Malicious Document Analysis
2-Day Training | Virtual | 21-23 November 2021

This course explains, through practical and real examples, how to analyze malicious documents, which are the main malware infection vector today and, contrary to common intuition, can be very hard to analyze. During the class, students will learn how to perform static and dynamic analysis of different types of documents such as pdf, doc/docx, xls/xlsx, rtf, msi, and so on, in which adversaries use many anti-forensic tricks such as obfuscated shellcode, embedded documents, obfuscated scripts, and many other tactics.
Alexandre Borges, Reverse Engineer, Exploit Developer and Programmer, Blackstorm Security

Available seats: TBA
Difficulty: Intermediate
Price: US$ 2,299
Attend in-person: TBA
Attend online: via livestream
Date: 21-23 November 2021
Time: 09:00 to 17:00 GST/GMT+4
To be announced


The class (almost 100% practical) is focused on and guided by practical examples, in which the instructor analyzes real malicious documents in real time while students follow along at the same time.

The course consists of the following topics:

1. Introduction
2. Creating a lab and fundamental concepts
3. Analyzing Malicious PDF Documents
4. Analyzing Malicious MS Office Documents
5. Analyzing Malicious MS Office Documents – Dynamic Analysis
6. Miscellaneous

Students will analyze, in real time, several document files (and files in other formats) for two days, which makes this course an almost 100% hands-on course!

Basically, any professional working as a threat hunter, system administrator, or digital forensic investigator, as well as beginners in malware analysis and/or reverse engineering.

Windows, Windows administration, and programming.

In the last few years, malicious documents have been the main malware infection vector in 70% of incidents, so they have become the main weapon for spreading malware and launching attacks against companies and governments around the world.

Contrary to common perception, this kind of artifact can be complicated to analyze because it usually tries to evade detection and makes analysis harder through techniques such as obfuscation, shellcoding and other tricks to evade sandbox detection; its common use is to download binaries from the Internet to proceed with the infection chain. Understanding how to analyze these documents and learning their goals is important for tracing how criminals could try to compromise a company's defenses.

  • Learn the mechanics of malicious document analysis using real and difficult malicious samples.
  • Learn real tricks used by adversaries.
  • Learn how to defeat anti-forensic tactics such as obfuscated scripts, encoded shellcode, malware samples using multiple packing stages and so on.

  1. Laptop with two guest virtual machines (on VMware or VirtualBox): the first one Windows (7, 8 or 10, with Microsoft Office 2010 or 2016 installed) and the second one Ubuntu 18/20 or Kali Linux (newest version). Disable any kind of antivirus or Windows Defender on the Windows virtual machine. A Windows evaluation version can be downloaded here:
     https://www.microsoft.com/en-us/evalcenter/evaluate-windows
  2. Each virtual machine should have 2 GB RAM, with the shared folder feature enabled.
  3. USB should be working on both virtual machines.
  4. (Optional) Install and configure the Malwoverview tool from https://github.com/alexandreborges/malwoverview
  5. Additionally, students will need to register and obtain public API keys offered by:
     - Virus Total (http://www.virustotal.com)
     - Hybrid-Analysis (https://www.hybrid-analysis.com/)
     - Malshare (https://malshare.com/)
     - URLHaus (https://urlhaus.abuse.ch/)
     - Polyswarm (https://polyswarm.io/)
     - Malpedia, Alien Vault (https://otx.alienvault.com/api)
     - Triage (https://tria.ge/signup)

Agenda

Introduction (slides)

This very short section presents the motivation for learning malicious document analysis. A real fact (provided by Kaspersky in 2019 and 2020) is that about 70% of malware compromise cases have occurred due to the use of malicious documents as a vector.

* There is no hands-on lab in this section.

22-23 November 2021
Creating a lab and fundamental concepts (slides + hands-on)

This section explains and shows how to create a suitable lab for experimenting with malicious documents. Additionally, the internal structure of a PDF file is explained to help students in their analysis.

* There is no hands-on lab in this section.

22-23 November 2021
Analyzing Malicious PDF documents (completely practical)

This section presents several real PDF documents to be analyzed in real time by the instructor and students. These malicious PDF documents use several tricks such as embedded shellcode, embedded obfuscated scripts, embedded malicious Microsoft Office documents, hidden executables, encoding and so on.

* This is a completely practical (hands-on) section, in which the instructor presents the malicious documents and solves them step by step together with the students. Additionally, a few exercises are proposed to be solved by students on their own.

22-23 November 2021
Analyzing Malicious MS Office Documents (completely practical)

This section presents several real malicious Microsoft Office documents to be analyzed in real time by the instructor and students. Different formats are covered, such as doc/docx, xls/xlsx, ppt/pptx and rtf documents.

In these malicious samples, adversaries use different tricks such as VBA and JavaScript obfuscation, encoding and packing in multiple stages.

* This is a completely practical (hands-on) section, in which the instructor presents the malicious documents and solves them step by step together with the students. Additionally, a few exercises are proposed to be solved by students on their own.

22-23 November 2021
Analyzing Malicious MS Office Documents – Dynamic Analysis (completely practical)

This section presents several real malicious Microsoft Office documents to be analyzed in real time by the instructor and students using a dynamic approach. Different formats are covered, such as doc/docx, xls/xlsx and so on. In these malicious samples, adversaries use different tricks such as VBA and JavaScript obfuscation, encoding, password locking and packing in multiple stages.

* This is a completely practical (hands-on) section, in which the instructor presents the malicious documents and solves them step by step together with the students. Additionally, a few exercises are proposed to be solved by students on their own.

22-23 November 2021
Miscellaneous (completely practical)

This section consists of a mixed batch of documents to be analyzed by students during the hands-on lab. They will use their newly acquired knowledge to analyze different malicious documents without any kind of hints.

A final note: this course is almost 100% hands-on and offers 35 examples solved in real time by the instructor and students together.

22-23 November 2021

Trainers

Alexandre Borges
Reverse Engineer, Exploit Developer and Programmer, Blackstorm Security

Alexandre Borges is a Security Researcher who has been working daily on Reverse Engineering and Digital Forensic Analysis for many years. He has taught training courses on Malware and Memory Analysis, Digital Forensic Analysis, and Mobile Reversing and Forensics around the world. Furthermore, Alexandre is the creator and maintainer of the Malwoverview triage tool: https://github.com/alexandreborges/malwoverview.

Alexandre has spoken at several conferences such as DEF CON USA (2019 and 2018), DEF CON CHINA (2019), SANS 2020, NO HAT Conference 2019 (Bergamo / Italy), DC2711 Conference 2019 (Johannesburg), Confidence Conference 2019, HITB 2019 Amsterdam, H2HC Conference (2015/2016), BSIDES Sao Paulo (2019/2018/2017/2016), DevOpsDays BH 2019 and BHACK Conference (2019 and 2018).

Other courses you might be interested in

x86-64 All You Can Learn Buffet!
US$ 4,299

This class is run a little differently from most classes. We provide you purpose-built recorded lectures instead of trapping you in real time with live lectures. But fear not, the instructor is always right there eagerly waiting to mingle with the students and answer any questions you have. (The instructor really likes being asked questions. It shows you're paying attention ;)). One of many benefits is that you can watch lectures at 2x speed and zoom ahead of the other students and get to the hands-on labs quicker. Or if there are bits of material you already know, you can just skip them and move on to the bits you don't know! Another big benefit is that you get to take the full lectures and labs with you! That means if you forget stuff and then need it in 6 months, you can quickly re-bootstrap yourself! Or you can watch the class twice, to really grow those neural connections and cement it in your brain! And unlike live lectures, our lectures are always getting more factually accurate, by having any accidental errors edited out.


x86-64 Reset Vector Firmware (4-Day Training, Hybrid)
US$ 2,299

This class is designed to give you all the background you need to understand how x86-64 reset vector firmware works, and what the most common security misconfigurations are. It will prepare you to be able to read and understand the existing attack and defense research in the space, taking an explicit walk through the attack and defense moves and counter-moves threat tree. And as always, this class teaches you to be comfortable with Reading The Fun Manual (RTFM!) to go seek out the most accurate details of how things work, and to seek out new problems in new areas that no one has read yet with a security mindset.

You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email info@cyberweek.ae

x86-64 OS Internals (2-Day Training, Hybrid)
US$ 2,299

This class teaches you about the fundamental hardware mechanisms which all operating systems, virtualization systems, and firmware *must* interact with in order to run successfully on x86 hardware. This is taught in a *mostly* OS-agnostic way, focusing on Intel-isms rather than OS-isms (albeit using Windows as reinforcement, thanks to its excellent kernel-level debugging support). This class also teaches you to be comfortable with Reading The Fun Manual (RTFM!) to give you self-sufficiency when seeking out the most accurate details of how things work.

You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email info@cyberweek.ae

x86-64 Assembly (2-Day Training, Hybrid)
US$ 2,299

This class teaches you how to disassemble binaries, read x86-64 assembly language, and debug black-box binaries in WinDbg and GDB. This knowledge of assembly is the fundamental skill which is required to learn reverse engineering and vulnerability exploitation. Reverse engineering is in turn a fundamental skill which is required for malware analysis and vulnerability hunting.

You can also opt to attend this class on 23 & 24 Nov instead. To do so, just email info@cyberweek.ae