The title says it all This is a document I shared with my Brucon workshop attendees. I know, this is a PDF document, you’ve to appreciate the. I’m Didier Stevens and work as a senior analyst for NVISO. This includes malware analysis and incident response. I’m a. Microsoft MVP and SANS Internet . Didier Stevens Labs. Training. In , I plan to provide 2 new trainings: analysis of malicious documents (PDF and Office documents) and “Attacking With .


Comment by Didier Stevens — Wednesday 1 November If you or your organization have a VirusTotal Intelligence subscription, you can download the sample from VirusTotal. In the description of the YouTube video, you will find a link to the video blog post. Comment by Larry Seltzer — Sunday 26 September This next mitigation is put into place by Microsoft Word: Here we see a better attempt at social engineering the user into executing the macros.

I can cut this data out with option -c: Mitigations The first mitigation is in Adobe Reader: Comment by cyberbofh — Monday 27 September When this file is opened (double-clicked), it is mounted as a drive E: Comment by bartblaze — Sunday 26 September


Didier Stevens – 44CON

You might have expected that this document would be opened in Protected View first. Another simple mitigation for this type of malicious document that you can put into place, but that is not enabled by default, is to disable JavaScript in Adobe Reader.

Comment by Lucas — Tuesday 25 January For every video that I post on YouTube, I create a corresponding video blog post: https: Remark the first 4 bytes, 5 bytes before the beginning of the PE file: Radare2 can do diffing: When opened in Word, macros will be disabled: First the user is presented with a dialog box:

Malware | Didier Stevens

How can I add or delete variables from the heap? This will give me a SOCKS listener that curl can use: Read my article in Hack In The Box magazine; maybe this will make things clear. Comment by Didier Stevens — Saturday 4 December This can be clearly seen using oledir: I know that I can put a book on top of the stack with push or remove the book with pop.

I run Tor Windows Expert Bundle without any configuration: This file is not marked as downloaded from the Internet: Then I edit file c: This is the serialized object, and it contains the.


Didier Stevens

Shows a healthy sense of humor. If there is more than one instance of string MZ, different cut-expressions must be tried to find the real start of the PE file. Right before the PE file, there is the following data:

In my malware analysis blog posts and videos, I always try to include the hash or VirusTotal link of the sample(s) I analyze.

Object 5 contains JavaScript (option -o 5 to select object 5, and option -f to decompress the stream with JavaScript): Comment by Mark — Saturday 11 December When you create a new variable, the JavaScript engine will use the heap to store the variable. But where to get diffdump?

The anti-virus that cleaned this file just changed 13 bytes in total to orphan the macro streams and change the storage names: Didier was able to find back the original malicious document: