Performing Malware Analysis on Malicious Documents

Course Overview
Hi everyone. My name is Tyler Hudak, and welcome to my course, Performing Malware Analysis on Malicious Documents. I'm an incident responder that has a passion for analyzing malware in all its forms and have taught how to perform malware analysis for a number of years to hundreds of people. The number one topic I get requested to teach is analyzing malicious documents and with good reason. Documents are one of the primary ways attackers compromise systems with malware. In this course, we're going to learn how to analyze malicious documents to determine what they are doing to compromise a system. Some of the major topics that we'll cover include how to examine Adobe PDF and Microsoft Office documents, ways to get around malicious script obfuscation techniques, and the tools and techniques you can use to speed up your analysis. By the end of this course, you'll know how to safely determine if a document is malicious and how to figure out what it does to compromise a system. Before beginning the course, you should be familiar with basic malware analysis methodologies as taught in the Malware Analysis Fundamentals Pluralsight course. I hope you'll join me on this journey to learn how to analyze malicious documents with the Performing Malware Analysis on Malicious Documents course, at Pluralsight.

Performing Document Analysis
Hey there. This is Tyler Hudak, and welcome back to Performing Malware Analysis on Malicious Documents. In this second module, we're going to talk about some of the analysis techniques that you can perform on any document regardless of what it is. As we go through this course, we'll be walking through a common analysis scenario that you can follow along with. I'll describe what this scenario is in a little while. If you've gone through my Malware Analysis Fundamentals course here on Pluralsight, you'll be familiar with the malware analysis process. We'll spend a little bit discussing it again just as a reminder. Finally, when you analyze documents or any file for that matter, there are a number of techniques you can use to extract information from the file. We'll briefly talk about two techniques that should be familiar to you and introduce two new techniques that you'll find very helpful during document analysis.

Analyzing PDF Documents
Hey there. This is Tyler Hudak, and welcome back to Performing Malware Analysis on Malicious Documents. Adobe PDFs are one of the most common documents attackers use to compromise systems. So in this module, we're going to take a deep look into PDFs and learn how we can analyze them. I'm a big proponent of not just learning how to use analysis tools, but also learning what the tools are doing. To do this in document analysis, you also need to understand the underlying structure of the document. So we're going to look at how PDFs are put together so if your tools ever fail you, you can still perform the analysis you need to. As you'll soon see, there are lots of ways attackers can use PDFs to compromise users, as well as hide data within the PDF. We'll talk about what you need to look for to pinpoint where attacks and hidden data may be located at within the document. Finally, we'll discuss the tools you need to use to find what you're looking for in the document and extract it for further analysis.

Performing JavaScript Analysis
Hey there. This is Tyler Hudak, and welcome back to Performing Malware Analysis on Malicious Documents. Attackers need a way to execute code on a system they want to compromise, and when documents are used in their attack, they often need to include malicious scripts to get the deed done. In PDFs, the language of choice is JavaScript. In this module, we're going to take a dive into malicious JavaScript and learn how to analyze it. Before we dive into how to analyze malicious scripts, we're going to review how they're used by attackers and where we can find them. From there, we'll look at the techniques you need to know to analyze malicious JavaScript. Like with everything they do, attackers are going to try to hide what their script is doing using different obfuscation techniques. We'll look at these techniques and how to get around them. The good news is that even though we're talking about JavaScript in this module, most of the techniques we'll use can be applied to any malicious script that has been obfuscated whether it's JavaScript, VBA, PowerShell, or PHP.

PDF Lab
Hello, and welcome back to Performing Malware Analysis on Malicious Documents. In this module, we're going to apply all of the techniques we've learned so far in this course to analyzing another malicious PDF document. Uh-oh! Kevin, our overworked incident responder has been contacted by Carla, his CIO, once again. She has received a suspicious PDF in her email that she needs to make sure is okay to open. It's our job to help Kevin and analyze the PDF for him. We're going to use the PDF and JavaScript analysis tools and techniques we've learned so far in this course to analyze the PDF. Remember to look for any suspicious objects that could contain exploits or malicious code. Once you find any, extract any scripts or malicious files and analyze them to determine the next steps the malware takes. The malicious PDF can be found at the URL here. It will be in a password protected zip file named mal-doc-lab. zip and the PDF will be named important. pdf. As always, the password for the file will be infected. If you want, pause the video here and analyze the malicious PDF on your own using the tools and techniques we've been talking about. When you're done, unpause the video and see how I went through and analyzed the PDF. Remember, this is real malware. Take all the necessary precautions to ensure you don't compromise yourself during analysis.

Analyzing Office Documents
Hello, and welcome back to Performing Malware Analysis on Malicious Documents. In this module, we're going to look at the number one document type being used for malicious purposes at this time, Office documents. Office documents are very popular with attackers because the Microsoft Office Suite is so widely used, especially in the corporate world. Because of this, we're going to look at how these documents are formatted and how we can look inside of them. As always, we'll discuss the tools we can use to analyze Office documents and pull out the information we want. Finally, since Office document analysis can be a little more complicated to analyze than other documents, we'll look at the best ways to get information out of the documents the fastest.

Performing VBA Script Analysis
Hello, and welcome back to Performing Malware Analysis on Malicious Documents. Microsoft Office documents have a robust programming language, Visual Basic for Applications built into them, which allows the documents to perform some amazing tasks. Unfortunately, attackers use this language to do some amazing malicious things as well. In this module, we're going to look at malicious VBA scripts and learn how to analyze them. VBA macros can contain a lot of code in them. In order to try and speed up your analysis, we're going to talk about a few VBA macros you'll want to focus in on when looking at the malicious code. The techniques we use to analyze malicious scripts are pretty consistent across any script you would analyze, but just to make sure we know them, we'll review them once more. Finally, we'll take everything we've learned on script analysis so far in this course and apply that to analyzing a malicious VBA macro to get around its obfuscation and determine what it does.

Quickly Analyzing Malicious Documents
Hello, and welcome back to Performing Malware Analysis on Malicious Documents. Up to this point, we've discussed how to analyze malicious documents and scripts manually. In this module, we'll talk about one more tool that you can use to get right to what a malicious document is doing without having to get around any obfuscation. That tool is the debugger. It may seem like an odd thing to use a debugger to analyze a document, so we'll talk about how scripts and programs interact and why a debugger will help us. There are many aspects of a program or document that a debugger can be used to monitor. We'll look at what you can focus on to get the most information you can. Finally, we'll look at a tool that automates the entire debugging process for us making analyzing malicious documents in this fashion very easy.

Office Document Lab
Hello, and welcome back to Performing Malware Analysis on Malicious Documents. In this module, we're going to apply all of the techniques we've learned in this course to analyzing another malicious office document. In the PDF lab module, we analyze another malicious PDF that was given to our incident responder, Kevin, by his CIO, Carla. However, when analyzing it, we found that embedded within the PDF was actually an Office document. We now need to analyze this document to see what it does. If you haven't gone through the PDF lab module to see how this file was discovered, I encourage you to jump back to that module now and then come back when you're done. If you want, pause the video here and analyze the malicious document on your own using the tools and techniques we've been learning through this whole course. Remember, that when analyzing the document, look for any attacks or macros within the document itself. Once you find those, analyze what they're doing so you can determine the next steps the malware will take. The malicious PDF containing the Word document can be found at the link here in a password protected zip file with the password infected. Remember, this is real malware. Take all the necessary precautions to ensure you don't compromise yourself during your analysis.