The title says it all. This is a document I shared with my Brucon workshop attendees. I know, this is a PDF document, you’ve to appreciate the. I’m Didier Stevens and work as a senior analyst for NVISO. This includes malware analysis and incident response. I’m a Microsoft MVP and SANS Internet . Didier Stevens Labs. Training. In , I plan to provide 2 new trainings: analysis of malicious documents (PDF and Office documents) and “Attacking With .


Pingback by PDF security under the microscope: I have not read the.

Comment by Didier Stevens — Saturday 4 December Comment by Jasper — Tuesday 25 January 1: I was able to find back the original malicious document: The Clip Command Filed under: Shows a healthy sense of humor. Pingback by Malicious Documents: .NET assembly, the overlay is not part of the PE file, but it is part of the serialization metadata.


Comment by Lucas — Wednesday 26 January Is it that I can with Stevens’ method write data directly into the heap? Then I copy the 2 samples for the config files: ForensicsMalware — Didier Stevens 0: I extract the content of this ZIP file to folder c: I added a new option -I, --ignorehex to base64dump.

Stevens is how I use it interactively to look into the ISO file. Comment by Didier Stevens — Sunday 26 September I found Python library isoparser to help me analyze.

Analyzing A Malicious Document Cleaned By Anti-Virus | Didier Stevens

Comment by lavamunky — Sunday 26 September Comment by Didier Stevens — Sunday 26 September 9: The anti-virus that cleaned this file just changed 13 bytes in total to orphan the macro streams and change the storage names: Radare2 can do diffing: This next mitigation is put into place by Microsoft Word: Do you know any books where I can read more about the heap that you can recommend?


The downloadable file from the previous link is a […]. I often store malware in password protected ZIP files; these files can be analyzed too, provided you use Didier. Well worth a read Comment by lavamunky — Sunday 26 September Double-quote is 0x22, thus I use option -I Comment by Larry Seltzer — Sunday 26 September This can be clearly seen using oledir: If there is more than one instance of string MZ, different cut-expressions must be tried to find the real start of the PE file.