Malicious Document Analysis [HITB+ CYBERWEEK 2021]

In recent years malicious documents have been the primary malware infection vector, reported in around 70% of incidents, which makes them the main weapon for spreading malware and launching attacks against companies and governments around the world. Contrary to common perception, these artifacts can be hard to analyze: they are built to evade detection and to slow down analysis through obfuscation, embedded shellcode and other tricks aimed at defeating sandboxes, and their usual job is to download a binary from the Internet and continue the infection chain. Knowing how to analyze them and understand their goals is essential for tracing how criminals try to compromise a company's defenses.

$2,299.00

Duration

2 days

Delivery Method

virtual

Level

intermediate

Seats Available

20

ATTEND ONLINE: Virtual via Zoom and LMS

DATE: 22-23 November 2021

TIME: 09:00 to 17:00 GST/GMT+4

Date    Day      Time                   Duration
22 Nov  Monday   09:00-17:00 GST/GMT+4  8 Hours
23 Nov  Tuesday  09:00-17:00 GST/GMT+4  8 Hours

This course uses practical, real examples to explain how to analyze malicious documents, which are today's main vector of malware infection and, contrary to common intuition, can be very hard to analyze. Students learn to perform static and dynamic analysis of document types such as PDF, DOC/DOCX, XLS/XLSX, RTF and MSI, in which adversaries employ anti-forensic tricks such as obfuscated shellcode, embedded documents, obfuscated scripts and many other tactics.

The class is almost entirely practical: the instructor analyzes real malicious documents live, and students follow along on the same samples at the same time.

The course is composed by the following topics:

1. Introduction

2. Creating a lab and fundamental concepts

3. Analyzing Malicious PDF Documents

4. Analyzing Malicious MS Office Documents

5. Analyzing Malicious MS Office Documents – Dynamic Analysis

6. Miscellaneous

Over the two days students analyze, in real time, a large number of document files (and files in other formats), which makes this an almost 100% hands-on course!
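As an added example (not part of the course material or the instructor's own code), the kind of static triage that topic 3 applies to PDF files: count the names that give a document dangerous capabilities (/JavaScript, /OpenAction, /Launch, /EmbeddedFile and so on) and defeat two of the evasion tricks the outline alludes to. Both sample PDFs are constructed inline; the first hides /JavaScript behind a PDF name hex escape (/J#61vaScript), the second packs the action object into a Flate-compressed object stream so the raw file contains no script keyword at all. The keyword list and the risk summary fields are assumptions of this example, not an official list.

```python
import re
import zlib
from collections import Counter

# Names that mark risky PDF features: script execution (/JavaScript, /JS),
# automatic actions (/OpenAction, /AA), launching programs (/Launch),
# embedded payloads (/EmbeddedFile, /RichMedia, /XFA), links (/URI) and
# object streams (/ObjStm), which can hide any of the above inside compressed data.
SUSPICIOUS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia", b"/XFA", b"/URI", b"/ObjStm")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\nendstream", re.DOTALL)

# Constructed sample 1: the catalog's /OpenAction points at a JavaScript action.
# The action's /S name is written /J#61vaScript (PDF name hex escape for 'a'),
# so a plain grep for /JavaScript finds nothing.
SAMPLE_PLAIN = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
4 0 obj
<< /S /J#61vaScript /JS (this.exportDataObject({cName: "stage2", nLaunch: 2});) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""


def build_objstm_sample() -> bytes:
    """Constructed sample 2: the same action object is packed into a
    Flate-compressed object stream (/ObjStm), so the raw file contains
    neither /JavaScript nor /JS until the stream is inflated."""
    inner = b"4 0 << /S /JavaScript /JS (app.alert(1);) >>"  # "objnum offset" pair, then object 4
    packed = zlib.compress(inner)
    return (b"%PDF-1.5\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
            b"5 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
            + str(len(packed)).encode() + b" >>\nstream\n" + packed + b"\nendstream\nendobj\n"
            b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes so /J#61vaScript reads as /JavaScript.
    The escape is only legal inside names; applying it to a whole text buffer
    is an acceptable approximation for triage (never apply it to compressed
    stream bodies, which may contain '#' by chance)."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def stream_bodies(data: bytes) -> list:
    """Return every stream body, inflated when zlib can decode it and raw otherwise."""
    bodies = []
    for m in STREAM_RE.finditer(data):
        try:
            bodies.append(zlib.decompress(m.group(1)))
        except zlib.error:
            bodies.append(m.group(1))
    return bodies


def count_keywords(data: bytes) -> Counter:
    """Count suspicious names; the lookahead stops /JS from matching /JSON-like names."""
    counts = Counter()
    for kw in SUSPICIOUS:
        n = len(re.findall(re.escape(kw) + rb"(?![A-Za-z0-9])", data))
        if n:
            counts[kw.decode()] = n
    return counts


def triage_pdf(data: bytes) -> dict:
    """Static triage: scan the object text with escapes resolved, then scan
    each (inflated) stream body, and summarise what the document can do."""
    outside = STREAM_RE.sub(b"", data)          # object text without stream bodies
    counts = count_keywords(normalize_names(outside))
    for body in stream_bodies(data):
        counts.update(count_keywords(normalize_names(body)))
    return {
        "keywords": dict(counts),
        "name_escapes": len(NAME_ESCAPE.findall(outside)),
        "auto_exec": any(k in counts for k in ("/OpenAction", "/AA")),
        "script": any(k in counts for k in ("/JavaScript", "/JS")),
    }


if __name__ == "__main__":
    for label, pdf in (("hex-escaped name", SAMPLE_PLAIN), ("object stream", build_objstm_sample())):
        print(label, "naive:", dict(count_keywords(pdf)), "triage:", triage_pdf(pdf))
```

Running the block prints, for each sample, what a naive keyword count sees next to what the triage sees once escapes are resolved and streams inflated; the gap between the two is exactly why tools such as Didier Stevens' pdfid.py and pdf-parser.py normalise names and walk object streams. A keyword hit is a reason to look closer, not a verdict: the dynamic analysis in topics 4 and 5 is what confirms what the document actually does.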


Who Should Attend

Any professional working as a threat hunter, system administrator or digital forensic investigator, and anyone starting out in malware analysis and/or reverse engineering.

Key Learning Objectives

  • Learn how to analyze malicious documents using real, difficult samples.

  • Learn the real tricks used by adversaries.

  • Learn how to defeat anti-forensic tactics such as obfuscated scripts, encoded shellcode, samples packed in multiple stages, and so on.

Prerequisite Knowledge

Windows, Windows administration and programming.

Hardware / Software Requirements

1. Laptop with two guest virtual machines (on VMware or VirtualBox): the first running Windows (7, 8 or 10) with Microsoft Office 2010 or 2016 installed, the second running Ubuntu 18/20 or the newest Kali Linux. Disable any antivirus, including Windows Defender, on the Windows virtual machine. A Windows evaluation version can be downloaded from https://www.microsoft.com/en-us/evalcenter/evaluate-windows
2. Each virtual machine should have 2 GB RAM and the shared folder feature enabled.
3. USB should be working on both virtual machines.
4. (Optional) Install and configure the Malwoverview tool from https://github.com/alexandreborges/malwoverview
5. Students will also need to register for and obtain public API keys from VirusTotal (http://www.virustotal.com), Hybrid-Analysis (https://www.hybrid-analysis.com/), Malshare (https://malshare.com/), URLhaus (https://urlhaus.abuse.ch/), PolySwarm (https://polyswarm.io/), Malpedia, AlienVault OTX (https://otx.alienvault.com/api) and Triage (https://tria.ge/signup).