My objective with this series of articles is to show examples of malicious file analysis that I presented during my lecture on BSides-Vitória 2022.
For this first one, I’ll briefly introduce some crucial topics to ease the understanding of the analysis process.
What’re malicious files?
Some files are more used in attacks
Compressed files
Microsoft Office Documents
PDF files
Microsoft Office Documents
PDF Files
Static Analysis x Dynamic Analysis
Tools
Peframe
Pdf-parser
Peepdf
Oletools
ExifTool
Wireshark
URLscan
urlscan.io – Website scanner for suspicious and malicious URLs.
MXtoolBox
MxToolbox supports global Internet operations by providing free, fast, and accurate network diagnostic and lookup tools. Millions of technology professionals use our tools to help diagnose and resolve a wide range of infrastructure issues.
Example 01 – Static Analysis
Note: All tests were executed in a virtual machine with Linux operating system.
Here I’m going to show in practice how we can use some of the tools above to analyze a malicious file.
We start with ExifTool to try to gather information through metadata.
Attention points:
When I use the rev command to reverse the output of the ExifTool command it is possible to better understand the line, as shown below.
Using the olevba it’s possible to identify malicious macros and their possible actions.
Attention point:
Using the PEframe it’s possible to get a similar result but without the suspicious points shown by olevba.
Now performing dynamic analysis, I opened the file using the LibreOffice package, and the same generated an alert that the macros can contain viruses.
The content of the file induces the user to enable the “enable edition” option.
To according shown above, with some small steps was possible to perform an analysis and have a conclusion that the file is malicious.
See you in the next analysis 🙂
About the author: Zoziel Pinto Freire
Cyber Security Specialist | Forensic Expert | Threat Hunter | BlueTeam | RedTeam | Pentester | Assessment
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Malicious file analysis)
[adrotate banner=”5″]
[adrotate banner=”13″]
Threat actors are exploiting the CVE-2023-22518 flaw in Atlassian servers to deploy a Linux variant of…
Ivanti addressed two critical vulnerabilities in its Avalanche mobile device management (MDM) solution, that can…
Researchers released an exploit code for the actively exploited vulnerability CVE-2024-3400 in Palo Alto Networks'…
Cisco Talos warns of large-scale brute-force attacks against a variety of targets, including VPN services,…
The PuTTY Secure Shell (SSH) and Telnet client are impacted by a critical vulnerability that could…
Researchers warn of a renewed cyber espionage campaign targeting users in South Asia with the…
This website uses cookies.