Training at CanSecWest 2011 : Analysis of malicious documents

Mon 31 January 2011 by guillaume

Jean-Baptiste and Guillaume will give a course about malicious document analysis during the next CanSecWest Dojo session at Vancouver (March 7th/8th).

The course deals with two major cases: PDF and Microsoft Office documents. Nowadays those two file formats have become a common vector to exploit end-user systems. Their respective vendor implementations, namely Adobe Reader and MS Office, are regularly prone to multiple vulnerabilities and antivirus software are merely overtaken by the complexity of these formats. Indeed, they are complex formats.

If you ever want to understand the inner workings of a malicious document, you will have to face that complexity and master the use of the proper tools to save you a lot of time without reinventing the wheel.You will there learn to use the OffVis tool and the Origami framework applied to authentic cases of exploits analysis. OffVis is the official Microsoft Office Visualization Tool, and Origami is a powerful Ruby framework for malicious PDF analysis created by one of the teacher of this course.

How to know if a document is malicious or not? How to extract its payload and analyze it? By the end of the day, you will have:

  • Understood the file formats of MS Office and PDF documents
  • Analyzed real MS Office and PDF exploits in practice

You will find below the detailed agenda for this one-day course.We are waiting for you!

Agenda (one day):

Microsoft Office documents analysis:

  • Description of Office documents file formats
    • Mostly focused on Word
    • Document organization (Office 97/2003, Office 2007/2010)
  • Study of Office macros
  • Detection process of a malicious Office document
    • Presentation of the tools of interest
  • Study of a document's internals: identifying exploits, locating and extracting the payload
  • Analysis of a document source, finding markers to create custom AV signatures
  • Analysis of authentic Office exploits cases

PDF documents analysis:

  • Description of the PDF file format
  • Presentation of PDF documents scripting features and exploitation
  • Study of obfuscation techniques using advanced PDF features
  • Detection process of a malicious PDF document
  • Analysis of a document's internals: locating and extracting the payload with Origami
  • Analysis of authentic PDF exploits cases

Who should attend?:

  • IT security specialists
  • Forensics analysts
  • Individuals interested in this topic


Participants must know how to use a debugger, a disassembler, and a hex editor