My name is Felipe Pires and today we're going to talk about malware hunting, discovering techniques in malware, no, malware in malicious PDFs, right? So this is my contact on Twitter, @FlipPiris. My contacts and social media you can find on my web page. You can find there some talks that I gave at some events, in English, Spanish and Portuguese. My GitHub is Felipe86, and my LinkedIn, so if you'd like to exchange something with me or send some questions, I'm generally available, right? So let me introduce myself. I'm a security researcher at Saporo. Saporo is a company from Switzerland and I'm responsible for creating attack modules for this company, actually for the product of this company: I create the design of the attack and send it to the developer team, and this team puts it in our product, right? I'm the founder of Black and White Technology; it's my own company. I'm an advisor and the CEO of this company; it's a consulting company responsible for providing services, consulting services actually, for PAM, privileged access management, SOC, security operations center, malware analysis and tests, and so on and so on. I'm a developer advocate in different projects. The first is Hacking Is Not a Crime, very well known in the U.S., and not only the U.S. but in Europe, and I'm an advocate of this project. The idea behind this project is to talk more about this concept called hacking and how important it is to spread the message to many people, because the idea is that hacking is how you can use your creative mind to help organizations, to help companies protect their solutions, their organization, their product, and not only that, but using your creative mind to be a hacker is a lifestyle, right? So how you can use your creative mind in your life, okay? Not how the TV or the newspapers use this word, for a bad guy, right?
So that's the idea behind this project. And I'm an advocate of senhasegura. senhasegura is a global company from Brazil, by the way, responsible for providing different solutions for PAM, privileged access management, and different authentication processes actually. And I'm an ambassador of the ISNIC open source project, right? So this is a solution to protect the company, actually producing a SAST solution, static analysis of code for the developer process actually, and not only that but SCA, software composition analysis, looking at the libraries inside the code, and I'm an ambassador of this project, right? And I'm an instructor, writer and reviewer at three magazines in Europe: Pentest Magazine, Hakin9 and eForensics. And by the way, I am the instructor of a specific course about the malware attack kill chain in Pentest Magazine. So if you'd like to know more about that, you can send them a message, right? So this is some information about me, and before talking more about technical stuff, it's important to put all those people on the same page. First of all, I would like to give a simple explanation of what a threat is. According to this ISO, it is defined as a potential cause of an incident that may cause harm to the system and organization. But what does that mean, Felipe? Basically, maybe it is a software attack, or a specific exploitation, an attack on software. Another kind is theft of intellectual property. So if you produce some code or some product, or if you have some intellectual property, and some attacker or threat actor tries to take this intellectual property, it is a threat. Another is identity theft. So, for example, if you have an organization and some user has a specific authentication process or identity to authenticate something, it's something about the theft of this specific identity. It's a kind of threat. Sabotage.
It's another part of this threat, because if someone talks about your organization on Twitter or other social media, for example, trying, you know, to do some damage to the image of your company, it's a kind of sabotage; it is a threat. Okay, and information distortion. These are examples of information security threats. It's just a simple definition. Why is it important to understand that? Because we are talking today about malware and how you need to look at it and how you can look at it at a deeper level. So malware is basically an acronym for malicious software. So it's a potential threat. Because of that, it's important to clarify what a threat is. Not Felipe's definition, the definition from this ISO. Okay, so let's talk about this simple flow of malware analysis. Okay, so first of all, we have a possible threat, or artifact, or sample. This is the first step: identification, right. So as you can see here, we have a malware, it's an acronym of malicious software, or a maldoc, malicious document. Right. So remember, you receive a specific artifact or sample to analyze. So you need to understand if it is malware or it's a maldoc. It depends on the binary or the extension, not only that, but many other points that you need to analyze. After that, you need to choose the best methodology to use when you analyze something: you can use static analysis and dynamic analysis, two different approaches. Okay, so my recommendation to you when you perform something like this: it's important that you write down, you know, all the steps you take when you analyze. For example, you have received this artifact; you need to register all those steps, because when you do that, you can understand the steps of the possible attack. And not only that, but you can produce something like a report.
And this report you can present, for example, to your manager, your coordinator, your tech lead, or you can produce an article, for example, about your studies; it's another interesting point. And not only that, but you can help your organization, your company, to improve the defense mechanisms, because when you understand what kind of technique is used by the attacker, you can understand what kind of technique this threat actor or this attacker uses to bypass the security sensors in your organization, like a firewall, like IPS, like IDS, like a possible sandbox or other tools that you have in your environment, antivirus, EDR. So you can understand the technique used by the attacker to bypass those solutions, and not only that, but you can suggest improvements for your defense mechanisms, and you can create this good word called CTI, cyber threat intelligence. You can build it in your organization. I know that it's not too easy to create this if you are a small company, but nowadays we have many tools to help you with this information. Like, for example, MISP, it's a sharing platform that you can use, an open source product by the way, using, for example, Elasticsearch to correlate the logs or other things like this, so you can create this intelligence in your organization. And you need to be strengthening cyber resilience. You need to have this resilience because the threats are changing all the time, so we need to calculate it; of course, it's difficult. Probably you can use some tools to help you calculate the resistance against the threats in your environment. But remember, this is a defensive approach; to understand how, you can use the offensive mindset. Okay, so this is the simple flow used in our analysis, in our studies. So remember, this is the first step, static analysis and dynamic analysis.
Probably you already heard about that, but if you are new here, it's important that you understand the difference. So, simply, what is static analysis? When you talk about malware analysis, it is usually the first step used in malware studies. Why? Because static analysis describes the process of analyzing the program code. It means that you will look more deeply at the structure of this specific code. When you receive the binary, we need to look more deeply at that, or you can find a specific function, the data that is imported from the DLLs used in this attack, or what kind of DLL this specific binary uses in your operating system to execute this attack in this specific environment. So the program itself doesn't run at this time. Because of that, it's safer when you analyze, because you're looking at the behavior, not the behavior, but you're looking at the code, the program code. So maybe you are thinking about reverse engineering, or where is the reverse engineering here, Felipe? Basically, reverse engineering, if you are new here again, is a technique that you can use inside static analysis. Not only that, but you can use it in dynamic analysis. And I will explain the difference between static and dynamic, but it's important to understand. Before looking deeply at reverse engineering, you need to understand those bases, right? So what is static analysis? What is dynamic analysis? How can the tools help you? How does the structure of the binary work? And after that, you can look more at reverse engineering, looking at debuggers, looking at assembly code, and so on and so on, okay? So let's talk about dynamic analysis. This is the second methodology that you can use in malware studies, right?
So dynamic analysis is based on behavior; in this case, basically, it's the interactions that the malware or maldoc has when it's executed in this environment. Basically, it's runtime analysis. Remember, so you have two approaches, no-runtime and runtime analysis. One is static analysis, where you look at the structure of the code, the functions, the DLLs, libraries, and the other is runtime. So you pick up the malware, you put it in a specific environment, a controlled environment, remember that, and it executes itself inside this controlled environment; you will see the behavior, and after that, you will check if it's malicious or not. And by the way, it can be easily automated. And basically, we have a specific concept called a sandbox, that's what it's called, actually. Maybe you already heard about what exactly a sandbox is. A sandbox is a specific environment; basically, it's a virtual machine, when you talk about malware analysis, or to analyze or investigate, threat hunting, and so on and so on. Basically, you have the malware here, you execute the code inside this specific environment, and you will see the behavior, but it's not only a virtual machine. To see if this binary is malicious or not, you need to have, inside this sandbox, engines to see the behavior. Basically, it means, probably you already heard about what VirusTotal is; it is antivirus scanning. You have the binary, you put it inside this antivirus scanning, and based on many engines inside this antivirus scanning, you can see if this malware is malicious, or the sample, actually, is malicious or not. So it's based on the engines inside of that, right? So a sandbox needs to have the same concept. The same concept. You need to have these engines inside of it. For example, you have many different open source projects like Cuckoo and others, so I will show you during this presentation, right?
So remember, a sandbox is not only a virtual machine; you need to have these engines inside it, right? So, okay, before we talk about the structure of PDF files, we need to see more about the structure of the binary. It's important to clarify those differences, okay? So let's talk about that now in my virtual machine, in live code here for you. Okay, so, sorry for that. So I have here many different samples, and some of these samples are probably malicious and others not malicious. So we need to check these and see the difference between one file and another. So let's check. First of all, remember the flow: the identification step, you receive this binary, you need to analyze it. So I have here the Amazon file. So I will use the file command to see what type this file is, right? The second file that I will check is Amazon.docx, sorry, it's a Microsoft Word document, it's almost the same. Let me check my friend bill here. I have here a file, bill; it's a PDF file. Let me check here, the malware doc Python file. Maybe it's a Python script. Yes, it's a Python script. Let me check sample.pdf, it's a sample, and doc.txt is not a, it's text but it's a Python script, but with a difference, and another, tar.pdf, is a PDF file. Okay. So take a look at this. We have different binaries here, different files. So remember, you receive these in your position; I suppose that you want to analyze them as a researcher, malware analyst or whatever. So we need to look at them at a deeper level. So, sorry, this is my point here. So what is important to see here in this conversation? Right. So first we need to understand if this file is really malware or not. Let me check here the malware doc Python file, for example. Okay. Let me read it first; no, I will not, it's a good thing itself, but it's not malware actually. Let's check here. So let me try to execute it here, like python3.9 malware. Let's see here. Okay. So it's a simple code in Python. Take a look at this. It's a Python script.
And if you see here, basically this is some information that we have in the beginning, and here we have another file. And by the way, if I change something here, let me manipulate something here in this file. Okay. Let me cut here and I will save once again and I will try to execute again, the same, Python 3.9, not 3.9, Python 3.9 actually, on the malware Python file, and take a look. This is the same. You see? So if you use file once again, take a look at the difference. So here we have the malware file: we have this Python script, and we have here ASCII text executable. But here I changed something in the beginning. I cut this part, as you can see here, and we changed this information. So file identifies the type of the file in a different way, if you see here. So let me change another thing here in this file. Let me manipulate it once again. Okay. Let me put here, put here PDF, or actually not PDF, percent PDF. I think it's better. 1.7 maybe, or I can use a dash here. I think it's more. And then save. Yes. And let's check what happened here. Wow. Take a look at this. So now we have a PDF document. And if I try to execute it once again in Python, we have a problem here, because I have a syntax problem. Okay. Because now the file type is different; it's PDF. So take a look at this. I have here pdfid; it's a tool from Didier Stevens. And I have an alias here. And I will perform this. Sorry. Perform these tools, executing here an analysis, specifically to search for some simple, or some information, inside of this with pdfid. So if you see here, I have the different objects. I will explain the difference between these during this conversation. But just to show you something, let me use the same pdfid on the malware doc Python file. But Felipe, it's not Python, it's the extension. And I execute something, but take a look at this. Now pdfid identified this sample as a PDF. Even though this binary has another extension, you see, take a look at this.
And let me check another one; let me change something. I move the malware doc to malware doc PDF; I will change the extension to PDF. And I will try to see; it's the same. But if you see, I execute it in Python once again, I will show you the content of this; it continues to be the same, it's the same content, right? But when I try to use pdfid, this tool identifies it as really a PDF file, you see? And file, the same case, it's a PDF document. I manipulated something inside of the binary. So my question to you is: what exact information am I manipulating inside of this binary? So think about that, okay? So let me change other things here. So nano on the malware PDF again, and I will cut here and I will save once again. And now I have the same content. I just cut the first beginning of the information. Let me try executing Python once again. Probably we will have some problem, but I will try the malware doc PDF. Let me try to execute; probably I receive some error. No, we don't get an error. Why? Because the extension is different. So what happened here? So if I try once again, oh Jesus, now we have ASCII text. And let me manipulate another thing here in the beginning of this file. Let me return here once again, sorry. And this is specifically the Python shebang. I will copy here, let's check here. I will copy this, as you can see, okay? And I will manipulate this file once again. Enter, I will paste here, as you can see. I will save once again. file malware, take a look at this. Wow, it's a Python script executable. Let me try using Python once again. So probably it works now. It continues to work, because I need to write it the correct way. So it works here. So I changed something here and I will try again. It works again. So let me use pdfid, because it's the malware file, it's a PDF once again. And take a look at this. Wow, it's not a PDF document. Take a look at this. So something happened here. That's the point here, the object of this conversation today.
So I am using different tools to investigate and to see; remember, I received this; remember your situation. So you work in your company, you receive this file and you need to analyze it. You need to use, I suggest you need to use, you should use these tools in your analysis, but you need to understand how each tool works. So here, let me explain about the file command. What kind of information, remember my question, what information does file use, does it collect this information from inside the binary? Here is the information collected by file, okay? So this file has a magic number. Probably, if you are, you know, not a beginner, if you are a mid-level analyst, or if you are a senior specialist, or, you know, I don't know, a principal, obviously you know about that, about what exactly a magic number is, and each binary has a specific magic number. In some binaries it's difficult to manipulate; I made some manipulations actually in the Python code and the PDF, and it's easier in this case. But file sees, in each binary, the magic number; basically this is the important information it looks for. And basically the file tool, actually this binary, it is an executable inside the operating system, and file uses a specific database to find this information. And those databases are here inside a specific directory of the operating system, but of course it's compiled; because of that, you cannot see this information inside of it. But I downloaded this information. This explanation I'm using is from another researcher, my friend Fernando Mercês; he has a specific video explaining many details about file, but in Portuguese, importantly, but probably you can use subtitles to see it. But I collected the idea behind this from this video, basically from Fernando Mercês, and I downloaded the file database to share with you how this works.
So if you see here, I have many different databases used by Unix platforms. So if I cat here PDF, for example, you can see here how many, sorry, how much information, rules and strings the file command uses for a magic number. Okay, that's the important thing here. Okay, as you can see here in the beginning, if you see here, percent PDF dash, this is the string that you can see in the beginning. So if you read for Python, for example, take a look at this, we can see here the beginning of the information. You see some information; you can see in the beginning of the code strings and other things like this. For example, like /usr/bin/python and others, and others; of course not only one but more than one that you can find in the specific database that you can see here. So that's very interesting. So let me see, for example, our JavaScript. What a very interesting thing. So if you see here in the beginning, /usr/bin/node. Let me copy here and manipulate, for the last time here, our document here. So let me return here to the malware folder, nano on the malware PDF, and I will cut here and I will paste, and let's see what happened, if I can do this the last one, file malware; take a look at this, and wow, we have an executable. In this case, they use a different way, but if you see, now we have JavaScript in a different way, because the script is executable. It's very, very interesting. So if you see here, the other is root, malware, file, magic, and what is the other, Magdir, oops, Magdir and javascript. Yeah, javascript. And you can see here Node.js, for example; let me copy, manipulate once again, paste here, and I will cut below, just to put the JS at the end, actually, file malware. You see, it's a Node.js script. So it's a very important thing. Another interesting thing here is this information about the structure of the binary. Of course I will talk more about the PDF, but I will explain more about that, about the structure.
If you see here in the manual, take a look at this information; it's interesting here, about ELF. We don't have time to talk about the ELF structure or PE, portable executable, but here we have specific information about the format of the ELF, the structure actually. So what is the difference, or how you can find the array inside of this, how you can find the information. For example, let me copy here just to show you here in this presentation. So let me locate here. Now paste here. Let me find here; it's the headers, it's what is located here. Okay. It's here, /usr, it's here. So I will copy here and I will show you simply this one. Better. Best. And take a look at this: this file defines standard ELF types, structures and macros. You see, very, very interesting and useful information. Sorry. And here you can see how many bytes you have, you know, divided in a specific structure of the ELF. This is the first one, the first array called, for example, e_ident; it is the first array, which has 16 bytes, and in this specific array you can find the magic number and other information. Again, we don't have time to explain many things here, but it's a topic for another talk. Okay, just to show it. So, oops, let me, oh, here, no, okay. So let's talk about the PDF structure, because it's a really important part of our presentation. So we have a physical and logical structure of the PDF. So usually you have four parts when you talk about the PDF, okay? So we have a header; it's very common in many different binaries. We have a body, a cross-reference table and a trailer. Let's look more deeply at the four parts inside the PDF, okay? So we have a specific version in the header here. Inside the body, we have pages, images and fonts, like the shiny things inside the PDF. In the cross-reference table, we have the specific locations of the objects in the file for random access, okay? It means that we have a specific structure of this PDF.
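As an added example (not part of the talk, and not the file(1) source), here is a small Python identifier that works the way the speaker describes: it looks at the leading bytes, not the extension, using a handful of constructed signatures, and it replays the manipulation from the demo (cut the shebang, prepend %PDF-1.7, prepend a Node.js shebang). It also decodes the 16-byte e_ident array mentioned in the ELF discussion. The signature table and the sample script are constructed for the example; real file(1) consults thousands of rules under magic/Magdir.

```python
"""Added example (not from the talk): a tiny magic-number identifier in the spirit of
file(1), exercised with the same manipulation the speaker performs on the Python script,
plus a decoder for the 16-byte e_ident array of an ELF header."""
import struct

# Constructed signature table. First match wins, like the ordered rules in file(1)'s
# magic/Magdir; real file(1) carries thousands of such rules.
SIGNATURES = [
    (b"%PDF-", "PDF document"),
    (b"\x7fELF", "ELF"),
    (b"MZ", "PE executable (DOS MZ stub)"),
    (b"PK\x03\x04", "Zip archive (docx/xlsx, jar and apk are Zip containers)"),
]

# Interpreter name found on the shebang line -> label (a simplified version of what
# magic/Magdir/python and magic/Magdir/javascript do).
SHEBANG_LABELS = {
    b"python": "Python script, ASCII text executable",
    b"node": "Node.js script, ASCII text executable",
}


def identify(data: bytes) -> str:
    """Return a file(1)-style label for the bytes (content only, the extension is ignored)."""
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label
    if data.startswith(b"#!"):
        shebang = data.split(b"\n", 1)[0]
        for interpreter, label in SHEBANG_LABELS.items():
            if interpreter in shebang:
                return label
        return "script, ASCII text executable"
    try:
        data.decode("ascii")
        return "ASCII text"
    except UnicodeDecodeError:
        return "data"


def parse_elf_ident(data: bytes) -> dict:
    """Decode e_ident, the 16-byte array that opens every ELF header (see elf.h)."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF header")
    # e_ident layout: EI_MAG0..3 | EI_CLASS | EI_DATA | EI_VERSION | EI_OSABI |
    #                 EI_ABIVERSION | EI_PAD (7 bytes)
    ei_class, ei_data, ei_version, ei_osabi, ei_abiversion = struct.unpack_from("5B", data, 4)
    return {
        "class": {1: "ELF32", 2: "ELF64"}.get(ei_class, "invalid"),
        "data": {1: "little-endian", 2: "big-endian"}.get(ei_data, "invalid"),
        "version": ei_version,
        "osabi": ei_osabi,
        "abiversion": ei_abiversion,
    }


# Constructed sample (not the speaker's script): a Python script with its shebang.
PY_SCRIPT = b"#!/usr/bin/env python3\nprint('hello from the sample')\n"


def demo() -> dict:
    """Replay the three manipulations from the demo and return file(1)-style labels."""
    body = PY_SCRIPT.split(b"\n", 1)[1]        # step 1: cut the shebang line
    as_pdf = b"%PDF-1.7\n" + body               # step 2: prepend a PDF header
    as_node = b"#!/usr/bin/env node\n" + body   # step 3: prepend a Node.js shebang
    return {
        "original": identify(PY_SCRIPT),
        "shebang_cut": identify(body),
        "pdf_header": identify(as_pdf),
        "node_shebang": identify(as_node),
    }


if __name__ == "__main__":
    for name, label in demo().items():
        print(f"{name:>13}: {label}")
    print(parse_elf_ident(b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8))
```

The point the demo makes survives in miniature: the label changes with the first bytes while the script body stays identical, which is why an analyst reads the content rather than trusting the extension, and why two tools can disagree about the same file.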
Let me share with you here. Oh, this is my GitHub basically. So let me, let's go to Didier Stevens here, Didier Stevens, okay? This is the guy, the researcher, Didier Stevens, sorry. Here's the blog, his blog. We can find much information about PDF and other structures. I would like to share a specific picture. Okay, you can find it here, but I think it's easier. So here you can see PDF Tools. It's a small page, but it's very nice. Tools that I'm using here in our conversation. Here are the fundamental elements. I think we can find here the information that I'd like to share with you. Fundamental elements, let's see if it's here. And I think yes, yes, it's here. So it's old, but the structure is the same, you see? So take a look at this, the header. So remember, the magic number is the header, percent PDF dash. So here is the old version that you can read. Here are the different objects that you have inside this specific PDF, and the cross-reference table, okay? Four parts, and here is the most important to see how the structure works in the PDF. Take a look at this specific picture, because it's important. So here is how the PDF objects work. So we have here the root object; it's the main object, and you have two child objects, right? Object two and object three. So if you've seen this picture, for example, these two objects are totally linked to, or referring to, this specific object one. You see, like a tree, okay? And this specific object, object four, is not related to object two, but only references three, like object three; again, like a big tree, if you think about that, okay? So you see how one object references another object. So this is very important; you understand why? Because, for example, let me explain about pdfid; in this case, bill is one of these, because, take a look at this, we have here 44 objects. So let's check another PDF. It's another. How many objects does pdfid show? How many objects do we have here?
So in this case, we have six, no, 16. We have 18 objects. So remember this picture. So each object is connected to the root object and other child objects. Remember that; it's very important you understand that, because, depending on the specific PDF, we have more than one object, okay? So that's the point here of this specific structure: it's the locations of the objects in the file. Not only that, but you have specific streams. It's an important part, as you can see here. So we have here 16 streams to analyze. So if you see, for example, pdfid on bill, I think we don't have any; in this case, we have eight streams. Usually streams are the part that attackers use to put something malicious inside. So that's, oops, that's the important thing. Interesting. So, and the trailer basically is the location of certain objects in the body. Okay, so we have part of these objects in the body; those are shiny things like fonts, images, but usually you have some links like URLs, okay? So when you receive some PDF, you click on this URL, and you are redirected to a specific web page, for example. That's the part of the trailer information. Okay, so let's go to the specific investigation that I made when I received a specific PDF. Let's go through this step by step. So I receive a specific object, and I receive the CV. It's a, you know, resume actually. So it's very common for recruiters, okay? So remember, this is the important part, to identify if this object is a PDF or not. Of course, just to show you, that's the important part. Remember, in the beginning of this conversation, I explained how important it is to understand these basics. Again, probably you are a senior. If you are a senior or a specialist, you know about that. But if you are a beginner, or starting your studies of malware analysis, you need to understand these basics. This is very important, okay?
So first of all, I check with pdfid to see how many objects I have inside this PDF, how many streams I could have, and some possible special behavior. Okay, so I have here 15 objects, two streams; not only that, but take a look at this. Very interesting. It finds references to JavaScript: two /JS, three /JavaScript, and one /OpenAction, but we don't know what exactly /OpenAction is, right? But you need to check this. Okay, cool. So the second tool that I'm using here is pdf-parser. It's another tool from Didier Stevens. So we can use here the -s option to see specific information that you can find here. So I set -s JavaScript to check. Remember, we have three references. So first of all, in object one, the second reference in object seven, and the third is object 12. Remember, three JavaScript. And JS, remember, two references. So if you see here, object 12 and object one, the other two. So I'm using two different tools to check the same information, you see. So my idea here is to show you the same information in two different tools, to check how important it is to understand how the tools work and what kind of information you can find with them. The second flag or option that I'm using here, with pdf-parser, is -w, I think it's -w, yeah, -w, to get raw output data. Because my idea here is to look more deeply at the data, not only that, but at the possible streams, right? Or to see more information about that, to read the raw data. Okay, first of all, we have object one, and take a look at this interesting information. Remember that: so object one, the root, and you have references to objects two, three, four, five, six, and seven. Remember this, not this, but this picture: object one referring to seven, until object, sorry, until object seven, exactly, that's correct. So remember this picture: object one; two, three, four, five, six, seven.
Seven objects totally referenced, or not referenced, but linked to a specific object one, as you can see here in this demo, okay? So because of that, it's important to understand this flow. Sorry, this flow about that; sorry for this cough, but I had COVID two weeks ago and I still have some problems; two weeks ago, no, last week actually. And okay, let's continue. So if you see here all those objects, we need to analyze each object to see. And take a look at this: we have a specific /OpenAction linked with this specific JavaScript. And here it's not JavaScript, because we don't have, we are not using now the correct tools to look at this specific information. And if you see here below, take a look at this, we still have the information about /OpenAction, but Felipe, what does /OpenAction mean? So let's check if I have this information here. I think I don't have this information here. Yeah, we don't have it here, but I don't know if we have this information here. I would like to share with you this information in more detail. Let me check it here, if I have this information here. Oh yeah, I have it here, take a look at this, what that means. Okay, nice. /AA or /OpenAction indicates an automatic action to be performed when the page or document is viewed. Take a look at this important information. So it indicates an automatic action to be performed when the page or document is viewed. So now take a look at this: the user, or the recruiter, or the talent acquisition person, receives this resume or CV, or, if you think of the people at a foundation receiving a specific invoice, when they receive it by email, they need to check this email. They need to open this PDF. So this is the action: open the page, view the document, right? So this is the action, the normal action, view the document. But after that, when you find this /OpenAction, it means that an automatic action will be performed when this page is opened, okay?
So it means that something will happen after this view. And the combination of the automatic action and JavaScript makes a PDF document very suspicious. So what we have here: an /OpenAction with JavaScript linked means it's suspicious, it's probably malicious, right? So if you are an analyst here, we can check this information; you can agree with me that it's totally malicious, but let's continue our investigation, okay? So now we know what /OpenAction means, and we need to find where this JavaScript is. So take a look at these other objects; take a look at this font and resources and image here; other resources, other references, objects eight and nine; remember the picture, okay? References, linked to other objects. So let me go up here, the video. Remember this image here, okay? It's not this image, yeah, remember this image. Object four, linked with another object. You see, and object seven is referring to object 10; you see the image. So many children for a specific object; you see how important it is to understand this, nice. So in this reference we have an object; inside this object 10, we have a possible JavaScript. So let's go more deeply; another piece of information in the body, other information is about the body. So let's see object 11. So remember we have 15 objects. So inside object 10, we have another reference, object 12 here. And here is the first stream; it contains a stream, not only that, but we have here FlateDecode. So it means that we need to decode the content inside this stream. And here, as you can see, the /Length is 36. In this case it's not too big, it's small. So maybe we don't have any important information here, but we have two streams here. So we need to find what the other stream is, or what kind of information we can find here. So here we have another object; take a look at this. In object 11, referring to object 13. Inside this object 13, we have what? We have a stream.
So inside of this stream, we have what? We have JavaScript. So as you can see here, the length, when you compare it to the others, is too high. So it means that the JavaScript, probably malicious, we can find here in this specific object. So this should be our main object to investigate, okay? So we need to look more at that. So let's go to this specific object, okay? So then another tool that I'm using here is pdftk. What is pdftk? It is a handy tool for manipulating PDFs, okay? It means you can use it to, you know, create a PDF, merge different PDFs, collate PDFs and compress stream pages and then compress or re-compress. Uncompress actually, or re-compress. Remember, I have content here inside of this stream. So I need to uncompress this information. So that's my action here. So I have pdftk, the file, set the output, or I will copy this information and pass it here into the .txt, and I will set the uncompress activity because my idea is to look for the deep information, the content inside of this specific stream. Remember that in object 13, and here the information is important. We find object 13, the left, we have content. This is the first technique used by the attacker, the JavaScript obfuscated. So here is the JavaScript, but this JavaScript is obfuscated. So you need to deobfuscate this code. Basically it's the second action. So remember, we have a PDF. This PDF has JavaScript. Inside this JavaScript, we have a specific OpenAction. Remember, when the user views this information, the attacker will be using JavaScript and here is the first technique used by the attacker, the obfuscation technique using this specific.
If you see here inside of these parentheses, you can see specific standard numbers like, you see numbers and more below, or not below, but if you see here inside of the parentheses, as you can see here, letters, numbers, other information, as you can see here, so kind of standard information. So after that, I need to deobfuscate this code. Remember, so if they are using obfuscation, I need to deobfuscate here. So I found here some specific evil parameter and my idea here, if I have JavaScript, I will try to rewrite this information using HTML. Basically this is the idea here. So I'm using this specific open basic here to facilitate our demo, okay? So I will copy here and I paste here the document, right. So you see, I will deobfuscate this JavaScript as you can see here. So this is the second action. So remember the attacker is using the obfuscation technique, I will deobfuscate this code and let's see now what kind of information we can find here inside of this specific code. So basically I will rewrite it in an HTML file, I save it, and after that I give it permission to execute itself in a web browser, because my idea is to open it here in the web browser and check what kind of information we can find here, okay? So I'm using Firefox to call this sample and let's see what happens now. Take a look at this and bam, we have a payload. You know what that means? So probably, if you, again, probably if you don't know, no problem, but the payload is a part of code, it is a package responsible to download, or to just download onto the victim machine actually. And this package is responsible to execute the callback to the C&C, command and control, to make a response to the attacker, okay? So remember inside of this stream, remember we have obfuscated JavaScript; inside of the JavaScript, we have a payload. This payload basically is the package that will exploit the victim machine. And after that, what I'm using here, I will see the standard, you know, letters and percent.
I will copy and paste here and I put it here in a specific file. And my idea here is to try to find specific information. So I'm using sed to cut this information, because here we have now a pure code used by the attacker, the attacker is using a specific Unicode technique to encode information here. So and not only that, but I'm using here a Unix platform, but I'm using here Windows too because I'd like to show you a different approach not only in Unix, but using Linux. So here's the same malware, the same artifact as you can see here. Take a look at this, the JavaScript obfuscated. And I will be using here another platform, using the Windows platform, to show you those differences. Okay, so here is the real payload. Remember, I will copy and I use sed, and when I'm using the Linux platform but here you are using mouse dealer, okay? So I will copy here and I will paste and I will share with you here what kind of technique is used by the attacker. Remember I mentioned the specific encoding technique used by the attacker, because remember we have a payload and the attacker is using a specific encoding technique to encode this content inside of this payload. And this encoding, this technique used by the attacker, is UCS2, okay? It's not new, it's old. Now the evolution actually, we have the new UTF-16, UTF-32 and so on and so on. But before that we had UCS2, it's old, okay? So I'm using here UCS2 to generate here. So I will basically decode this information to generate hexadecimal information as you can see here. And now I have a hexadecimal file, okay? So after that I generate this hexadecimal file into a binary. Why do that? Because remember this, not remember, but usually most of the malware, more than 90%, is for the Windows platform. So I generate this specific binary to execute itself inside of the Windows machine.
And after that I call, I use strings to search for a possible HTTP protocol inside of this binary to see if this binary will call something, and take a look at what I found here. I found the command and control from the attacker. So now we have the C&C of the attacker. Remember about the payload? Yes, the payload will be a callback to this specific C&C. You see how interesting it is? So if you pass here the IP address, you see this IP address is from Estonia, Europe, okay? So here as you can see, this is the information we found in this specific file. So let me just finalize this information. So if you see here, so many URLs related to this specific attack. And if you see here, they have many victim machines exploited by this specific attack using a malicious PDF, okay? So just to summarize this demo, actually remember the user received this PDF. This PDF has specific JavaScript inside of it. This PDF is, or was in this case, obfuscated, or the JavaScript obfuscated inside of this JavaScript. Remember this JavaScript is hidden, the stream, this content is inside of this stream and we deobfuscated this information; inside of that the attacker is using specific encoding techniques. Actually inside of the JavaScript, we have a payload, remember? The payload is a package responsible for this callback, that is information actually, this information, you know? So the victim machine to the attacker, remember that? Inside of this payload, we have another technique used by the attacker, the encoding technique using UCS2. And inside of that, we have a possible C&C for this exploitation, okay? So here I can suggest you some books if you'd like to read and study more about malware analysis. So here are four books that I can recommend, right? Malware Analysis, Malware Analysis Techniques, Threat Hunting with Elastic Stack, and Practical Threat Intelligence and Data-Driven Threat Hunting.
So four very nice books that I can recommend if you would like to read and study more about that. And that's it, that's it. So I've finished my presentation here. I hope that I can help you during this journey in our conversation. So if you have any questions, please let me know, and see you in the next one.
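The triage chain the talk walks through (an OpenAction pointing at a JavaScript action, the script sitting in a FlateDecode stream, a %u-escaped UCS-2 payload inside it, and a strings-style search for a callback URL), as an added Python example that is not part of the talk or of pdftk; the PDF bytes, the two-bytes-per-unit escape layout and the URL c2.example.invalid are constructed for the demo.

```python
import re
import zlib

OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj(.*?)endobj", re.S)
UESC_RE = re.compile(r"%u([0-9a-fA-F]{4})")

def ref_to(key, head):
    """Object number of the indirect reference '/Key N 0 R' in a dictionary, or None."""
    m = re.search(rb"%s\s+(\d+)\s+0\s+R" % key, head)
    return int(m.group(1)) if m else None
def ucs2_escape(data):
    """Pack bytes two per %uXXXX unit, low byte first (the scheme seen in the sample)."""
    data += b"\0" * (len(data) % 2)
    return "".join(f"%u{data[i + 1]:02x}{data[i]:02x}" for i in range(0, len(data), 2))
def ucs2_unescape(js):
    """Undo the escapes: each 16-bit unit yields two bytes, low byte first."""
    return bytes(b for h in UESC_RE.findall(js) for b in (int(h[2:], 16), int(h[:2], 16)))
def parse_objects(pdf):
    """Map object number -> (dictionary bytes, stream bytes after FlateDecode)."""
    objs = {}
    for m in OBJ_RE.finditer(pdf):
        head, _, rest = m.group(2).partition(b"stream\n")
        data = rest.rsplit(b"\nendstream", 1)[0] if rest else b""
        if data and b"/FlateDecode" in head:
            data = zlib.decompress(data)  # same step the talk does with pdftk ... uncompress
        objs[int(m.group(1))] = (head, data)
    return objs

def triage(pdf):
    """Follow /OpenAction -> /JavaScript action -> /JS stream, decode %u escapes, pull URLs."""
    objs = parse_objects(pdf)
    oa = next((n for n in (ref_to(rb"/OpenAction", h) for h, _ in objs.values()) if n), None)
    report = {"open_action": oa, "suspicious": False, "js_object": None, "urls": []}
    if oa is None or b"/JavaScript" not in objs[oa][0]:
        return report  # no automatic action, or one that is not JavaScript
    report["suspicious"] = True  # automatic action + JavaScript: the talk's red flag
    report["js_object"] = ref_to(rb"/JS", objs[oa][0]) or oa
    decoded = ucs2_unescape(objs[report["js_object"]][1].decode("latin-1"))
    report["urls"] = [u.decode() for u in re.findall(rb"https?://[\w./-]+", decoded)]
    return report

def build_sample():
    """Constructed, harmless PDF with the talk's object chain; the 'payload' is just a URL."""
    js = b'var p = unescape("' + ucs2_escape(b"http://c2.example.invalid/cb").encode() + b'");'
    stream = zlib.compress(js)
    return (b"%%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
            b"2 0 obj << /S /JavaScript /JS 3 0 R >> endobj\n"
            b"3 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(stream)
            + stream + b"\nendstream\nendobj\n%%EOF\n")
```

Running `triage(build_sample())` reports OpenAction object 2, JavaScript stream object 3, and the decoded callback URL, which is the same evidence the talk reaches by hand.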