GREM Malicious Document File Forensics Questions and Answers

Question 1

An analyst is examining a suspicious PDF file using `pdfid.py`.
The tool's output shows counts greater than zero for `/JavaScript` and `/OpenAction`.
What is the most likely next step for the analyst to investigate the file's primary malicious behavior?

Accepted Answer

Extract and deobfuscate the JavaScript code from the relevant stream objects.

Answer

Analyze the font definitions for embedded exploits using a hex editor.

Answer

Rebuild the PDF's cross-reference table (`xref`) using a PDF repair tool.

Answer

Use a disassembler to search for shellcode in the `/Pages` object.

Question 2

A malware author wants to hide a malicious VBA payload in a Microsoft Excel file. They edit the macro's compiled p-code to contain the malicious logic but replace the human-readable source code with a benign-looking 'Hello, World!' message. Which technique does this describe?

Accepted Answer

VBA Stomping

Answer

Dynamic Data Exchange (DDE) Obfuscation

Answer

OLE Object Linking

Answer

Template Injection

Question 3

An analyst is dissecting a malicious RTF file known to exploit CVE-2017-0199. Which of the following elements would the analyst most expect to find embedded within the RTF structure to trigger this vulnerability?

Accepted Answer

An OLE2-linked object that points to a remote HTA file.

Answer

A large, obfuscated JavaScript block within a text stream.

Answer

A malformed font definition causing a buffer overflow.

Answer

An embedded Flash object that triggers a use-after-free vulnerability.

Question 4

A reverse engineer uses the `oledump.py` tool on a suspicious `.xls` file and observes several streams marked with an uppercase 'M'. What does this indicator signify?

Accepted Answer

The stream contains VBA macro code.

Answer

The stream is part of the document's metadata.

Answer

The stream is compressed using a non-standard algorithm.

Answer

The stream is unusually large and likely contains shellcode.

Question 5

In the context of PDF forensics, what is the primary purpose of the `/FlateDecode` filter?

Accepted Answer

To decompress stream data that has been compressed using the zlib/deflate algorithm.

Answer

To represent binary data as a sequence of ASCII hexadecimal characters.

Answer

To execute embedded JavaScript upon opening the document.

Answer

To encrypt a stream object using a public key certificate.

Question 6

An analyst receives a `.docx` file and suspects it contains malicious macros. After unzipping the file, in which of the following file paths within the archive would the analyst most likely find the VBA macro project?

Accepted Answer

word/vbaProject.bin

Answer

_rels/.rels

Answer

[Content_Types].xml

Answer

word/document.xml

An analyst is examining a suspicious PDF file using `pdfid.py`.The tool's output shows counts greater than zero for `/JavaScript` and `/OpenAction`.What is the most likely next step for the analyst to investigate the file's primary malicious behavior?

An analyst is examining a suspicious PDF file using `pdfid.py`.
The tool's output shows counts greater than zero for `/JavaScript` and `/OpenAction`.
What is the most likely next step for the analyst to investigate the file's primary malicious behavior?