Module 9
Malicious document analysis
Last updated on: 26 July 2024
While many people know to be suspicious of executable binary files, everyday office document formats such as PDF, DOC, DOCX, XLSX, and ODT are unfortunately also known to be weaponized, either with malicious dynamic content or with exploits against the applications that open them.
This subtopic teaches learners how they can triage and analyze potentially malicious documents.
After completing this subtopic, practitioners should be able to do the following:
Many threat actors use documents carrying malicious payloads as an attack vector. Read through this page for a case study of such an attack.
Greater Internet Freedom, an Internews Project, recently created a small course on analyzing malicious documents. Read through all four parts of the course (listed below) in order to complete this subtopic.
Please note that some of the tools included in this guide require Python to be installed on your system. macOS and Linux systems may have Python installed by default. If you are running Windows, we recommend setting up WSL (Windows Subsystem for Linux) and running the tools from there.
Part 1 - Introduction and VMs - Internews Greater Internet Freedom
Part 2 - PDF Documents
Part 3 - Microsoft Office Documents
Part 4 - Defensive Measures and Next Steps
Complete all of the challenges in the course linked above.
Analysis of malicious documents – Part 01 – Introduction and VMs (Free)
Introduces the topic of malicious document analysis and guides learners on setting up a VM for the task.
Analysis of malicious documents – Part 02 – PDF documents (Free)
Covers tools like text editors and PDF disassemblers for analyzing PDF files and detecting executable scripts.
Analysis of malicious documents – Part 03 – Microsoft Office documents (Free)
Explores the structure of Microsoft Office documents and their potential for embedding active content.
Analysis of malicious documents – Part 04 – Defensive measures, next steps, and closure (Free)
Demonstrates steps and defensive measures when handling documents from unknown or potentially malicious sources.
Analyzing malicious PDFs (Free)
Discusses various tools for in-depth analysis of malicious PDF files.
How to analyze malicious Microsoft Office files (Free)
Provides insights into detecting malicious payloads in Microsoft Office files and methods for analysis.
Congratulations on finishing Module 9!