
Abstract

Office documents have proven a reliable means of distributing malware. While not a new problem for the industry, they continue to plague the enterprise. In this talk we will discuss how to break apart a malicious document: inspect its macros, identify the use of embedded objects, and examine the social engineering that gets the document opened and its content enabled. We will analyze the details of recent attack trends such as the use of PowerShell, process hollowing and application whitelist bypasses, shellcode, encrypted payloads and embedded content. We will also explore techniques used by malicious documents that do not rely on macros, and even samples targeting OS X. This will be a fast-paced talk that will prepare you to deal with any malicious document.
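Before any macro is read, the first step in breaking a document apart is to establish what the container is and what it carries. The Python script below is an added example, not code from the talk or from oledump; it classifies a file as OLE2 (legacy .doc/.xls) or OOXML (.docx/.docm and friends), then looks for a VBA project, embedded OLE objects and relationships that point outside the document (one of the macro-less delivery paths). The sample documents it triages are constructed in memory and are not real malware; the OLE2 sample is only bytes with the right magic and a UTF-16LE `_VBA_PROJECT` directory name, not a parseable compound file, so for a real sample you would hand the container to oledump or olefile to walk the directory. The host `example.invalid` is a placeholder.

```python
"""Container-level triage of an Office document (added example, not code from the talk)."""
import io
import re
import zipfile

# Magic bytes: OLE2 compound file (legacy .doc/.xls/.ppt) and ZIP (OOXML .docx/.docm/...).
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

# OLE2 directory entries hold stream names as UTF-16LE; a VBA project always has a
# stream literally named _VBA_PROJECT, which makes a cheap first signal (heuristic only).
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")

# OOXML: a macro-enabled content type in [Content_Types].xml, and rels that leave the file.
MACRO_ENABLED_RE = re.compile(rb"vnd\.ms-(?:word|excel|powerpoint)\.\w+\.macroEnabled")
EXTERNAL_REL_RE = re.compile(rb'Target="([^"]+)"[^>]*TargetMode="External"')


def triage(data: bytes) -> dict:
    """Return coarse indicators for one document given as bytes."""
    result = {"container": "unknown", "has_vba": False,
              "embedded_objects": [], "external_targets": []}
    if data.startswith(OLE2_MAGIC):
        result["container"] = "ole2"
        result["has_vba"] = OLE2_VBA_MARKER in data
        return result
    if not data.startswith(ZIP_MAGIC):
        return result
    result["container"] = "ooxml"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        for name in names:
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):          # the VBA project part itself
                result["has_vba"] = True
            elif "/embeddings/" in lower:                  # embedded OLE objects (Packager, etc.)
                result["embedded_objects"].append(name)
            elif lower.endswith(".rels"):                  # relationships pointing outside the file
                for m in EXTERNAL_REL_RE.finditer(zf.read(name)):
                    result["external_targets"].append(m.group(1).decode("utf-8", "replace"))
        if "[Content_Types].xml" in names and MACRO_ENABLED_RE.search(zf.read("[Content_Types].xml")):
            result["has_vba"] = True
    return result


def build_sample_docm() -> bytes:
    """Constructed OOXML sample (not a real malware file): a .docm skeleton with a VBA
    project, one embedded OLE object and a rels entry pointing to an external template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types><Override PartName="/word/document.xml" '
                    'ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>')
        zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 64)
        zf.writestr("word/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 64)
        zf.writestr("word/_rels/settings.xml.rels",
                    '<Relationships><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/attachedTemplate" '
                    'Target="http://example.invalid/template.dotm" TargetMode="External"/></Relationships>')
    return buf.getvalue()


# Constructed OLE2 bytes: correct magic plus a VBA directory name, not a valid compound file.
SAMPLE_OLE2 = OLE2_MAGIC + b"\x00" * 512 + OLE2_VBA_MARKER + b"\x00" * 512

if __name__ == "__main__":
    for label, blob in (("docm", build_sample_docm()), ("ole2", SAMPLE_OLE2), ("pdf", b"%PDF-1.4\n")):
        print(label, triage(blob))
```

Any hit on `has_vba`, `embedded_objects` or `external_targets` is the cue to go deeper with oledump (stream listing, `-s`/`-v` to extract and decompress a macro) rather than a verdict on its own; a benign corporate template also carries a VBA project.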
The following topics will be covered:

Prevalence of Office documents in malware distribution
Anatomy of an attack leveraging a maldoc
Analysing macros with oledump and the Office VBA IDE
Debugging macros
Macro obfuscation (including use of the Windows API)
Social engineering
Use of forms to store secondary content (embedded executables, shellcode)
Staging and executing shellcode, including process hollowing
Macro use of PowerShell
Macro use of VBScript
Creative ways of deobfuscating code
Code execution without macros
Attacking OS X
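The macro obfuscation, PowerShell and deobfuscation topics above share one recurring pattern: the command line is never present as a literal but is assembled at run time from `Chr()` values, `&`-concatenated fragments and `StrReverse()`, and frequently ends in a PowerShell `-EncodedCommand` argument. The script below is an added example, not code from the talk; it folds those three idioms statically, round after round, until the source stops changing, then decodes any `-EncodedCommand` (base64 of UTF-16LE) that surfaces. The macro fragment it runs on is constructed for this example and its base64 decodes to the text "Sample", not to a real command.

```python
"""Static deobfuscation of common VBA string-building idioms (added example, not code from the talk)."""
import base64
import binascii
import re

# A VBA string literal: double quotes, with "" as the escaped quote.
STRING = r'"((?:[^"]|"")*)"'
CHR_RE = re.compile(r"\bChrW?\$?\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
CONCAT_RE = re.compile(STRING + r"\s*[&+]\s*" + STRING)
REVERSE_RE = re.compile(r"\bStrReverse\s*\(\s*" + STRING + r"\s*\)", re.IGNORECASE)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; the usual spellings are listed.
PS_ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def _lit(text: str) -> str:
    """Render Python text as a VBA string literal."""
    return '"' + text.replace('"', '""') + '"'


def _unlit(inner: str) -> str:
    """Turn the inner text of a VBA literal back into Python text."""
    return inner.replace('""', '"')


def deobfuscate(vba: str, max_rounds: int = 50) -> str:
    """Rewrite the source until no Chr/concat/StrReverse pattern is left.

    Each round folds one layer, so nested constructions such as
    StrReverse(Chr(65) & "b") collapse over successive rounds."""
    for _ in range(max_rounds):
        new = CHR_RE.sub(lambda m: _lit(chr(int(m.group(1)))), vba)
        new = CONCAT_RE.sub(lambda m: _lit(_unlit(m.group(1)) + _unlit(m.group(2))), new)
        new = REVERSE_RE.sub(lambda m: _lit(_unlit(m.group(1))[::-1]), new)
        if new == vba:
            break
        vba = new
    return vba


def powershell_encoded_commands(text: str) -> list:
    """Decode every -EncodedCommand argument found in text (base64 of UTF-16LE)."""
    decoded = []
    for m in PS_ENC_RE.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not a real payload (for example a partial match); skip it
    return decoded


# Constructed macro fragment in the style of a downloader stager; not taken from any real sample.
# The base64 decodes to the UTF-16LE text "Sample", not to a real command.
SAMPLE_VBA = '''Sub AutoOpen()
    Dim cmd As String
    cmd = Chr(112) & "ower" & StrReverse("exe.lleh" & "s") & " -nop -w hidden -enc " & Chr(85) & "wBhAG0AcABsAGUA"
    Set sh = CreateObject(Chr(87) & "Script" & "." & StrReverse("llehS"))
    sh.Run cmd, 0
End Sub
'''

if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE_VBA)
    print(cleaned)
    print("encoded commands:", powershell_encoded_commands(cleaned))
```

Static folding like this only reaches values the macro computes from constants; anything built with `Replace`, `Mid`, array lookups or document properties still needs the debugger in the Office IDE (break on the `Run`/`Shell`/`CreateObject` call and read the string there), which is the reason both approaches are on the agenda.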