Hunting malware in documents (lang: EN)
2020-09-01, 16:00–19:00, Workshops stream

Most of cyber attacks and Advanced persistent threats (APT) set users as target and exploit documents to compromise victim machines. This workshop will give you a deep knowledge about these kind of attacks and you will be able to hunting threat actors used malicious documents.


In recent cyber attacks, scams and frauds social engineering was a key attack vector used by cyber criminals. In most social engineering tricks, threat actor has forced victims to open a document to compromise them. This workshop is unique, because at end of it you will be able to analysis infected documents like MS Office or PDFs and find valuable information like: IP addresses, strings, C2 communications, malware type and etc. This workshop will cover the following topics:

Introduction and scenarios:

  • MS-Office structures
  • PDF structures
  • MS-office Static analysis (Hands-on lab)
  • PDF Static analysis (Hands-on lab)
  • MS-Office Dynamic analysis (Hands-on lab)
  • PDF Dynamic analysis (Hands-on lab)

The workshop is fully hands-on with real scenarios and labs.

Most of practical labs and scenarios will be done by REMNUX linux

You can find exercises (Hands-on Lab) for each chapter as below:

  • “Intro” Show some real examples of a malware attack using malicious documents
  • “Spreading Techniques” Show some real examples of threat actors using spreading techniques Related exploits for spreading techniques Related social engineering examples
  • “Attack scenarios” Show real examples, where threat actors using malicious document
  • “IoC and YARA” We will learn the importance of IoC for malware hunters Analyze some malicious documents with YARA YARA rules development for malicious document detection
  • “Office file static analysis” Static analysis on malicious Office document using exiftool, OLEtools etc.
  • “Office file dynamic analysis” Dynamic analysis on malicious Office document using Sandboxing, FakeDNS, VBA emulation, L3 traffic analysis etc.
  • “PDF file static analysis” Static analysis on malicious PDF documents using pdfid, pdf-parser, exiftool and manual code extraction techniques
  • “PDF file dynamic analysis” Dynamic analysis on malicious PDF documents using Windows Shellcode analyzer, PDF dumper, Regshooting, online resources & etc.
  • “Obfuscated files” Code extraction Code beautifyng C2 server detection
  • “Debugging” Warming up with some well-known debuggers (Windbg) Working with a specific debugger for documents (Lazy office Analyzer) Use Vipermonkey to extract interesting things, like URL, operations and so on.

You can purchase tickets here: https://nonamecon.2event.com/

Ali Abdollahi a cyber security expert with over 8 years of experience working in a variety of security fields. Ali is a full-time consultant helping clients with product security testing, reverse engineering, penetration testing, exploit developing, red-teaming, secure coding, and more, giving him ample opportunity to use his skills in a diversity of ways. In addition, He is instructor, author and board of review at Hakin9 company. Ali is a self-confessed bug hunter, publisher of many vulnerabilities and CVEs. Ali is a regular speaker and trainer at industry conferences like: DefCon (Red Team, AppSec and Aerospace villages), C0C0nXII, OWASP AppSec Days, BSides, TyphoonCon, Texas Cyber Summit, Confidence Con.