The title says it all. This is a document I shared with my Brucon workshop attendees. I know, this is a PDF document, you've to appreciate the. I'm Didier Stevens and work as a senior analyst for NVISO. This includes malware analysis and incident response. I'm a Microsoft MVP and SANS Internet . Didier Stevens Labs. Training. In , I plan to provide 2 new trainings: analysis of malicious documents (PDF and Office documents) and "Attacking With .


Comment by Didier Stevens — Sunday 26 September 9: How can I add or delete variables from the heap?

First we select and extract all VBA code (options -s a -v) and then we pipe this into re-search to produce a list of unique strings enclosed in double quotes with these options:

Comment by Didier Stevens — Wednesday 1 November: Thanks for putting it online!

MalwareQuickpost — Didier Stevens

Here we see a better attempt at social engineering the user into executing the macros.


This will give me a Socks listener, that curl can use:

Comment by Stempelo — Thursday 26 May 6: Then I edit file c:

Comment by Russell Holloway — Wednesday 29 September: NET serialization format specification, but I can make an educated guess.

Didier Stevens

And BTW I just love the irony. Another simple mitigation for this type of malicious document that can be put into place, but that is not enabled by default, is to disable JavaScript in Adobe Reader. I can cut this data out with option -c: I create an iso object from an.

Remark the first 4 bytes (5 bytes before the beginning of the PE file):

Great guide for those getting started with malicious PDF analysis.

Lucas, start with the Wikipedia article https:

For example, this is the cut-expression to select data starting with the second instance of string MZ:

The first mitigation is in Adobe Reader:

Comment by Didier Stevens — Sunday 26 September


Only when clicking OK (the default option) will the.

Comment by Scav3nger — Sunday 26 September

Comment by Mark — Saturday 11 December

This is the serialized object, and it contains the.

MalwareMy Software — Didier Stevens

What I mean is:

Didier Stevens – 44CON

And then I can use wget like this:

Object 5 contains JavaScript (option -o 5 to select object 5, and option -f to decompress the stream with JavaScript):

One of the extracted strings contains 3 URLs separated by character V. Any easter eggs in the PDF? I often store malware in password protected ZIP files; these files can be analyzed too, provided you use zipdump.

But where to get diffdump?