Hello, my name is Didier Stevens. I'm a Microsoft MVP and a SANS Internet Storm Center Handler, and I teach this training on malicious documents. I'm an expert in malicious PDFs and malicious Microsoft Office documents, and I also hold the SANS GREM certification (Reverse Engineering Malware). I developed my own tools to analyse PDF documents and MS Office files, and those tools are used by a lot of analysts. So in this training, I'm teaching you how to use these tools. Let's take a look.

The first day we are looking at PDFs. So I'm going to give you an introduction to the PDF language. You don't need to know anything about the PDF language; I will teach you the essentials necessary for PDF analysis. And then we will use my tools, pdfid and pdf-parser. So pdfid is used to identify PDF files, to triage them, to see if we need to analyse them or not. And then pdf-parser is the analysis tool for PDF files. I have 20 exercises that I completely designed for you, so they will teach you step by step how to analyse PDF files with pdfid and pdf-parser. And once we have done this, when we have worked through all those exercises, we will analyse real malicious samples.

So let me show you how pdfid and pdf-parser work with a very simple exercise. So I run pdfid on exercise 5 and then you get this information. I will explain all of it to you. But here you notice /JavaScript with a count of 1 and /OpenAction with a count of 1. So this tells you that this PDF document contains the names /JavaScript and /OpenAction, so it most likely contains JavaScript that will execute automatically when the PDF is opened. So this is a good candidate for further analysis with pdf-parser. So with pdf-parser, I'm going to search for OpenAction. So in object 1, it's a catalog object, so it's a root object. I'm going to tell you all about those objects. So the type is catalog and you can see here an /OpenAction and that is 7 0 R. So that actually refers to object 7.
All objects are numbered, with a number and a version. So this refers to object 7, so let's select object 7 and you can see object 7 is an action object for JavaScript, and here is the contained JavaScript. So it's actually just a message box in this exercise. So this is the exercise we are going to work through step by step. They become more difficult, with obfuscation, for example. And then we move on to real samples.

Now on day two, we are going to focus on malicious Microsoft Office documents. So I'm going to give you an introduction to the OLE file format. The OLE file format is the binary format that was used by Microsoft Office before the release of Office 2007. So again, you don't need to know anything about this format, I'm going to explain it to you. And then from Microsoft Office 2007 on, a new format was introduced, the Microsoft Office Open XML format, which is actually a zip file containing XML files. And I'm also going to teach you that, because macro files, macros, are still stored as OLE files inside those Open XML files. So then we are going to work through about 20 custom-designed exercises, exercises that I made especially for this training, and we are going to analyze them with oledump. And when we have worked through those 20 exercises, then we are going to analyze several real malicious documents found in the wild.

Let me give you an example. I'm working here on a real malicious document. And you can see, these are all the streams that you can find in the OLE file; they all have a name, you can see here macros, macros, macros. And then here, the indicator M indicates that this stream, stream 7, contains macros. So let's take a look at this macro stream. So I select stream 7. And since it contains VBA macros, and VBA macros are compressed, with option -v we decompress them. And let's pipe this through less, sorry. Let's start this again, let's pipe this through less. Okay, so this is the macro.
Here actually those constants here, those values that look like XML, sorry, hex code, they actually encode the URL, because this is a downloader. And you can see there's a lot of obfuscation here. I'm going to teach you all about that. But I also have several plugins for my oledump tool. So let me run the HTTP heuristics plugin on this sample, like this, and then you can see that for stream 7, the plugin hit, and it was able to decode the URL. So I'm going to teach you how to decode this manually, but know that we also have plugins; we are going to use plugins that do this automatically for us. This training is very hands-on. I prepared a lot of exercises for you. So if you are interested, please visit the website and register.
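As an added example (not code from the training, nor from Didier Stevens' pdfid or pdf-parser), this Python script reproduces the two steps shown for exercise 5 on a constructed minimal PDF: a pdfid-style count of the /JavaScript and /OpenAction names, then a pdf-parser-style walk from the catalog through the /OpenAction indirect reference to the JavaScript action object. The sample PDF, its object numbers and the alert text are constructed for this example.

```python
import re

# Constructed minimal PDF (not from the training), laid out like exercise 5:
# catalog -> /OpenAction 7 0 R -> JavaScript action showing a message box.
# Page objects and the xref table are omitted; the parsing below does not need them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 7 0 R >>
endobj
7 0 obj
<< /Type /Action /S /JavaScript /JS (app.alert('Hello from exercise 5');) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# A few of the names pdfid reports; /JavaScript plus /OpenAction is the triage signal.
TRIAGE_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")

def count_names(pdf: bytes) -> dict:
    """pdfid-style triage: count each name as a whole token (no prefix matches)."""
    return {n.decode(): len(re.findall(re.escape(n) + rb"(?![A-Za-z])", pdf))
            for n in TRIAGE_NAMES}

def parse_objects(pdf: bytes) -> dict:
    """Map object number -> body for every 'N G obj ... endobj' block."""
    return {int(m.group(1)): m.group(3)
            for m in re.finditer(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", pdf, re.S)}

def find_open_action_js(pdf: bytes):
    """pdf-parser-style walk: catalog -> /OpenAction N G R -> JavaScript action.
    Returns (object number, script) or None when that chain is not present."""
    objs = parse_objects(pdf)
    catalog = next((b for b in objs.values() if b"/Type /Catalog" in b), None)
    if catalog is None:
        return None
    ref = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", catalog)
    if ref is None:
        return None
    target = objs.get(int(ref.group(1)), b"")
    if b"/S /JavaScript" not in target:
        return None  # OpenAction points elsewhere (a page or a URI action, for instance)
    js = re.search(rb"/JS\s*\((.*?)\)\s*>>", target, re.S)
    return (int(ref.group(1)), js.group(1).decode() if js else None)
```

Real pdfid also handles case variants and hex-escaped names, and real pdf-parser handles streams and object versions; this script shows only the name count and the reference walk.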