1
00:00:10,720 --> 00:00:11,380
Hello everyone.

2
00:00:11,380 --> 00:00:15,670
Welcome back to another video of Expert Malware Analysis and Reverse Engineering.

3
00:00:15,670 --> 00:00:22,960
Starting from this video we'll start analyzing a bunch of malicious document files. In the previous video,

4
00:00:22,960 --> 00:00:31,090
we looked at some spam emails and we understood how those spam emails can be identified. In the next

5
00:00:31,090 --> 00:00:31,370
step

6
00:00:31,410 --> 00:00:37,140
we try and analyze the malicious attachments that come with those spam emails.

7
00:00:37,290 --> 00:00:42,270
So, to begin with, we understood the file structure of document files, and starting from this video

8
00:00:42,280 --> 00:00:48,940
we'll start dissecting them in much more detail so as to understand how we can uncover malicious macros

9
00:00:48,940 --> 00:00:51,960
or malicious scripts that are hidden in those document files.

10
00:00:53,820 --> 00:01:01,220
So this snapshot is basically the hex representation of a doc file.

11
00:01:01,570 --> 00:01:11,110
So you can basically use any hex editor to open a document file to view the content of the file in hexadecimal

12
00:01:11,110 --> 00:01:11,740
format.

13
00:01:11,740 --> 00:01:18,040
Now if you look at the first few characters, this basically is something that we discussed in the previous

14
00:01:18,040 --> 00:01:23,590
video, where I said that I'll leave this as an exercise for you all to figure out.

15
00:01:23,590 --> 00:01:31,900
So basically the first few bytes represent the magic number of any given file format, and in the doc

16
00:01:31,900 --> 00:01:38,800
file the magic number is

17
00:01:38,830 --> 00:01:41,610
So this was the exercise which I quickly wanted to point out.

18
00:01:41,650 --> 00:01:44,440
You can use any popular hex editor.

19
00:01:44,440 --> 00:01:47,740
There are a bunch of very good free hex editors as well.

20
00:01:47,740 --> 00:01:50,280
My personal favorite is 010 Editor.

21
00:01:50,290 --> 00:01:57,580
It's really powerful and it has a bunch of file analysis templates as well, which makes it very easy

22
00:01:57,580 --> 00:02:06,700
to separate different sections of the file by just marking the locations in the text in the hexadecimal

23
00:02:06,700 --> 00:02:07,420
format.

24
00:02:09,440 --> 00:02:12,450
OK, so what are the tools for analyzing malicious documents?

25
00:02:12,470 --> 00:02:13,960
We'll be covering two of them.

26
00:02:14,000 --> 00:02:17,490
One is oledump and the other one is oletools.

27
00:02:17,960 --> 00:02:19,700
Let's quickly look into oledump.

28
00:02:19,700 --> 00:02:23,870
So it's an OLE file parsing tool by Didier Stevens.

29
00:02:23,990 --> 00:02:28,130
It allows you to analyze data streams and embedded macros.

30
00:02:28,220 --> 00:02:32,740
It supports doc, ppt and xls. You can get more details on the website,

31
00:02:32,750 --> 00:02:34,090
Didier Stevens' website.

32
00:02:34,160 --> 00:02:36,440
That is, the link has been mentioned here.

33
00:02:37,910 --> 00:02:40,280
So setting up oledump is pretty straightforward.

34
00:02:40,280 --> 00:02:45,090
You can download the zip from the official website and you can just run the Python file.

35
00:02:45,230 --> 00:02:48,470
You need to have Python already present on your machine.

36
00:02:48,470 --> 00:02:56,900
You would also require a dependency called OlefileIO, which is a Python library that helps in parsing

37
00:02:56,900 --> 00:03:01,060
OLE compound file formats. The tool is

38
00:03:01,120 --> 00:03:06,710
cross-platform, hence we can use it both on Windows as well as Linux.

39
00:03:06,710 --> 00:03:13,340
For example, we can use it in REMnux as well, which we discussed in the first section, where we talked

40
00:03:13,340 --> 00:03:19,800
about the REMnux distro, which is a single distro for malware analysis.

41
00:03:19,820 --> 00:03:25,550
The good thing is that oledump gets installed with Flare as well.

42
00:03:25,610 --> 00:03:29,580
And we talked about Flare as well when we were setting up the lab.

43
00:03:29,720 --> 00:03:36,200
So if you have followed those steps, you should already have the proper environment set up and ready

44
00:03:36,350 --> 00:03:37,050
for using

45
00:03:37,060 --> 00:03:42,550
oledump. If not, you can obviously follow the steps to have oledump set up on your virtual

46
00:03:42,680 --> 00:03:43,090
machine.

47
00:03:43,130 --> 00:03:43,380
OK.

48
00:03:43,400 --> 00:03:47,430
So let's jump to our virtual machine.

49
00:03:47,720 --> 00:03:49,400
Here is the website

50
00:03:49,400 --> 00:03:51,470
from where you can download oledump.

51
00:03:51,470 --> 00:03:53,790
There is a quick tutorial as well.

52
00:03:53,960 --> 00:03:54,820
It's very helpful.

53
00:03:54,830 --> 00:04:02,640
You can quickly read through it to get an idea of how oledump works. To begin using it,

54
00:04:02,720 --> 00:04:10,570
let's come to our Flare tools folder. Here you'll see a folder called Office.

55
00:04:10,580 --> 00:04:14,260
If you go inside it you'll see that there is already oledump present here.

56
00:04:15,130 --> 00:04:23,260
There are a bunch of different tools here; we'll predominantly be using oledump.py. My analysis

57
00:04:23,260 --> 00:04:29,110
files are present in a folder called course files here.

58
00:04:29,110 --> 00:04:31,960
I have payment.doc and statement.docx.

59
00:04:31,960 --> 00:04:34,930
These are the two files that we'll be analyzing now.