12 Days of Defense – Day 1: PDF and Office Doc Malware IOC Extraction

In this video I show how to extract a malicious URL from a PDF without opening it, how to spot a weaponized Office document, and a method to quickly de-obfuscate PowerShell. Enjoy!

– REMnux: https://www.remnux.org
– PDF: https://app.any.run/tasks/0bf96bc2-041b-4918-9440-4fce9b160ae7/#
– Macro-enabled doc: https://hybrid-analysis.com/sample/0aee2350aab11b452b864426d7e7f5735b06ed55c09429f0e0ab38015b8771ee?environmentId=100

My SANS Courses:
– SEC450 – Blue Team Fundamentals: https://sans.org/sec450
– MGT551 – Building and Leading Security Operations Centers: https://sans.org/mgt551

PDF Guide to Security Operations: https://www.sans.org/security-resources/posters/cyber-defense/guide-security-operations-260
Blueprint Podcast: https://sans.org/blueprint-podcast
Twitter: https://twitter.com/SecHubb

Is the process the same for all Word, PDF and Excel files? Please help me, thanks.

Raven Bao says:

Can't believe this is free! But the GIAC courses you recommended are too expensive, I have to say.

venu resu says:

Good explanation and valuable info.

Golgothus says:

Thanks for the video!

Definitely pretty well made and really enjoyed the content. I'll be looking to see if my team / company will let us get a VM for REMnux or another image which might be useful for analysis. Seems like there are some nice pre-loaded tools ready and available for investigations and analysis.

ayyildizim says:

Thank you so much

Jahid Hasan says:

4:13, Sir, what password did you use to open the file? I just did not understand it properly.

CallmeCaptain says:

Wow. This was a ton of great information. Very entertaining and well explained as well. I want more!

bairam mamedov says:

The BEST channel in the security area.

Mike Donovan says:

Has anyone had any luck downloading the REMnux OVA?

FeliksTrzymalko says:

thank you sir!

Cyber Panther says:

John! I learnt a lot from this session. Thank you so much

yasinaltunterim says:

thank you very much.

3r1ck 4r14s says:

Thanks for sharing your knowledge.

Roger Gomis says:

I just discovered this channel and… WOW it is gold. Nice info mate!

Зурабыч says:

Magnificent work, thank you very much for this.
Please keep up the good work!

ThainetD says:

Great video, I will share it on my channel. Please keep up the good work.

JurassicHog says:

Great content. SANS is always my favorite for learning about security.

Muhammad Shafique Khuram says:

Thanks for sharing the knowledge. I hope you will keep posting more series.

Rick Mercado says:

Thanks a lot. <3

Sreedeep cv says:

Great video, nice explanation.

Mohamed Saidani says:

Thanks a lot, Mr. Hubbard, for this new kind of "free training". Keep it up!