Product Description
The access to this course is restricted to eForensics Premium or IT Pack Premium Subscription
Word documents, PDFs, photos, and other types of files that are infected with malware endanger the security of your system every day and cause more computers to be infected. By taking this training course, you will learn how to identify and eliminate the malware that hides inside and tampers with your files.
Course duration: 14 hours (14 CPE points awarded on course completion)
Course is pre-recorded, self-paced
What will you learn?
- Gain knowledge of malware and cyber attacks
- MS Office and PDF document structure
- Related malware analysis terminologies
- Performing static analysis
- Performing dynamic and runtime analysis
- Conduct a deep analysis of malicious documents to uncover their behavior and their command and control servers
What skills will you gain?
- How to analyze malware, with a strong focus on suspicious documents
- Tools: exiftools, oleid, YARA, Malscanner, Offevis, Olevba, ViperMonkey, PDFid, PDFinfo, PDF-parser, AnalyzePDF, PDFExtract, PeePDF, Origami, PDFStreamDumper, Pyew, Malzilla, AntiVM, Anti-sandbox, Crypter, LazyOffice, and others.
What will you need?
- A PC or laptop with a virtualization environment
What should you know before you join?
- Basic knowledge of security
- Basic knowledge and experience of Linux
About your instructor: Ali Abdollahi
I'm Ali Abdollahi. I'm a network and cyber security consultant. I have experience in carrier-grade networks and security technology. I've worked in telecom and enterprise companies to secure and optimize their infrastructure and services. I have also done many projects on penetration testing and malware analysis in other sectors.
Syllabus
Module 1
Topic 1: Introduction to malware
This topic covers the types of malware that are delivered through malicious documents and how they operate. In this module, you will learn what malware is and the different families it comes in. Today it is essential to have deep knowledge of malware and the procedures it follows.
- What is malware?
- Types of malware
- Why are they dangerous?
- Malware history
Exercises:
- Show some real examples of a malware attack using malicious documents
Topic 2: Spreading techniques
In this section, we will talk about the techniques threat actors use to spread their malicious documents.
- Why threat actors use spreading techniques
- Deep analysis on spreading techniques
- Social engineering
- Using worms
- Mass email campaign
- Real world scenario
Exercises:
- Show some real examples of threat actors using spreading techniques
- Related exploits for spreading techniques
- Related social engineering example
Topic 3: Attack scenarios
In this section, we will talk about the scenarios that threat actors use to infect victims with malicious documents. A core part of detection and threat hunting is knowing these scenarios and the cyber-attack kill chain.
- Importance of documents for threat actors
- General malware attack scenarios
- MS Office Attack purpose
- MS Office Attack scenario
- MS Office Attack vectors
Exercises:
- Show real examples of criminal operations by threat actors using malicious documents
Topic 4: Indicators of Compromise (IoC) and YARA
IoCs are critical artifacts that a malware analyst extracts from an analysis. In this section, we will cover all the basics of IoCs and show some examples. After that, as the primary tool for applying and developing IoCs, we will cover all the necessary topics related to YARA.
- What is an IoC and how is it used?
- Review some malware IoCs
- YARA Fundamentals
- How YARA uses IoC
- YARA rules examples
- YARA procedures and functionalities
Exercises:
- Learn the importance of IoCs for malware hunters
- Analyze some malicious documents with YARA
- YARA rules development for malicious document detection
Topic 5: MS Office structure
In this section, we will talk about Microsoft Office document architecture, components, features and functionality. As a malware hunter, it's necessary to have deep knowledge of Office document structure and procedures. A good understanding of Office documents will clear your path through this course and its challenges.
- General architecture of MS Office documents
- Analyzing structures
- Deep dive on storage formats
- VBA functions and how they work
Topic 6: MS Office static analysis
In this section, we will talk about static analysis procedures, tools and tricks.
- Deep dive on source code
- Go through document strings
- Examining metadata via exiftool
- Extracting VBA code and macros via oletools
Exercises:
- Static analysis of a malicious Office document
Topic 7: MS Office dynamic analysis
In this section, we will talk about dynamic analysis procedures, tools and tricks.
- Sandboxing
- Setting up a fake internet connection
- Detecting the malicious behaviors
- Tricking macros via a VBA emulation engine
- Network-based analysis
- Detecting C2 server
- Using online resources
Exercises:
- Dynamic analysis of a malicious Office document
Module 2
Topic 8: PDF document structure
In this section, we will talk about PDF document architecture, components, features and functionality. As a malware hunter, it's necessary to have deep knowledge of PDF document structure and procedures. A good view of PDF documents will clear your path through this course and its challenges.
- General architecture of PDF documents
- PDF keywords
- PDF objects
- PDF data
- Malicious JavaScript
Topic 9: PDF document static analysis
In this section, we will talk about static analysis procedures, tools and tricks.
- Extracting PDF objects via pdfid
- Parsing a PDF file via pdf-parser
- Examining metadata via exiftool
- Extracting suspicious code and scripts
Exercises:
- Static analysis of malicious PDF documents
Topic 10: PDF document dynamic analysis
In this section, we will talk about dynamic analysis procedures, tools and tricks.
- Regshooting
- Detecting malicious behaviors with a Windows shellcode analyzer and PDF dumper
- Detecting the C2 server and payload
- Using online resources
Exercises:
- Dynamic analysis of malicious PDF documents
Topic 11: Obfuscation
In this section, we will cover the techniques threat actors use to hide their activity and data.
- What is obfuscation?
- Types of obfuscation
- Obfuscation techniques
- Challenges with obfuscation
Exercises:
- In this lab, we will engage with an obfuscated malicious document
Module 3
Topic 12: Other malicious tricks
Time to learn a little about the other tricks that threat actors use to evade malware hunters. If you want to fight threat actors, you should know their tricks. This section will teach you the attackers' tips and tricks and walk you through discovering them.
- Evasion techniques
- Anti-VM
- Anti-Sandbox
- Packing
- Crypter
Exercises:
- Show some real scenarios and defensive solutions
Topic 13: Debugging
In this section, we will cover how to disassemble and dissect a malicious document with several debuggers. As a malware analyst, you must know how to use debuggers to dissect malware. We will first learn the fundamentals and terminology of debuggers, and then jump into finding interesting values in a malicious document.
- Necessity of debuggers in malware hunting
- Debuggers’ benefits for malware analysts
- The key parameters we will gather via debuggers
Exercises:
- Warming up with some well-known debuggers
- Working with a specific debugger for documents
- Use ViperMonkey to extract interesting artifacts, such as URLs, operations and so on
Final exam
The exam has two parts. The first is a written exam on fundamentals and terminology; the second is a realistic malware analyst scenario in which you hunt for IoCs and other useful information in a malicious document and write a report.
Course format:
- The course is self-paced: you can visit the training whenever you want and your content will be there.
- Once you’re in, you keep access forever, even when you finish the course.
- There are no deadlines, except for the ones you set for yourself.
- We designed the course so that a diligent student will need about 12 hours of work to complete the training.
- The course contains video and text materials, accompanied by practical labs and exercises.
Contact:
If you have any questions, please contact us at [email protected].
Zoltar –
A great course!
RANJITHA R –
The tutor has given a detailed picture of the analyzing malicious documents. Thanks.