CanSecWest: Security Masters Dojo Vancouver
Analysis of Malicious Documents (course held March 7th)
Guillaume Delugre and Jean-Baptiste Bedrune
Office and PDF documents have quickly become a common attack vector over the last few years. The main reasons are that these formats are widely used, offer scripting capabilities and have been affected by a large number of vulnerabilities.
Nevertheless, analysing malicious documents requires both a basic understanding of the technical aspects of the Office and PDF formats and some familiarity with the tools needed for the analysis.
This course focuses on the practical analysis of malicious PDF and Microsoft Office documents, with the Origami framework and the OffVis tool. By the end of this course, students will be able to detect a malicious Office or PDF document and know how to quickly locate and extract the payload in order to perform a further analysis.
PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides list the material students are expected to have knowledge of before attending, and the software tools that need to be pre-installed, so that you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses and will be necessary to get the maximum benefit out of these educational programs.
Microsoft Office documents analysis:
- Description of Office document file formats
  - Mostly focused on Word
  - Document organization (Office 97/2003, Office 2007/2010)
- Study of Office macros
- Detection process of a malicious Office document
- Presentation of the tools of interest
- Study of a document's internals: identifying exploits, locating and extracting the payload
- Analysis of a document's source, finding markers to create custom AV signatures
- Analysis of real-world Office exploit cases
PDF documents analysis:
- Description of the PDF file format
- Presentation of PDF document scripting features and their exploitation
- Study of obfuscation techniques using advanced PDF features
- Detection process of a malicious PDF document
- Analysis of a document's internals: locating and extracting the payload with Origami
- Analysis of real-world PDF exploit cases
Who should attend?
- IT security specialists
- Forensics analysts
- Individuals interested in this topic