank: A community-driven database that checks URLs against known phishing
sites.
๏ Fiddler: Acts as a web proxy to capture HTTP/HTTPS traffic, useful for identifying
hardcoded domains in malicious documents.
Techniques for Detecting Malicious Websites
๏ Heuristic Analysis: This involves examining the behavior of a website to
detect anomalies that may indicate malicious activity.
๏ Machine Learning Models: These models analyze various features of URLs,
such as lexical patterns and domain age, to classify them as benign or
malicious.
๏ DNS Analysis: By analyzing DNS data, you can identify unusual patterns or
sudden spikes in queries for unknown domains, which may indicate malicious
activity.
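The URL checks from the initial triage steps and the indicator list above, as an added example that is not part of the original notes: a Python lexical scorer for the features a heuristic or ML classifier would draw on (scheme, brand lookalikes such as "amazon1", subdomain depth, TLD, raw-IP hosts, punycode, credentials in the URL). The brand and TLD lists and the sample URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Illustrative lists, constructed for the example; a real tool would carry far
# larger brand and TLD lists plus an allow-list of known-good domains.
BRANDS = ("amazon", "paypal", "microsoft")
COMMON_TLDS = {"com", "org", "net", "edu", "gov"}

# Constructed sample URLs (hosts use reserved example/documentation names).
SAMPLE_URLS = [
    "https://www.amazon.com/gp/cart",
    "http://amazon1.com/login",
    "http://secure.paypal.com.account-verify.example.xyz/update",
    "http://192.0.2.10/update.exe",
]


def url_features(url: str) -> dict:
    """Lexical indicators from the checklist above: scheme, brand lookalikes,
    subdomain depth, uncommon TLD, raw-IP host, punycode, credentials in URL."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    labels = host.split(".")
    registrable = ".".join(labels[-2:])      # naive eTLD+1, no public-suffix list
    is_ip = host.replace(".", "").isdigit()
    brand_seen = [b for b in BRANDS if b in host]
    # A brand name anywhere in the host other than as the registrable domain
    # itself (amazon1.com, paypal.com.evil.example) is the classic lookalike.
    lookalike = any(not registrable.startswith(b + ".") for b in brand_seen)
    return {
        "plain_http": p.scheme == "http",
        "brand_lookalike": lookalike,
        "deep_subdomains": not is_ip and len(labels) > 3,
        "uncommon_tld": not is_ip and labels[-1] not in COMMON_TLDS,
        "ip_host": is_ip,
        "punycode": any(lab.startswith("xn--") for lab in labels),
        "userinfo": p.username is not None,
    }


def suspicion_score(url: str) -> int:
    """Number of indicators present; 0 means nothing lexically unusual."""
    return sum(1 for v in url_features(url).values() if v)


def rank(urls) -> list:
    """URLs ordered most to least suspicious, paired with their scores."""
    return sorted(((suspicion_score(u), u) for u in urls), reverse=True)


if __name__ == "__main__":
    for score, url in rank(SAMPLE_URLS):
        print(score, url)
```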

Mitigation Strategies
๏ Regular Vulnerability Scans:
✓ Conduct scans of internal and external networks to identify and mitigate
vulnerabilities.
๏ Block Known Bad Domains:
✓ Use web content filtering to block malicious sites by category.
๏ Educate Users:
✓ Train users to be cautious of downloads from third-party sites and to
recognize signs of malicious websites.
