The title says it all. This is a document I shared with my Brucon workshop attendees. I know, this is a PDF document, you’ve to appreciate the. I’m Didier Stevens and work as a senior analyst for NVISO. This includes malware analysis and incident response. I’m a Microsoft MVP and SANS Internet . Didier Stevens Labs. Training. In , I plan to provide 2 new trainings: analysis of malicious documents (PDF and Office documents) and “Attacking With .


Word does not open it in Protected View: Without mark-of-web, Word will open the document without Protected View.

This PE file can be saved to disk now for reverse-engineering. Comment by cyberbofh — Monday 27 September: What is the first part with shell code used for?

Searching through VirusTotal Intelligence, I found a couple of.

For every video that I post on YouTube, I create a corresponding video blog post https: I know that I can put a book on top of the stack with push or remove the book with pop. I have malicious read the. Comment by Stempelo — Thursday 26 May 6:


Analyzing A Malicious Document Cleaned By Anti-Virus | Didier Stevens

Additionally you can find an ebook about analyzing malicious PDFs on his […] Pingback by hack. .NET assembly, the overlay is not part of the PE file, but it is part of the serialization metadata. How can I add or delete variables from the heap?

Comment by Didier Stevens — Thursday 27 January: I will often use the MD5 hash, but since I include a link to VirusTotal, you can consult the report and find other hashes like sha in that report. This can be clearly seen using oledir: Well worth a read.

Didier Stevens

I run Tor Windows Expert Bundle without any configuration: Comment by Didier Stevens — Saturday 11 December: This can be clearly seen using oledir: Remark the first 4 bytes, 5 bytes before the beginning of the PE file: The anti-virus that cleaned this file just changed 13 bytes in total to orphan the macro streams and change the storage names: Here we see a better attempt at social engineering the user into executing the macros.


Comment by WndSks — Sunday 26 September 9: Here is an example where I use it to copy all the VBA code of a malicious Word document to the clipboard, so that I can paste it into a text editor without having to write it to disk.

I was asked if malware authors can abuse autorun. Well worth a read. Comment by lavamunky — Sunday 26 September: This will give me a SOCKS listener that curl can use: Thanks for putting it online!

Free Malicious PDF Analysis E-book | Didier Stevens

Shows a healthy sense of humor. Then I edit file c: