Malicious documents have become a form of malware that all incident responders need to be able to analyze. This course will teach you how to analyze malicious Adobe PDF and Microsoft Office documents, along with any malicious scripts they contain.
Hiding malware within documents has become one of the main methods attackers use to compromise systems. In this course, Performing Malware Analysis on Malicious Documents, you will learn how to look at documents to determine if they contain malware, and if so, what that malware does. First, you will explore how to analyze malicious Adobe PDF and Microsoft Office documents. Next, you will discover how attackers obfuscate scripts within malicious documents, and how you can defeat that obfuscation to determine the script's purpose. Finally, you will dive into the tools required to perform this analysis safely and quickly. When you're finished with this course, you will have the skills and knowledge needed to perform malware analysis on malicious documents.
Tyler Hudak has more than 15 years of experience performing malware analysis, computer forensics, and incident response for multiple organizations. He loves sharing the knowledge he has gained on these topics in his presentations and classes!
Course Overview

Hi everyone. My name is Tyler Hudak, and welcome to my course, Performing Malware Analysis on Malicious Documents. I'm an incident responder who has a passion for analyzing malware in all its forms, and I have taught how to perform malware analysis for a number of years to hundreds of people. The number one topic I get requested to teach is analyzing malicious documents, and with good reason. Documents are one of the primary ways attackers compromise systems with malware. In this course, we're going to learn how to analyze malicious documents to determine what they are doing to compromise a system. Some of the major topics that we'll cover include how to examine Adobe PDF and Microsoft Office documents, ways to get around malicious script obfuscation techniques, and the tools and techniques you can use to speed up your analysis. By the end of this course, you'll know how to safely determine if a document is malicious and how to figure out what it does to compromise a system. Before beginning the course, you should be familiar with basic malware analysis methodologies as taught in the Malware Analysis Fundamentals Pluralsight course. I hope you'll join me on this journey to learn how to analyze malicious documents with the Performing Malware Analysis on Malicious Documents course, at Pluralsight.
Performing Document Analysis

Hey there. This is Tyler Hudak, and welcome back to Performing Malware Analysis on Malicious Documents. In this second module, we're going to talk about some of the analysis techniques that you can perform on any document, regardless of what it is. As we go through this course, we'll be walking through a common analysis scenario that you can follow along with. I'll describe what this scenario is in a little while. If you've gone through my Malware Analysis Fundamentals course here on Pluralsight, you'll be familiar with the malware analysis process. We'll spend a little bit of time discussing it again, just as a reminder. Finally, when you analyze documents, or any file for that matter, there are a number of techniques you can use to extract information from the file. We'll briefly talk about two techniques that should be familiar to you and introduce two new techniques that you'll find very helpful during document analysis.
Analyzing PDF Documents

Hey there. This is Tyler Hudak, and welcome back to Performing Malware Analysis on Malicious Documents. Adobe PDFs are one of the most common documents attackers use to compromise systems. So in this module, we're going to take a deep look into PDFs and learn how we can analyze them. I'm a big proponent of not just learning how to use analysis tools, but also learning what the tools are doing. To do this in document analysis, you also need to understand the underlying structure of the document. So we're going to look at how PDFs are put together, so if your tools ever fail you, you can still perform the analysis you need to. As you'll soon see, there are lots of ways attackers can use PDFs to compromise users, as well as hide data within the PDF. We'll talk about what you need to look for to pinpoint where attacks and hidden data may be located within the document. Finally, we'll discuss the tools you need to use to find what you're looking for in the document and extract it for further analysis.
Analyzing Office Documents

Hello, and welcome back to Performing Malware Analysis on Malicious Documents. In this module, we're going to look at the number one document type being used for malicious purposes at this time: Office documents. Office documents are very popular with attackers because the Microsoft Office Suite is so widely used, especially in the corporate world. Because of this, we're going to look at how these documents are formatted and how we can look inside of them. As always, we'll discuss the tools we can use to analyze Office documents and pull out the information we want. Finally, since Office documents can be a little more complicated to analyze than other documents, we'll look at the fastest ways to get information out of them.
Performing VBA Script Analysis

Hello, and welcome back to Performing Malware Analysis on Malicious Documents. Microsoft Office documents have a robust programming language, Visual Basic for Applications, built into them, which allows the documents to perform some amazing tasks. Unfortunately, attackers use this language to do some amazing malicious things as well. In this module, we're going to look at malicious VBA scripts and learn how to analyze them. VBA macros can contain a lot of code. In order to try and speed up your analysis, we're going to talk about a few VBA macros you'll want to focus on when looking at the malicious code. The techniques we use to analyze malicious scripts are pretty consistent across any script you would analyze, but just to make sure we know them, we'll review them once more. Finally, we'll take everything we've learned on script analysis so far in this course and apply that to analyzing a malicious VBA macro to get around its obfuscation and determine what it does.
Quickly Analyzing Malicious Documents

Hello, and welcome back to Performing Malware Analysis on Malicious Documents. Up to this point, we've discussed how to analyze malicious documents and scripts manually. In this module, we'll talk about one more tool that you can use to get right to what a malicious document is doing without having to get around any obfuscation. That tool is the debugger. It may seem like an odd thing to use a debugger to analyze a document, so we'll talk about how scripts and programs interact and why a debugger will help us. There are many aspects of a program or document that a debugger can be used to monitor. We'll look at what you can focus on to get the most information you can. Finally, we'll look at a tool that automates the entire debugging process for us, making analyzing malicious documents in this fashion very easy.
Office Document Lab

Hello, and welcome back to Performing Malware Analysis on Malicious Documents. In this module, we're going to apply all of the techniques we've learned in this course to analyzing another malicious Office document. In the PDF lab module, we analyzed a malicious PDF that was given to our incident responder, Kevin, by his CIO, Carla. However, when analyzing it, we found that embedded within the PDF was actually an Office document. We now need to analyze this document to see what it does. If you haven't gone through the PDF lab module to see how this file was discovered, I encourage you to jump back to that module now and then come back when you're done. If you want, pause the video here and analyze the malicious document on your own using the tools and techniques we've been learning throughout this whole course. Remember that when analyzing the document, you should look for any attacks or macros within the document itself. Once you find those, analyze what they're doing so you can determine the next steps the malware will take. The malicious PDF containing the Word document can be found at the link here, in a password-protected zip file with the password "infected". Remember, this is real malware. Take all the necessary precautions to ensure you don't compromise yourself during your analysis.