added pdf forensics and reworked ooxml forensics
parent
5566ae0be4
commit
0cc87fa399
Binary file not shown.
@ -0,0 +1,6 @@
# Javascript Forensics

## Triaging Javascript Files

Use [box-js](https://box.js.org/) to analyze javascript files.
Indicator of Compromises (IoCs) will be found and stored automatically as a result.
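Review bot: the last sentence tells the reader that IoCs are "stored" without saying where, so name the location: box-js writes a `<sample>.results` directory beside the input containing `analysis.log` plus the extracted indicators (`IOC.json`, `urls.json`, `snippets.json`). Also `Indicator of Compromises` should read `Indicators of Compromise`. Since box-js emulates WScript/ActiveX in Node.js rather than sandboxing the script, one sentence saying that the analysis belongs in an isolated analysis VM is worth adding here, as emulation gaps can let a sample touch the real host.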
@ -1,37 +0,0 @@
# oletools & Vmonkey

* Analyze ooxml and ole2 files

* [oletools repo](https://github.com/decalage2/oletools.git)

## Usage

### OLEtools

* Check content of a stream
```sh
oledump.py file.doc -Ss <No. of stream>
oledump.py file.doc -Ss <No. of stream> -v
```
```sh
oledump.py -i file.doc
```
```sh
olevba file.doc
```

### Vipermonkey
* For the lazy ones
```sh
vmonkey file.doc
```

## scdbg
* [scdbg repo](https://github.com/dzzie/SCDBG.git)

## Outlook

* Outlook files like `.msg` can be read and changed to by perl-email-outlook-message via
```sh
msgconvert *.msg
```
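Review bot: this deletes the file wholesale although its content (the `oledump.py`/`olevba`/`vmonkey` commands, the scdbg link and the Outlook `msgconvert` section) reappears in the new OOXML file, so a rename plus edit would keep `git log --follow` history; if the deletion stays, the commit message should state that the content moved. Two things are lost in the move: the `* Analyze ooxml and ole2 files` line, the only statement that these tools cover OLE2 as well as OOXML, and the direct `* [oletools repo](...)` link, which in the new file survives only under the oleid name.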
@ -0,0 +1,70 @@
# Open Office XML Format (OOXML) Forensics

Microsoft OOXML documents like docx, docm, xlsx and pptx consist of a bunch of
XML documents inside a zip file. Malicious content therein could be for example
links, exploits, embedded (hidden) objects or for the most part macros.

## Triage

### File Overview

Take a look at the file composition inside an OOXML zipped file via [decalage's oleid](https://github.com/decalage2/oletools.git) or [Marko Pontello's trid](https://www.mark0.net/soft-trid-e.html).

### Going deeper

Take a look at the header via `olemap`

```sh
olemap file.doc
```

Get the properties of streams in side via `olemeta`

```sh
olemeta.py file.doc
```

Check content inside a stream via `oledump`, especially macros

```sh
oledump.py -M file.doc
oledump.py file.doc -Ss <No. of stream>
oledump.py file.doc -Ss <No. of stream> -v
oledump.py -i file.doc
```

Check VBA scripts and malicious elements inside the document via `olevba`

```sh
olevba file.doc
olevba3 file.doc
```

Check file modification timestamps through `oletimes`

```sh
oletimes file.doc
```

### Vipermonkey VBA Emulation

>ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).

Emulate VBA scripts or macros via [decalage2's Vmonkey](https://github.com/decalage2/ViperMonkey.git)

```sh
vmonkey file.doc -o vmonkey-result.json
```

## scdbg

[scdbg repo](https://github.com/dzzie/SCDBG.git)

## Outlook

Outlook files like `.msg` can be read and changed to by
perl-email-outlook-message via

```sh
msgconvert *.msg
```
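Review bot: the examples do not match the title. Every command runs on `file.doc`, which is the OLE2 (CFB) binary format, while the page is about OOXML zip documents; `olemap`, `olemeta` and `oletimes` parse an OLE2 container, so on a `.docx`/`.docm` they only apply to the extracted `word/vbaProject.bin` (or to OLE objects under `embeddings/`), whereas `oleid`, `olevba` and `oledump.py` open the zip themselves. Either use `file.docm` in the examples or add a sentence saying which tools need the extracted OLE2 part. `oledump.py` is Didier Stevens' tool, not part of oletools, so it deserves its own link next to the oleid one. Wording: the format is named `Office Open XML`, not `Open Office XML`; `in side` should be `inside`; `Marko Pontello` is `Marco Pontello`; and `can be read and changed to by perl-email-outlook-message` should read `can be read and converted with perl-email-outlook-message`. The blocks also mix script names and console entry points (`olemeta.py` vs `olemeta`, `olevba` vs `olevba3`); pick one form so readers on a current oletools install are not sent to a name that may not exist.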
@ -0,0 +1,69 @@
# The PDF File Format

## Structure

The PDF Header contains meta data and starts with

```
%PDF-<version.number>
```

The Body contains objects and a cross-reference table to locate objects inside
the file. An objects start and end looks like the following example

```
1 0 obj
<<
[...]
>>endobj
```

The footer, or trailer, contains the start of the cross-reference table and the
end of file marker

```
trailer
<>
<cross-reference-table>
%%EOF
```

## Multi Media Keywords

PDF format contains properties for multi media in a single document.
An example is given by [zeltser's Analysing Malicious Documents](https://zeltser.com/media/docs/analyzing-malicious-document-files.pdf)

```
/OpenAction and /AA specify the script or action to
run automatically.
/JavaScript, /JS, /AcroForm, and /XFA can specify
JavaScript to run.
/URI accesses a URL, perhaps for phishing.
/SubmitForm and /GoToR can send data to URL.
/ObjStm can hide objects inside an object stream.
/XObject can embed an image for phishing.
Be mindful of obfuscation with hex codes, such as
/JavaScript vs. /J#61vaScript
```

<embed src="./CheatSheets/analyzing-malicious-document-files.pdf" type="application/pdf">

### Triage keywords

To triage keywords use [jesparza's peepdf](https://github.com/jesparza/peepdf)
or [Didie Stevens' PDF
tools](https://blog.didierstevens.com/programs/pdf-tools/) like pdfid.py.
Parsing is done via pdf-parser.py.

```sh
pdf-parser.py --search <keyword> file.pdf
pdf-parser.py --object <objectNo.> file.pdf
```

Peepdf decodes values of an object in interactive mode

```sh
peepdf -i file.pdf
[..]
PPDF> object <No.>
```
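Review bot: the structure section gets the file layout wrong in two places and should be corrected before it is used as a reference. The trailer block lists `trailer`, `<>`, then the cross-reference table, but in a classic PDF the order is the `xref` table, then `trailer` followed by a dictionary `<< /Root ... /Size ... >>` (not `<>`), then `startxref` with the byte offset of that `xref` table, then `%%EOF`; the trailer points at the cross-reference table rather than containing it, and in PDF 1.5+ a cross-reference stream can replace both. The header is only the `%PDF-<version>` line (often followed by a comment line of high-bit bytes); document metadata lives in the body's `/Info` dictionary or an XMP metadata stream, so `contains meta data` is misleading. Smaller points: `endobj` belongs on its own line after `>>`; `Didie Stevens` is `Didier Stevens`; the `<embed src="./CheatSheets/...">` path should match where the binary PDF in this commit was added; and since the page lists `/ObjStm`, a sentence that keywords inside object streams (and in incremental updates, where a file carries several `%%EOF` markers) are only found once `pdf-parser.py` decodes the stream, not by a plain text search, would save readers a false negative.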