Malicious documents in the form of email attachments have and continue to wreak havoc on individual users, the private business sector as well as local and federal government. According to Verizon's 2018 Data Breach report, 32% of all data breaches derived from phishing attacks. Avanan email security reports that 1 in 25 branded emails is a phishing email of which 42% of all malicious email attachments pose as Microsoft. Symantec reports that 48% of all malicious malware attachments are crafted as Microsoft Office documents. Malwarebytes reports that in 2018 there was a significant rise in Emotet and Trickbot malspam campaign, and that as of Q1 2019 Emotet and Trickbot have contributed to 61% of all malicious email payload deliveries. 

This presentation will focus on malicious document analysis as it relates to Adobe PDFs and Microsoft Office documents. The presentation will cover the use of numerous open source tools which will allow the forensic examiner to identify, extract and analyze malicious content embedded within Adobe PDF and Microsoft Office documents.  During the presentation I will discuss and illustrate how malware authors take advantage of macros within Microsoft Office documents by implementing malicious Java and or VBA script as well as provide analysis techniques for analyzing these malicious scripts.  With living off the land techniques on the rise this presentation will cover how to locate and decode base64 encoded and obfuscated PowerShell scripts which have been embedded within malicious documents.  During this analysis process I will discuss how to identify whether the malicious document is a dropper or a downloader and what threat intelligence can be obtained and used from the data.  Lastly, I will illustrate how to locate, extract and analyze embedded shell code from within malicious documents as well as explain how and why shell code is used for malicious intent. 

This presentation will use current malware and malicious document samples such as Emotet and Trickbot to provide the attendants with techniques for analyzing malspam incidents with many freely available open source analysis tools.  The outcome of this presentation is to further enhance the participants data breach investigations, identify methods for building YARA rules or IOC’s to harden and defend their network and or implement these analysis techniques into their existing incident response tools and automation processes.