Malicious document analysis

Use Case

While many people know to be suspicious of executable binary files, office document formats such as PDF, DOC, DOCX, XLSX, and ODT, which are used on a daily basis, are unfortunately known to be weaponized with malicious dynamic content or application exploits.

This subtopic teaches learners how they can triage and analyze potentially malicious documents.

Objectives

After completing this subtopic, practitioners should be able to do the following:

• Set up a REMNux virtual machine for document analysis
• Disassemble and analyze PDF documents
• Disassemble and analyze Microsoft Office documents

Main Section

Many threat actors can use documents with malicious payloads as an attack vector. Read through this page for a case study thereof.

Greater Internet Freedom, an Internews Project, recently created a small course on analyzing malicious documents. Read through all four parts of the course (listed below) in order to complete this subtopic.

Please note that some of the tools included in this guide require Python to be installed on your system. MacOS and Linux systems may have Python installed by default. If you are running Windows, we recommend setting up WSL (Windows Subsystem for Linux) and running the tools from there.

Part 1 - Introduction and VMs - Internews Greater Internet Freedom
Part 2 - PDF Documents
Part 3 - Microsoft Office Documents
Part 4 - Defensive Measures and Next Steps

Skill Check

Complete all of the challenges in the course linked above.

Learning Resources