WORKSHOP
Analyzing Malicious Word and Excel Documents
November 19th @ 17:00 - 21:00 (GMT +4) // HITB CommSec Track
All
Skill Level
100
CAPACITY
4:00h
Duration
Zoom
DELIVERY
OVERVIEW
Malicious office documents continue to be an effective tool for threat actors to compromise their victims and gain access to an organization’s network. While these documents have been around for a while, malware authors continue to find effective ways of abusing functionality to minimize their detection. This year alone we have seen a resurgence of such techniques through the use of Excel 4 Macros and other creative ways to bypass detection. In this workshop, we will get hands-on with the latest Office-based threats to understand how they work, how to detect them and identify indicators of compromise. You will learn the tools and techniques to extract macros, tackle obfuscation and debug the code. This workshop will take you deep into malicious office documents and the tools required to analyze them so that you can better defend your organization and it’s users.
TOPICS COVERED
- Introduction to Lab VMs
- Discuss Office Documents
- Introduce tools and workflow
Lab: Analyzing an Emotet Dropper
- Identifying obfuscation patterns
- Using the Office IDE for debugging
Lab: Dynamic Analysis
- Dissecting Excel documents
- Working with Excel 4 macros
- Identifying other methods of executing content
Lab: Reversing Excel-based Malware
- Process hollowing
- Other advanced techniques
Lab: Tracing Windows API and Extracting Shellcode
KEY LEARNING OBJECTIVES
- Learn the tools and skills needed to perform analysis on malicious office documents, such as the Office IDE, oledump, olevba, xlmdeobfuscator, sandboxes and more
- Leverage static and dynamic tools to develop a hybrid approach for effectively analyzing malware, defeating obfuscation and identifying important indicators of compromise
- Learn how to leverage network traffic to gain a deeper understanding of malware behavior
SPEAKERS
Josh Stroschien
Josh is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is an accomplished trainer, providing training in the aforementioned subject areas at BlackHat, DerbyCon, Toorcon, Hack-In-The-Box, Suricon, and other public and private venues.
Josh is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis and reverse engineering, He is also the Director of Training for OISF, an author on Pluralsight, and a threat researcher for Bromium/HP.
