Malware Analysis – Digital Forensic of Malicious Files

November 26, 2018


Recently, I did a post on the digital investigation of a backdoored PDF. In that post, I described the PDF structure and how to analyze this type of malicious file.

In this post, we will see another method of investigating these malicious files. We will separate all the attachments and stream objects from the malicious PDF file and then check whether any of them contains malicious content, such as a listener IP address or a dropper.

Creating the Malicious file

Here are the steps:
First, I will create an infected PDF for analysis, but I won't set up a listener, as this is for tutorial purposes.

I am going to inject this exploit into a clean PDF file for this experiment; as you can see below, I am supplying the path of the clean PDF file.

After running it, I get the evil PDF.

Starting the Investigation

We have created our file; now it's time to investigate it. Clone the origami GitHub repository by typing git clone && cd origami.
Install origami by typing gem install origami.

After moving into the origami/bin directory we can see several Ruby-based tools, but we are going to focus on pdfextract and pdfmetadata.

First we look at the metadata of the file, so type pdfmetadata evil.pdf in the terminal.

Above we can see details such as when the file was created, who its author is, the creation date, etc. This information is important because it can lead us further in the investigation.

Now, let's see whether the file contains any malicious content: type pdfextract evil.pdf and it will extract all the streams, images and attachments into a dump directory.

Below we can see the attachments have been dumped into a directory named "evil.dump".

Inside evil.dump we can see the attachments, streams and scripts folders extracted from the malicious PDF file.

In the dump directory I will start with scripts; in the scripts folder we can see there is a JavaScript file.

Now let's see what's inside this JavaScript.

Above we can see there is nothing suspicious. exportDataObject exports the content of a file attachment; its required cName parameter names the specific attachment, here "blackhat_usa".

Now let's see what's inside the streams folder.

Above we can see there's a stream.dmp file; now let's see what is inside it.

Above we can see some suspicious content, such as "executable will load the payload from a text file".

We can now see it carries a payload, so the attacker must have used a listener, and most of the time that is Meterpreter. I am going to check whether the dump file contains a listener IP address by searching it for the meterpreter string, using less "filename" | grep meterpreter.

We can see above there's a Meterpreter listener, with the attacker's listening IP given as the reverse_https lhost.
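As an added example (not part of the original post and not origami's own code), the following Python script does in miniature what the pdfextract-and-grep workflow above does: it walks the objects of a PDF, inflates FlateDecode streams, tags JavaScript and embedded-file objects the way pdfextract sorts them into scripts and attachments, and reports which of the strings the post grepped for appear in each. The PDF it parses is a constructed sample built inline; the indicator list and the 192.0.2.10 address are assumptions for the demo.

```python
import re
import zlib

# Strings the post greps for in the dumped streams (defensive triage only).
INDICATORS = (b"meterpreter", b"lhost", b"reverse_https",
              b"exportDataObject", b"/Launch", b"/EmbeddedFile")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\nendstream", re.S)


def decode_stream(dictionary, raw):
    """Inflate /FlateDecode streams; other or corrupt data is kept raw."""
    try:
        return zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
    except zlib.error:
        return raw


def triage_pdf(data):
    """Classify each object and list indicators in its dictionary/decoded stream."""
    findings = []
    for m in OBJ_RE.finditer(data):
        objnum, body = int(m.group(1)), m.group(3)
        s = STREAM_RE.search(body)
        dictionary = body[:s.start()] if s else body
        content = decode_stream(dictionary, s.group(1)) if s else b""
        if b"/JS" in dictionary or b"/JavaScript" in dictionary:
            kind = "javascript"      # what pdfextract puts in the scripts folder
        elif b"/EmbeddedFile" in dictionary:
            kind = "attachment"      # what pdfextract puts in the attachments folder
        else:
            kind = "stream" if s else "dict"
        blob = (dictionary + content).lower()
        hits = sorted(i.decode() for i in INDICATORS if i.lower() in blob)
        if hits or kind != "dict":
            findings.append((objnum, kind, hits))
    return findings


def build_sample_pdf():
    """Constructed test input, not a real sample: an OpenAction JavaScript object
    plus a Flate-compressed attachment whose text mimics the grepped-for line."""
    payload = zlib.compress(b"windows/meterpreter/reverse_https lhost=192.0.2.10 lport=443")
    js = b'this.exportDataObject({cName:"blackhat_usa", nLaunch:2});'
    objs = [b"<< /Type /Catalog /OpenAction 2 0 R >>",
            b"<< /S /JavaScript /JS (" + js + b") >>",
            b"<< /Type /EmbeddedFile /Length %d /Filter /FlateDecode >>\nstream\n"
            % len(payload) + payload + b"\nendstream"]
    pdf = b"%PDF-1.7\n"
    for num, obj in enumerate(objs, 1):
        pdf += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    return pdf + b"%%EOF\n"
```

Run triage_pdf on the bytes of a real dump or PDF to get the same per-object listing; objects with no stream and no hits are skipped to keep the output short.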
