
LAB EXERCISE-5

MALWARE ANALYSIS

Analysing malicious Microsoft Office and Adobe PDF documents

1.
Filename: STN.pdf
Malware PDF Source:  Hybrid Analysis 

pdf-parser command

It showed that the document dew.docx will be launched once the PDF is opened.

i. The peepdf.py command is run to examine STNORDER44678.pdf.pdf for risky tags and malformed objects.

It displays the indirect objects and streams of the suspected file. It gives information about the file
properties such as its hash values, file name, size and version, and whether it is already present in
VirusTotal. The file contains 9 objects and 2 streams.

peepdf.py -i starts the interactive mode of the tool. It decodes and analyses the streams found.

object <object_number> gives information about the given object.

The file header PK of stream 8 shows it to be an Office Word document.

Stream 8 is checked against the metadata and file properties using the file
command.
The Word file is unzipped to look for any external relationship to an RTF file.

Now we analyse the transferred packets using the ping command.

The file ptceg doc was downloaded.

The vulnerability in the file is found to be CVE-2018-0802.

2.

File Details

Collected Date: 2017-10-13

Name: Invoice P-Order.pdf
File: PDF document, version 1.5

TrID: 100.0% (.PDF) Adobe Portable Document Format (5000/1)

CRC32: 45424fe0

MD5: 46f6243cb8c323a095d180d6a948ae88

SHA1: 583ce6e477a82068c3ffbb826e19d87f0dc9963e

SHA256: d26a7e67cda125f11270af0a820f6644cf920ed70fd5b166e82757dabb6d1ee0

ImpHash: 00000000000000000000000000000000

ImpFuzzy: 0::

SSDeep: 3072:oTVcG8D6BcA4bJL30WtWBjASxC0vtHOdPK:VG8DhA4bthqFhOdPK

AV Results

ClamAV: OK

Ikarus: Trojan.PDF.Phishing

F-PROT: PDF/Phish.TV

Sophos: Troj/PDFUri-BDZ

eScan: OK

Step 1: The PDFiD tool is used to analyse the header of the PDF file.

The file contains 24 URIs and 63 obj and endobj objects.

Step 2: The URIs in the document are extracted using the PDFStreamDumper tool and the pdf-parser
command.

pdf-parser.py is used to extract the list of URLs from this PDF file.

The PDFStreamDumper tool loads all the objects in the file and displays them in text and
hex format. All the URLs can also be viewed there.
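As an added example, not part of the lab report and not the code of PDFiD or pdf-parser: a small Python script that reproduces the two checks used above, PDFiD-style whole-token keyword counts and /URI extraction, against a constructed sample PDF (the URI host is a placeholder, and the embedded "PK" stream stands in for the Word payload of part 1).

```python
import re

# Constructed sample (not a real malicious file): an /OpenAction that resolves to a
# /URI, a /Link annotation with a second /URI, and an embedded file starting with "PK".
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj
4 0 obj << /S /URI /URI (http://invoice.example.invalid/order) >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://invoice.example.invalid/pay) >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 2 >> stream
PK
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The keywords PDFiD reports; the action/payload ones are the triage signals.
KEYWORDS = (b"obj", b"endobj", b"stream", b"endstream", b"/OpenAction", b"/AA",
            b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile", b"/URI")
ACTION_KEYS = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch", "/EmbeddedFile")

def count_keywords(data: bytes) -> dict:
    """PDFiD-style whole-token counts, so 'obj' does not also count 'endobj'."""
    counts = {}
    for kw in KEYWORDS:
        pat = re.escape(kw) + rb"(?![A-Za-z0-9])"          # token must end here
        if not kw.startswith(b"/"):                          # bare words: no letter before
            pat = rb"(?<![A-Za-z0-9/])" + pat
        counts[kw.decode()] = len(re.findall(pat, data))
    return counts

URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.S)  # /URI followed by a literal string

def extract_uris(data: bytes) -> list:
    """Literal-string /URI targets in document order, de-duplicated (what a pdf-parser
    search would list); objects inside compressed streams need decoding first."""
    found = []
    for m in URI_RE.finditer(data):
        uri = m.group(1).replace(b"\\)", b")").replace(b"\\(", b"(").decode("latin-1")
        if uri not in found:
            found.append(uri)
    return found

def triage(data: bytes) -> dict:
    """Counts, URIs and the auto-run/payload keywords that were present."""
    counts = count_keywords(data)
    return {"counts": counts, "uris": extract_uris(data),
            "suspicious": [k for k in ACTION_KEYS if counts[k]]}
```

Run `triage(SAMPLE_PDF)` to get the keyword counts, the two extracted URIs and the flagged /OpenAction and /EmbeddedFile indicators; on a PDF 1.5 file with object streams the counts only become meaningful after the streams are inflated, which is why the lab pairs PDFiD with pdf-parser.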
