Overview
Dive deep into the world of malicious documents in this comprehensive conference talk from HITB2018AMS CommSec. Explore the anatomy of attacks leveraging Office documents, learn to analyze macros using oledump and the Office IDE, and master debugging techniques. Uncover macro obfuscation methods and their use of the Windows API, while understanding the social engineering aspects that ensure successful delivery. Examine the use of forms to store secondary content, including embedded executables and shellcode. Discover techniques for staging and executing shellcode, with a focus on process hollowing. Investigate how macros use PowerShell and VBScript, and explore creative ways to deobfuscate code. Learn about code execution without macros and attacks targeting OSX. Gain insights into the prevalence of Office documents in malware distribution attacks and prepare yourself to tackle any malicious document encountered in the wild.
Syllabus
Intro
Social Engineering and MACROS
Basic Concept of Operations
oledump
Office IDE
Debugging
Runtime Analysis
Sometimes Encounter Passwords
Social Engineering abounds
Embedded Content
Obfuscation
Windows API
Shellcode
process hollowing - DEMO
powershell
Taught by
Hack In The Box Security Conference