Analyzing malicious documents (W32)


$149.00


Product Description

Access to this course is restricted to eForensics Premium or IT Pack Premium subscribers.


Word documents, PDFs, images and other file types carrying malicious code endanger your systems every day and are a leading way for infections to spread. In this training course you will learn how to identify and analyze the malware that hides inside such documents.


Course duration: 14 hours (14 CPE points awarded on course completion) 

Course is pre-recorded, self-paced


What will you learn?

  • Gain knowledge of malware and cyber attacks
  • MS Office and PDF document structure
  • Related malware analysis terminologies
  • Performing static analysis
  • Performing dynamic and runtime analysis
  • Conduct a deep analysis of malicious documents to uncover their behavior and their command-and-control (C2) servers

What skills will you gain?

  • How to analyze malware, with strong focus on suspicious documents
  • Tools: exiftool, oleid, YARA, Malscanner, OffVis, olevba, ViperMonkey, pdfid, pdfinfo, pdf-parser, AnalyzePDF, PDFExtract, peepdf, Origami, PDFStreamDumper, Pyew, Malzilla, and others; techniques covered include anti-VM, anti-sandbox, crypters and LazyOffice.

What will you need?

  • A PC or laptop with virtualization environment

What should you know before you join?

  • Basic knowledge of security
  • Basic knowledge and experience of Linux


About your instructor: Ali Abdollahi

 

I'm Ali Abdollahi. I'm a network and cyber security consultant. I have experience in carrier-grade networks and security technology. I've worked in telecom and enterprise companies to secure and optimize their infrastructure and services. I have also done many projects on penetration testing and malware analysis in other sectors.

 

 


Syllabus


Module 1


Topic 1: Introduction to malware

This module covers the types of malware delivered through malicious documents and how they operate. You will learn what malware is, how the different families are classified, and why a deep understanding of their procedures matters to anyone doing detection or analysis today.

  • What is malware?
  • Types of malware
  • How are they dangerous?
  • Malware history

Exercises:

  • Show some real examples of a malware attack using malicious documents

Topic 2: Spreading techniques

In this section, we will talk about threat actors’ techniques to spread their malicious documents.

  • Why threat actors invest in spreading techniques
  • Deep analysis of spreading techniques
  • Social engineering
  • Using worms
  • Mass email campaign
  • Real world scenario

Exercises:

  • Show some real examples of threat actors using spreading techniques
  • Related exploits for spreading techniques
  • Related social engineering example

Topic 3: Attack scenarios

In this section, we will talk about the scenarios threat actors use to infect victims with malicious documents. Effective detection and threat hunting starts with knowing these scenarios and the stages of the cyber-attack kill chain.

  • Importance of documents for threat actors
  • General malware attack scenarios
  • MS Office Attack purpose
  • MS Office Attack scenario
  • MS Office Attack vectors

Exercises:

  • Show real examples of criminal operations in which threat actors used malicious documents

Topic 4: Indicators of Compromise (IoC) and YARA

IoCs are the critical artifacts a malware analyst extracts from an analysis. In this section, we will cover the basics of IoCs and show some examples. After that, we will cover the necessary topics related to YARA, the primary tool for turning IoCs into detection rules.

  • What is IoC and its usage?
  • Review some malware IoCs
  • YARA Fundamentals
  • How IoCs are expressed as YARA rules
  • YARA rules examples
  • YARA procedures and functionalities

Exercises:

  • We will learn the importance of IoC for malware hunters
  • Analyze some malicious documents with YARA
  • YARA rules development for malicious document detection

Topic 5: MS Office structure

In this section, we will talk about Microsoft Office document architecture, components, features and functionality. As a malware hunter, you need deep knowledge of Office document structure and processing. A good understanding of Office documents will make the rest of this course and its challenges much easier.

  • General architecture of MS Office documents
  • Analyzing structures
  • Deep dive on storage formats
  • VBA functions and how they work

Topic 6: MS Office static analysis

In this section, we will talk about static analysis procedures, tools and tricks.

  • Deep dive into the source code
  • Going through document strings
  • Extracting metadata with exiftool
  • Extracting VBA macros with oletools (olevba)

Exercises:

  • Static analysis on malicious Office document
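The first static step Topics 5 and 6 describe is telling the two Office container formats apart and checking whether a file carries VBA. The following Python is an added example written for this page, not course material or oletools code: it recognises the OLE2/CFB magic of legacy .doc/.xls files versus the ZIP ("PK") container of OOXML files, and for OOXML it looks for the vbaProject.bin part and checks whether the main part's content type is macro-enabled, flagging mismatches with the file extension. The sample documents are constructed in the build_sample_docm helper; the vbaProject.bin stand-in is only a magic header, not a real VBA project.

```python
"""Container-level triage of an Office document (added example, not course material).

Legacy binary Office files (.doc/.xls/.ppt) are OLE2/CFB containers and start with
D0 CF 11 E0 A1 B1 1A E1.  Office 2007+ files (.docx/.docm/...) are ZIP containers
holding OOXML parts; the VBA project lives in its own part, vbaProject.bin, and the
main part's content type says whether the document is macro-enabled.  The sample
files produced by build_sample_docm() are constructed for this example.
"""
import io
import re
import zipfile

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
ZIP_MAGIC = b"PK\x03\x04"
MACRO_ENABLED_CT = "macroEnabled"


def container_type(data: bytes) -> str:
    """Classify the outer container by its magic bytes, not by the extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml-zip"
    return "unknown"


def inspect_ooxml(data: bytes) -> dict:
    """Return macro and content-type facts about an OOXML zip."""
    result = {"has_vba_project": False, "macro_enabled_content_type": False,
              "main_part": None, "parts": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        result["parts"] = names
        result["has_vba_project"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            ct = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # Each Override maps a part to its content type; the main document part's
            # type contains "macroEnabled" for .docm/.xlsm/.pptm files.
            for part, ctype in re.findall(
                    r'<Override\s+PartName="([^"]+)"\s+ContentType="([^"]+)"', ct):
                if ".main+xml" in ctype:
                    result["main_part"] = part
                    result["macro_enabled_content_type"] = MACRO_ENABLED_CT in ctype
    return result


def triage(filename: str, data: bytes) -> list:
    """Produce human-readable findings about a file's container and macro status."""
    findings = []
    kind = container_type(data)
    ext = filename.rsplit(".", 1)[-1].lower()
    if kind == "ole2":
        findings.append("OLE2 container: legacy binary format, macros may be present (check with olevba)")
        if ext in ("docx", "xlsx", "pptx"):
            findings.append(f"extension .{ext} claims OOXML but bytes are OLE2: extension spoofing")
    elif kind == "ooxml-zip":
        info = inspect_ooxml(data)
        if info["has_vba_project"]:
            findings.append("vbaProject.bin present: document carries VBA macros")
            if not info["macro_enabled_content_type"]:
                findings.append("macros present but main part is not a macroEnabled content type: mismatch worth investigating")
        if ext in ("docx", "xlsx", "pptx") and (info["has_vba_project"] or info["macro_enabled_content_type"]):
            findings.append(f"extension .{ext} hides macro-enabled content")
    else:
        findings.append("not an Office container (could be RTF, MHTML or a non-document)")
    return findings


def build_sample_docm(macro: bool, main_ct_macro: bool) -> bytes:
    """Construct a minimal OOXML zip for this example (not a real Word file)."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if main_ct_macro
               else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
           if macro else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body
        if macro:
            # Stand-in for the real OLE2 VBA project: just the CFB magic plus padding.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("invoice.docx", build_sample_docm(True, True)),
                       ("report.docx", build_sample_docm(False, False)),
                       ("old.docx", OLE2_MAGIC + b"\x00" * 504)):
        print(name, container_type(blob), triage(name, blob))
```

The point of checking magic bytes first is that the extension is attacker-controlled: a macro-enabled document renamed to .docx, or a legacy OLE2 file with an OOXML extension, is a common lure. On a real sample, follow a positive result with olevba to dump and inspect the macro source.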

Topic 7: MS Office dynamic analysis

In this section, we will talk about dynamic analysis procedures, tools and tricks.

  • Sandboxing
  • Setting up a fake internet connection
  • Detecting the malicious behaviors
  • Tricking macros into revealing their behavior with a VBA emulation engine
  • Network-based analysis
  • Detecting C2 server
  • Use some online resources

Exercises:

  • Dynamic analysis on malicious Office document

Module 2 


Topic 8: PDF document structure

In this section, we will talk about PDF document architecture, components, features and functionality. As a malware hunter, you need deep knowledge of PDF document structure and processing. A good understanding of PDF documents will make the rest of this course and its challenges much easier.

  • General architecture of PDF documents
  • PDF keywords
  • PDF objects
  • PDF data
  • Malicious Javascript

Topic 9: PDF document static analysis

In this section, we will talk about static analysis procedures, tools and tricks.

  • Triaging suspicious PDF keywords with pdfid
  • Parsing PDF objects with pdf-parser
  • Extracting metadata with exiftool
  • Extracting suspicious code and scripts

Exercises:

  • Static analysis on malicious PDF documents
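Topics 8 and 9 turn on the PDF keywords that signal active content (/JS, /JavaScript, /OpenAction, /AA, /Launch and so on) and on the fact that a keyword-level triage tool must undo the name obfuscation Topic 11 describes: the PDF syntax lets any byte in a name be written as a #xx hex escape, so /JavaScript can appear as /J#61vaScript and defeat a plain grep. The Python below is an added example written for this page, not course material or Didier Stevens' pdfid: it normalises escaped names, counts the triage keywords, and reports the combinations an analyst cares about. The sample PDF bytes are constructed for the example, and the KEYWORDS list is this example's choice, not a standard.

```python
"""pdfid-style keyword triage with name de-obfuscation (added example, not course material).

PDF names may encode any character as #xx (ISO 32000-1, 7.3.5), so /J#61vaScript
is the same name as /JavaScript.  Counting keywords only after decoding escapes
is what keeps this check honest.  SAMPLE_PDF is constructed for this example.
"""
import re

# Triage keywords counted here (this example's choice): structure first, then the
# ones that usually mean active content or an exploit in a document that should be inert.
KEYWORDS = ("obj", "endobj", "stream", "endstream", "xref", "trailer", "startxref",
            "/Page", "/Encrypt", "/ObjStm", "/JS", "/JavaScript", "/AA", "/OpenAction",
            "/AcroForm", "/JBIG2Decode", "/RichMedia", "/Launch", "/EmbeddedFile", "/XFA")
SUSPICIOUS = ("/JS", "/JavaScript", "/AA", "/OpenAction", "/Launch", "/EmbeddedFile",
              "/RichMedia", "/XFA", "/JBIG2Decode")

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name token: '/' followed by anything up to whitespace or a PDF delimiter.
_NAME = re.compile(rb"/[^\s/\[\]<>(){}%]*")


def unescape_names(data: bytes) -> tuple:
    """Decode #xx escapes inside name tokens; return (normalised data, escaped-name count)."""
    escaped = 0

    def fix(match):
        nonlocal escaped
        name = match.group(0)
        if b"#" in name:
            escaped += 1
            name = _HEX_ESCAPE.sub(lambda h: bytes([int(h.group(1), 16)]), name)
        return name

    return _NAME.sub(fix, data), escaped


def count_keywords(data: bytes) -> dict:
    """Count each triage keyword as a whole token, after de-obfuscating names."""
    normalised, escaped = unescape_names(data)
    counts = {}
    for kw in KEYWORDS:
        # Whole-token match: '/Page' must not count '/Pages', 'obj' must not count 'endobj'.
        pat = re.escape(kw.encode()) + rb"(?![A-Za-z0-9])"
        if not kw.startswith("/"):
            pat = rb"(?<![A-Za-z0-9])" + pat
        counts[kw] = len(re.findall(pat, normalised))
    counts["obfuscated_names"] = escaped
    return counts


def triage(data: bytes) -> list:
    """Turn raw counts into the findings an analyst would act on."""
    c = count_keywords(data)
    findings = []
    if c["obfuscated_names"]:
        findings.append(f"{c['obfuscated_names']} name(s) use #xx hex escapes (keyword hiding)")
    if (c["/JS"] or c["/JavaScript"]) and (c["/OpenAction"] or c["/AA"]):
        findings.append("JavaScript wired to an automatic action (runs on open)")
    for kw in SUSPICIOUS:
        if c[kw]:
            findings.append(f"{kw} present x{c[kw]}")
    if c["obj"] != c["endobj"]:
        findings.append(f"obj/endobj mismatch ({c['obj']}/{c['endobj']}): truncated or malformed file")
    return findings


# Constructed sample: a one-page PDF whose catalog opens a JavaScript action, with the
# /JavaScript and /JS names hex-escaped so a naive search for b"/JavaScript" misses them.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /J#53 (app.alert('constructed sample');) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print("naive grep finds /JavaScript:", b"/JavaScript" in SAMPLE_PDF)
    for line in triage(SAMPLE_PDF):
        print(" -", line)
```

Once triage points at an object, the next step in Topic 9 is pdf-parser to dump that object's dictionary and decoded stream; keyword counting only tells you where to look, not what the script does.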

Topic 10: PDF document dynamic analysis

In this section, we will talk about dynamic analysis procedures, tools and tricks.

  • Registry snapshot comparison (Regshot) before and after opening the document
  • Detecting malicious behavior with a Windows shellcode analyzer and a PDF stream dumper
  • Detect C2 server and payload
  • Use some online resources

Exercises:

  • Dynamic analysis on malicious PDF documents

Topic 11: Obfuscation

In this section, we will cover threat actor techniques to hide their activity and data.

  • What is obfuscation?
  • Types of obfuscation
  • Obfuscation techniques
  • Challenges with obfuscation

Exercises:

  • In this lab, we will engage with an obfuscated malicious document

Module 3 


Topic 12: Other malicious tricks

Time to learn about the other tricks threat actors use to hold off malware hunters. If you want to fight threat actors, you have to know their tricks. This section walks through the attackers' tips and tricks and how to discover them.

  • Evasion techniques
  • Anti-VM
  • Anti-Sandbox
  • Packing
  • Crypter

Exercises:

  • Show some real scenarios and defending solutions

Topic 13: Debugging

In this section, we will cover how to disassemble and dissect a malicious document with debuggers. As a malware analyst, you must know how debuggers work and use them to dissect malware. We will first cover the fundamentals and terminology of debuggers, then move on to recovering interesting values from a malicious document.

  • Necessity of debuggers in malware hunting
  • Debuggers’ benefits for malware analysts
  • Necessary parameters that we will gather via debuggers

Exercises:

  • Warming up with some well-known debuggers
  • Working with a specific debugger for documents
  • Use ViperMonkey to extract indicators such as URLs and the operations a macro performs

Final exam

The exam has two parts. The first is a written exam on fundamentals and terminology; the second is a realistic malware-analyst scenario in which you hunt the IoCs and other useful information in a malicious document and write a report.


Course format: 

  • The course is self-paced – you can visit the training whenever you want and your content will be there.
  • Once you’re in, you keep access forever, even when you finish the course.
  • There are no deadlines, except for the ones you set for yourself.
  • We designed the course so that a diligent student will need about 12 hours of work to complete the training.
  • The course contains video and text materials, accompanied by practical labs and exercises.


Contact:

If you have any questions, please contact us at [email protected].

2 reviews for Analyzing malicious documents (W32)

  1. Zoltar

    A great course!

  2. RANJITHA R

    The tutor has given a detailed picture of analyzing malicious documents. Thanks.


© HAKIN9 MEDIA SP. Z O.O. SP. K. 2023