The title says it all. This is a document I shared with my Brucon workshop attendees. I know, this is a PDF document, you have to appreciate the. I'm Didier Stevens and work as a senior analyst for NVISO. This includes malware analysis and incident response. I'm a Microsoft MVP and SANS Internet . Didier Stevens Labs. Training. In , I plan to provide 2 new trainings: analysis of malicious documents (PDF and Office documents) and "Attacking With .


This will give me a SOCKS listener that curl can use:

Comment by Elias Ringhauge — Sunday 17 October

Comment by lavamunky — Sunday 26 September

Why not host an unzipped PDF with a docs.

This PE file can be saved to disk now for reverse-engineering.

Remark the first 4 bytes, 5 bytes before the beginning of the PE file:

The anti-virus that cleaned this file just changed 13 bytes in total to orphan the macro streams and change the storage names.

If there is more than one instance of the string MZ, different cut-expressions must be tried to find the real start of the PE file: not every MZ is a DOS header, so each candidate has to be checked before the bytes after it are saved as a PE file.
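As an added example (not code from the original post or from Didier Stevens' tools), the following Python script does the check behind "try different cut-expressions": it lists every MZ occurrence in a blob, validates each candidate by reading e_lfanew at offset 0x3C and checking that it points at the PE\0\0 signature, carves from the first candidate that passes, and hashes the result. The sample input is constructed inline: a few bytes of junk containing a decoy "MZ", followed by a minimal DOS/PE header stub.

```python
import hashlib
import struct
from typing import List, Optional


def find_mz_offsets(data: bytes) -> List[int]:
    """Return the offset of every 'MZ' in data; not all of them are DOS headers."""
    offsets = []
    pos = data.find(b"MZ")
    while pos != -1:
        offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def is_pe_at(data: bytes, offset: int) -> bool:
    """Validate a candidate: 'MZ' at offset, and e_lfanew (DOS header +0x3C)
    must point at the 'PE\\0\\0' signature relative to that same offset."""
    if data[offset:offset + 2] != b"MZ" or len(data) < offset + 0x40:
        return False
    e_lfanew = struct.unpack_from("<I", data, offset + 0x3C)[0]
    pe_off = offset + e_lfanew
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def carve_pe(data: bytes) -> Optional[bytes]:
    """Cut the blob at the first MZ that is really a PE header, like trying
    successive [MZ] cut-expressions until one yields a valid file."""
    for off in find_mz_offsets(data):
        if is_pe_at(data, off):
            return data[off:]
    return None


def md5_hex(data: bytes) -> str:
    """MD5 of the carved file, for looking it up in VirusTotal and similar."""
    return hashlib.md5(data).hexdigest()


def build_sample():
    """Constructed test input (not a real malware sample): 5 bytes of junk,
    a decoy 'MZ' inside a text string, then a minimal PE header stub."""
    prefix = b"\x90" * 5 + b"MZ decoy text\x00"
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 0x40-byte DOS header
    struct.pack_into("<I", dos_header, 0x3C, 0x40)   # e_lfanew -> right after it
    coff_stub = b"\x4c\x01" + b"\x00" * 18            # Machine=i386, rest zeroed
    pe = bytes(dos_header) + b"PE\x00\x00" + coff_stub
    return prefix + pe, len(prefix)


if __name__ == "__main__":
    blob, real_start = build_sample()
    for off in find_mz_offsets(blob):
        print(f"MZ at 0x{off:x}: {'valid PE' if is_pe_at(blob, off) else 'not a PE header'}")
    carved = carve_pe(blob)
    print(f"carved at 0x{real_start:x}, {len(carved)} bytes, md5 {md5_hex(carved)}")
```

The decoy MZ fails because its e_lfanew field (read from whatever bytes happen to sit 0x3C later) does not land on a PE signature; the real header passes and is the one that gets saved. For a blob with many MZ hits, this replaces manual trial of cut-expressions with a deterministic check.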


I extract the content of this ZIP file to folder c:

And I can also retrieve all the content to calculate the malicious MD5 hash:

Comment by Jasper — Tuesday 25 January 1:

Only when clicking OK (the default option) will the.

I went to the workshop on Friday and it was really good, one of the best bits of Brucon.

What is the first part with shell code used for?

Didier Stevens – 44CON

Can I write to it directly?

I create an iso object from an.

Thanks for your release Didier.

Comment by Didier Stevens — Friday 3 November 8:

The first 3 strings are not part of the BASE64 encoded object, hence I get rid of them (there are no unwanted strings at the end):

Searching through VirusTotal Intelligence, I found a couple of.

I sometimes retrieve malware over Tor, just as a simple trick to use another IP address than my own.

Is it that I can, with this method, write data directly into the heap?

The downloadable file from the previous link is a […].

Analyzing A Malicious Document Cleaned By Anti-Virus | Didier Stevens

First the user is presented a dialog box:

.NET assembly I want to analyze.

Remark that the maldoc authors use some weak social engineering to entice the user to click OK:

Do you know any books where I can read more about this that you can recommend?


Anyways, please try again, I just tested.

The root folder contains one file:

Jasper, 0x is a hexadecimal number.

Didier Stevens

More info on orphaned streams can be found in this blogpost.

What I mean is:

Here we see a better attempt at social engineering the user into executing the macros.

The first mitigation is in Adobe Reader:

The next mitigation is put into place by Microsoft Word:

Word does not open it in Protected View:

Remark that these documents do not contain exploits:

I was able to find back the original malicious document: