GREM Malicious Document File Forensics Questions and Answers

Question 1

An analyst is examining a suspicious PDF file using `pdfid.py`. The tool's output shows counts greater than zero for `/JavaScript` and `/OpenAction`. What is the most likely next step for the analyst to investigate the file's primary malicious behavior?

Accepted Answer

Extract and deobfuscate the JavaScript code from the relevant stream objects.

Answer

The presence of `/JavaScript` and `/OpenAction` keywords strongly indicates that the PDF is designed to execute script automatically upon being opened. The most direct and critical next step is to use a tool like `pdf-parser.py` to extract the JavaScript code from the corresponding objects and analyze its functionality. The other options are less direct; while they might be part of a deeper analysis, investigating the script is the primary path forward.

Question 2

A malware author wants to hide a malicious VBA payload in a Microsoft Excel file. They edit the macro's compiled p-code to contain the malicious logic but replace the human-readable source code with a benign-looking 'Hello, World!' message. Which technique does this describe?

Accepted Answer

VBA Stomping

Answer

VBA Stomping is an anti-analysis technique where the VBA source code is removed or replaced with benign code, while the malicious, pre-compiled p-code is left intact. Since Microsoft Office applications will execute the p-code if it's compatible, this method effectively hides the malicious behavior from analysts who only inspect the source code in the VBA editor.

Question 3

An analyst is dissecting a malicious RTF file known to exploit CVE-2017-0199. Which of the following elements would the analyst most expect to find embedded within the RTF structure to trigger this vulnerability?

Accepted Answer

An OLE2-linked object that points to a remote HTA file.

Answer

CVE-2017-0199 is a remote code execution vulnerability that is triggered when a Microsoft Office application parses an RTF file containing an embedded OLE2link object. This object instructs the application to download and execute a remote file, typically an HTA (HTML Application) file, which then runs malicious scripts or payloads.

Question 4

A reverse engineer uses the `oledump.py` tool on a suspicious `.xls` file and observes several streams marked with an uppercase 'M'. What does this indicator signify?

Accepted Answer

The stream contains VBA macro code.

Answer

In the output of `oledump.py`, the uppercase 'M' indicator is specifically used to flag streams that contain VBA macro code (attributes and code). A lowercase 'm' indicates macro attributes without code. This allows an analyst to quickly identify which streams need to be extracted and examined for malicious scripts.

Question 5

In the context of PDF forensics, what is the primary purpose of the `/FlateDecode` filter?

Accepted Answer

To decompress stream data that has been compressed using the zlib/deflate algorithm.

Answer

The `/FlateDecode` filter in a PDF stream object specifies that the stream's content is compressed using the zlib/deflate algorithm. To analyze the raw content of the stream (which could be JavaScript, shellcode, or other data), an analyst must first decompress it. Representing binary data as ASCII hex is typically done with `/ASCIIHexDecode`.

(GREM) Giac Reverse Engineering Malware Practice Test

(GREM) Giac Reverse Engineering Malware Practice Test

GREM Malicious Document File Forensics Questions and Answers