The title says it all. This is a document I shared with my Brucon workshop attendees. I know, this is a PDF document, you have to appreciate the. I'm Didier Stevens and work as a senior analyst for NVISO. This includes malware analysis and incident response. I'm a Microsoft MVP and SANS Internet . Didier Stevens Labs. Training. In , I plan to provide 2 new trainings: analysis of malicious documents (PDF and Office documents) and "Attacking With ."


Remark that these documents do not contain exploits. If you or your organization have a VirusTotal Intelligence subscription, you can download the sample from VirusTotal.

Mitigations. The first mitigation is in Adobe Reader: when you create a new variable, the JavaScript engine will use the heap to store the variable.

This file is not marked as downloaded from the Internet: I have not read the. I can cut this data out with option -c: But where to get diffdump? If there is more than one instance of MZ, different cut-expressions must be tried to find the real start of the PE file.


Comment by Lucas — Wednesday 26 January. Pingback by PDF security under the microscope. Word does not open it in Protected View. Object 5 contains JavaScript (option -o 5 to select object 5, and option -f to decompress the stream with JavaScript). If you want, you can also put these options in a configuration file.

Didier Stevens

How can I add or delete variables from the heap? One of the extracted strings contains 3 URLs separated by character V. Here is the attached.


The downloadable file from the previous link is a […]. This can be clearly seen using oledir. Comment by Didier Stevens — Friday 3 November 8: Comment by Jasper — Tuesday 25 1: I often store malware in password protected ZIP files; these files can be analyzed too, provided you use zipdump. The anti-virus that cleaned this file just changed 13 bytes in total to orphan the macro streams and change the storage names. Is it that I can with this method write data directly into the heap?

Pingback by [PDF] Ebook gratuit. Hence I can cut out the PE file precisely like this: Do you know any books where I can read more about the heap that you can recommend? First the user is presented a dialog box. I was looking for a long time for such a tool! Then I launch Privoxy. Remark the first 4 bytes, 5 bytes before the beginning of the PE file: Can I write to it directly?



You might have expected that this document would be opened in Protected View first. And BTW I just love the irony. Read my article in Hack In The Box magazine, maybe this will make things clear.

Shows a healthy sense of humor.

Remark that there is an overlay (bytes appended to the end of the PE file), and that it starts at position 0x. Comment by Mark — Saturday 11 December. Without mark-of-web, Word will open the document without Protected View. Why not host an unzipped pdf with a docs. Comment by Didier Stevens — Monday 27 September 8: Comment by bartblaze — Sunday 26 September
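Two of the fragments above describe the same carving problem: when a blob contains more than one "MZ", the real PE start has to be found by trying candidates (the "different cut-expressions" step), and once the PE is carved, anything past the end of the last section's raw data is the overlay. The following is an added example, not code from Didier Stevens' tools and not his cut-expression syntax; it implements that logic in plain Python on a constructed sample (a decoy "MZ" string, a minimal non-runnable PE image built in code, and an appended overlay). It assumes a valid candidate is one whose e_lfanew points at a "PE\0\0" signature inside the data, and that the PE ends at the largest PointerToRawData + SizeOfRawData in the section table.

```python
import struct

# Constructed sample, not a real malware file: 28 bytes of junk that happen to
# contain a decoy "MZ", then a minimal PE image, then an overlay.
PREFIX = b"junk with a decoy MZ marker\x00"
OVERLAY = b"OVERLAY: bytes appended after the last section"
PE_SIG_OFFSET = 0x40          # where the constructed image places "PE\0\0"
SECTION_HEADER_SIZE = 40


def make_section(name, vaddr, raw_ptr, raw_size):
    """IMAGE_SECTION_HEADER: name, vsize, vaddr, rawsize, rawptr, relocs, lines, nrelocs, nlines, flags."""
    return struct.pack("<8sIIIIIIHHI", name, raw_size, vaddr, raw_size, raw_ptr,
                       0, 0, 0, 0, 0x60000020)


def build_sample_pe():
    """Minimal PE: DOS header, PE signature, COFF header, zero-filled optional header, two sections."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, PE_SIG_OFFSET)          # e_lfanew
    sections = [make_section(b".text", 0x1000, 0x200, 0x200),
                make_section(b".data", 0x2000, 0x400, 0x100)]
    opt = bytearray(224)                                       # PE32 optional header, zeroed
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    image = bytearray(bytes(dos) + b"PE\0\0" + coff + bytes(opt) + b"".join(sections))
    image += b"\0" * (0x500 - len(image))                      # pad up to the end of .data
    image[0x200:0x204] = b"\x55\x8b\xec\x90"                   # a few fake code bytes in .text
    return bytes(image)


SAMPLE = PREFIX + build_sample_pe() + OVERLAY


def find_mz_candidates(data):
    """Every offset of b'MZ' in data; most of them will not start a PE."""
    offsets, pos = [], data.find(b"MZ")
    while pos != -1:
        offsets.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return offsets


def is_valid_pe(data, off):
    """A candidate is real if its e_lfanew lands on a 'PE\\0\\0' signature inside the data."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    return pe + 4 <= len(data) and data[pe:pe + 4] == b"PE\0\0"


def pe_raw_end(data, off):
    """Offset in data just past the last byte covered by the section table (overlay starts here)."""
    pe = off + struct.unpack_from("<I", data, off + 0x3C)[0]
    nsections = struct.unpack_from("<H", data, pe + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]       # SizeOfOptionalHeader
    table = pe + 24 + opt_size
    end = table + SECTION_HEADER_SIZE * nsections               # at least the headers themselves
    for i in range(nsections):
        raw_size, raw_ptr = struct.unpack_from("<II", data, table + SECTION_HEADER_SIZE * i + 16)
        if raw_size:
            end = max(end, off + raw_ptr + raw_size)
    return end


def carve_pe(data):
    """Try each MZ candidate in turn; return (start, pe_bytes, overlay_bytes) for the first real PE."""
    for off in find_mz_candidates(data):
        if is_valid_pe(data, off):
            end = pe_raw_end(data, off)
            return off, data[off:end], data[end:]
    raise ValueError("no valid PE header found")


if __name__ == "__main__":
    print("MZ candidates:", [hex(o) for o in find_mz_candidates(SAMPLE)])
    start, pe, overlay = carve_pe(SAMPLE)
    print(f"real PE at 0x{start:x}, {len(pe)} bytes; overlay at 0x{start + len(pe):x}: {overlay!r}")
```

On the constructed sample the decoy at offset 18 is rejected because its e_lfanew points at junk, the image at offset 28 is accepted, and the overlay is whatever follows the 0x500 bytes covered by the section table. On real files, replace SAMPLE with the bytes of the dumped stream; a section with SizeOfRawData 0 is skipped so it does not distort the end computation.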