12 Days of Defense – Day 1: PDF and Office Doc Malware IOC Extraction
In this video I show how to extract a malicious URL from a PDF without opening it, how to spot a weaponized Office document, and a method to quickly de-obfuscate PowerShell. Enjoy!
Links:
- REMnux: https://www.remnux.org
- PDF: https://app.any.run/tasks/0bf96bc2-041b-4918-9440-4fce9b160ae7/#
- Macro-enabled doc: https://hybrid-analysis.com/sample/0aee2350aab11b452b864426d7e7f5735b06ed55c09429f0e0ab38015b8771ee?environmentId=100
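As an added example, not code from the video or any tool it mentions, this is the kind of static check the first part of the video describes: pulling /URI targets and risky dictionary keys out of a PDF's raw bytes without rendering it, including objects tucked inside FlateDecode streams, which a plain grep over the file misses. The function names and the sample PDF (with its `*.example` URLs) are constructed for this snippet.

```python
import re
import zlib

# Keys that warrant a closer look in a PDF (indicators, not proof of malice).
SUSPICIOUS_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch", b"/EmbeddedFile")
URI_RE = re.compile(rb"/URI\s*\((.*?)(?<!\\)\)", re.DOTALL)      # /URI (literal string)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.DOTALL)  # stream bodies

def _unescape(s: bytes) -> str:
    # Handles the common PDF literal-string escapes; octal escapes are left as-is.
    return s.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\").decode("latin-1")

def extract_pdf_iocs(data: bytes) -> dict:
    """Scan raw PDF bytes, plus any FlateDecode stream bodies, without rendering the file."""
    views = [data]
    for m in STREAM_RE.finditer(data):
        d = zlib.decompressobj()  # tolerates trailing whitespace before 'endstream'
        try:
            out = d.decompress(m.group(1))
        except zlib.error:
            continue  # not deflate (image, encrypted or other filter): nothing to inflate
        if d.eof:
            views.append(out)  # objects hidden in compressed object streams become visible
    urls, keys = set(), set()
    for view in views:
        urls.update(_unescape(m.group(1)) for m in URI_RE.finditer(view))
        keys.update(k.decode() for k in SUSPICIOUS_KEYS if k in view)
    return {"urls": sorted(urls), "suspicious_keys": sorted(keys)}

def build_sample_pdf() -> bytes:
    """Constructed sample, not a real malware file: a clear-text link with escaped parentheses,
    a JavaScript /OpenAction, and a second link hidden inside a FlateDecode object stream."""
    hidden = (b"5 0 obj << /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (http://malicious.example/stage2.php) >> >> endobj")
    packed = zlib.compress(hidden)
    parts = [
        b"%PDF-1.7",
        b"1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj",
        b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
        b"/URI (https://benign.example/docs\\(v2\\)) >> >> endobj",
        b"3 0 obj << /Type /ObjStm /Filter /FlateDecode /Length " + str(len(packed)).encode() + b" >>",
        b"stream", packed, b"endstream", b"endobj",
        b"4 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj",
        b"%%EOF",
    ]
    return b"\n".join(parts)

if __name__ == "__main__":
    print(extract_pdf_iocs(build_sample_pdf()))
```

Run it against a real file with `extract_pdf_iocs(open(path, "rb").read())`; a hit on /OpenAction plus /JS or /Launch is the pattern worth triaging first, and any URL found this way can be checked in a sandbox rather than by opening the document.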
===
My SANS Courses:
- SEC450 - Blue Team Fundamentals: https://sans.org/sec450
- MGT551 - Building and Leading Security Operations Centers: https://sans.org/mgt551
PDF Guide to Security Operations: https://www.sans.org/security-resources/posters/cyber-defense/guide-security-operations-260
Blueprint Podcast: https://sans.org/blueprint-podcast
Twitter: https://twitter.com/SecHubb