

The title says it all. This is a document I shared with my Brucon workshop attendees. I know, this is a PDF document, you’ve to appreciate the. I’m Didier Stevens and work as a senior analyst for NVISO. This includes malware analysis and incident response. I’m a. Microsoft MVP and SANS Internet . Didier Stevens Labs. Training. In , I plan to provide 2 new trainings: analysis of malicious documents (PDF and Office documents) and “Attacking With .


Privoxy is a filtering proxy that I can use to help wget to talk to Tor like this.

Analyzing A Malicious Document Cleaned By Anti-Virus | Didier Stevens

I know that I can put a book on top of the stack with push or remove the book with pop. When you create a new variable, the JavaScript engine will use the heap to store the malicious. AnnouncementMalware — Didier Stevens 0: Here is an example with file demo. Hence I can cut out the PE file precisely like this: A PE file was found, and it starts at position 0x04C7.

MalwareMy Software — Didier Stevens 0: Stempelo Comment by Stempelo malicious Thursday 26 May 6: Well worth a read. Comment by Lucas — Wednesday 26 January For example, this is the cut-expression to select data starting with the second instance of string MZ: The anti-virus that cleaned this file, just changed 13 bytes in total to orphan the macro streams and change the storage names: The first 3 strings are not part of the BASE64 encoded object, hence I get rid of them there are no unwanted strings at the end:.


Then I edit file c: And how is it structured?

The title says it all… This is a document I shared with my Brucon workshop attendees. MalwareQuickpost — Didier Stevens 0: Lucas Start with the Wikipedia article https: Right before the PE malicious, there is the following data: Another simple mitigation for this type of malicious document that you can put into place, but that is not enabled by default, is to disable JavaScript in Adobe Reader.

Keep up the great work!

I extract the content of this ZIP file to folder c: Comment by Didier Stevens — Wednesday 26 January The downloadable file from the previous link is a […].

Comment by Didier Stevens — Saturday 4 December Here is the attached. Pingback by PDF security under the microscope: Remark the first 4 bytes 5 bytes before the beginning of the PE file: Comment by Lucas — Tuesday 25 January If you or your organization have a VirusTotal Intelligence subscription, you can download the sample from VirusTotal. Searching through VirusTotal Intelligence, I found a couple of.


The stack can be represented by a stack of books. Comment by Scav3nger — Sunday 26 Atevens One of the extracted strings contains 3 URLs separated by character V. Object 5 contains JavaScript option -o 5 to select object 5, and option -f to decompress the stream with JavaScript: What I mean is: Lenny Zeltser has a list of repositories.

Didier Stevens

What is the first part with shell code used for? Is it not possible already? How can I add or delete variables from the heap? Comment by cyberbofh — Monday 27 September First we select and extract all VBA code options -s malicious -v and then we pipe this into re-search to produce a list of unique strings enclosed in double quotes with these options: The root folder contains one file: In the description of the YouTube video, you will find a link to the video blog post.

I added a new option -I, --ignorehex to base64dump.