TECH TRAINING 2: Practical Malicious Document Analysis


CAPACITY: 20 pax


PRICE:   USD1499 / MYR4999 (early bird)

USD1899 / MYR6199 (normal)

Early bird registration rate ends on the 1st of August


Targeted attacks normally rely on malicious documents to compromise the victim; the buzzword APT, or Advanced Persistent Threat, was coined around this kind of attack. The attacker carefully crafts a malicious document and delivers it to the target through a spear-phishing email or a web page. We have observed many attacks abusing vulnerabilities in HTML, Office, Flash and PDF documents. Because users are less cautious about opening document files, malicious documents have become a very successful attack vector. Office-related documents such as *.doc, *.xls and *.pdf are often combined with malicious Flash or JavaScript content in these attacks, either to obfuscate the payload better or to make exploitation more reliable.

This hands-on workshop highlights techniques and issues related to analyzing malicious document files (Office, Flash and PDF). It walks participants through the analysis of in-the-wild malicious documents, showing how to apply several techniques and methods to the different Office file formats. Shellcode analysis will be covered as well, to give the whole picture of the anatomy of a malicious document attack.

By the end of this course, students will be able to analyze malicious document files, defeat the obfuscation techniques used in them, and extract the payload for further analysis.

Course Outline:

  • Description of the Office file specification
  • Description of the PDF file specification
  • Anatomy of malicious document attacks
  • Dissecting a malicious DOC file used in an in-the-wild attack (case study)
  • Dissecting a malicious Excel file used in an in-the-wild attack (case study)
  • Dissecting a malicious Flash file used in an in-the-wild attack (case study)
  • Analyzing shellcode used inside malicious documents
  • Dissecting malicious PDFs:
    • Study of obfuscation using JavaScript obfuscation techniques
    • Study of obfuscation using PDF syntax obfuscation techniques
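As an added illustration of the "PDF syntax obfuscation" item above (this is example code written for this page, not the course material or the trainer's own tooling), the following Python triage scanner undoes two tricks that defeat a naive keyword grep: hex-escaped names (/J#61vaScript for /JavaScript) and action dictionaries hidden inside a FlateDecode-compressed object stream. The sample PDF it builds is constructed for the example and is not a real in-the-wild file; the list of risky names and the regular expressions are this example's own choices, and the scanner is a first-pass triage aid, not a full PDF parser.

```python
import re
import zlib

# PDF names that drive actions or hide objects; worth a second look in any sample.
# (Selection made for this example, not an exhaustive list.)
RISKY_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
               b"/EmbeddedFile", b"/RichMedia", b"/ObjStm")

NAME_HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx escapes in PDF names, so /J#61vaScript reads as /JavaScript.
    Applied only to dictionary text and decoded streams, never to raw binary stream bytes."""
    return NAME_HEX_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def decode_stream(dict_part: bytes, raw: bytes) -> bytes:
    """Inflate a /FlateDecode stream. decompressobj tolerates trailing garbage and
    truncated data, which malformed in-the-wild samples often have."""
    if b"/FlateDecode" not in dict_part:
        return raw
    d = zlib.decompressobj()
    try:
        return d.decompress(raw) + d.flush()
    except zlib.error:
        return raw


def scan_pdf(data: bytes) -> dict:
    """Map object number -> list of risky names found after de-obfuscation."""
    findings = {}
    for m in OBJ_RE.finditer(data):
        num, body = int(m.group(1)), m.group(3)
        sm = STREAM_RE.search(body)
        dict_part = normalize_names(body[:sm.start()] if sm else body)
        content = dict_part
        if sm:
            content += b"\n" + normalize_names(decode_stream(dict_part, sm.group(1)))
        # Require a non-letter after the name so /JS does not fire on /JSfoo.
        hits = [n.decode() for n in RISKY_NAMES
                if re.search(re.escape(n) + rb"(?![A-Za-z])", content)]
        if hits:
            findings[num] = hits
    return findings


def build_sample() -> bytes:
    """Constructed sample (not a real malicious file): the catalog's /OpenAction points
    at object 5, which is not a top-level object at all but hides inside a compressed
    object stream (object 3); key names are hex-escaped to defeat naive grepping."""
    hidden = b"5 0 << /S /JavaScript /JS (app.alert('constructed sample')) >>"
    comp = zlib.compress(hidden)
    objs = {
        1: b"<< /Type /Catalog /Pages 2 0 R /Open#41ction 5 0 R >>",
        2: b"<< /Type /Pages /Kids [] /Count 0 >>",
        3: (b"<< /Type /Obj#53tm /N 1 /First 4 /Length %d /Filter /Fl#61teDecode >>\n"
            b"stream\n" % len(comp)) + comp + b"\nendstream",
    }
    out = b"%PDF-1.4\n"
    for num, body in objs.items():
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


if __name__ == "__main__":
    for num, hits in sorted(scan_pdf(build_sample()).items()):
        print("obj %d: %s" % (num, ", ".join(hits)))
```

Run as-is it reports object 1 (the /OpenAction trigger) and object 3 (the object stream carrying /JavaScript and /JS), neither of which a plain search for "JavaScript" over the raw file would have found. A real triage pass would also handle the other standard filters (ASCIIHex, ASCII85, LZW, RunLength), filter chains, and cross-reference streams.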

We expect participants to have basic knowledge of exploit structure and of shellcode. A VM training image will be provided for the training.

Pedagogic Methods Used to Teach Material (lecture, hands-on labs, demonstrations, group exercises, etc.):

Lecture, hands-on labs, demonstrations and group exercises will be used.

Who Should Take This Class + Student Requirements, experience/expertise:

Attendees should have an understanding of software development practices. General knowledge of software security and of reverse engineering is recommended but not required. Attendees with no software security background are advised to read some introductory material on malicious document analysis beforehand (Google is a good start).

  • Malware Analyst
  • IT Security Analyst
  • Network Security Analyst
  • Forensic Analyst

Student Requirements, equipment/software students must furnish:

Students should install VirtualBox on a machine with at least 2 GB of RAM so that the VM runs at a reasonable speed.

Location: InterContinental KL
Date: October 13, 2014
Time: 9:00 am - 6:00 pm
Mahmud Ab Rahman