1 00:00:00,540 --> 00:00:01,950 Hello and welcome back.
2 00:00:02,250 --> 00:00:08,010 In this video, we are going to do a practical lesson on static analysis.
3 00:00:09,170 --> 00:00:17,630 We are going to perform static analysis on documents. We are going to do embedded strings analysis,
4 00:00:17,990 --> 00:00:19,430 XOR analysis,
5 00:00:20,530 --> 00:00:22,660 YARA, metadata.
6 00:00:23,570 --> 00:00:33,260 And the two files that you need to download are mal-PDF and mal-office, and the password
7 00:00:33,260 --> 00:00:36,380 to unzip them is cracking lessons dot com.
8 00:00:37,300 --> 00:00:43,390 In addition to these two files, there is also another file, yara-rules, which I will provide for
9 00:00:43,390 --> 00:00:43,600 you.
10 00:00:44,550 --> 00:00:50,890 So download these two files and the YARA rules file from the resource section.
11 00:00:52,330 --> 00:00:53,720 So let's get started.
12 00:00:56,060 --> 00:01:02,870 So boot into your REMnux Linux and then copy the files you downloaded.
13 00:01:04,050 --> 00:01:14,070 Put them in your Linux shared folder in your Windows, and then from your REMnux, go to the
14 00:01:14,070 --> 00:01:16,200 files, check for them,
15 00:01:17,950 --> 00:01:20,260 and copy them from
16 00:01:22,110 --> 00:01:25,890 the folder you have put them in in your Windows.
17 00:01:26,910 --> 00:01:37,250 So I put it in 01 in my Windows, so I'm going to copy these three files, mal-office, mal-PDF, here,
18 00:01:37,510 --> 00:01:37,740 the yara rules.
19 00:01:39,560 --> 00:01:50,540 I'll copy and put them inside my home directory, so my home directory is over here, home. I will create
20 00:01:50,540 --> 00:01:52,220 a new folder called malware.
21 00:01:53,190 --> 00:01:56,790 So to create a new folder, you just have to right click here, New Folder.
22 00:01:58,280 --> 00:02:04,990 So I've already created it, so I'm not going to create another one. Copy the three files to it.
23 00:02:08,010 --> 00:02:14,720 So now you're going to extract your YARA rules. So to extract your YARA rules, you can use the unzip
24 00:02:14,730 --> 00:02:15,200 command.
25 00:02:15,690 --> 00:02:26,160 So just open a terminal here: go to Activities, click on Terminal, and then navigate to your home
26 00:02:26,160 --> 00:02:30,530 directory: cd, space, tilde.
27 00:02:31,290 --> 00:02:34,830 And you can list your home directory contents.
28 00:02:35,040 --> 00:02:41,220 You can enter your malware folder and list it.
29 00:02:42,670 --> 00:02:49,600 I've already unzipped my YARA rules, but in your case, if you have not unzipped them, you should enter your
30 00:02:49,600 --> 00:02:58,540 01 folder and then unzip it by typing unzip yara-rules.
31 00:03:00,460 --> 00:03:09,140 So you unzip the YARA rules and you will find a new folder containing all the rules inside. The important file
32 00:03:09,230 --> 00:03:11,750 is your index.yar file.
33 00:03:12,460 --> 00:03:20,650 So if you scroll through, you can see index.yar. So after you've unzipped these YARA rules
34 00:03:20,650 --> 00:03:26,510 files, just cut them and paste them in the malware folder above it.
35 00:03:27,070 --> 00:03:29,840 So I've done this, so I'm not going to repeat it again.
36 00:03:30,520 --> 00:03:40,600 So after you've done that, you can start analyzing our first files, mal-office and mal-PDF. In future,
37 00:03:40,600 --> 00:03:48,550 if you ever want to get the latest YARA rules, you can always navigate to this website, which I
38 00:03:48,550 --> 00:03:56,590 shared with you in a previous lesson, and then click on Code here and click Download. This is where
39 00:03:56,590 --> 00:03:58,360 you can get your YARA rules.
40 00:04:00,070 --> 00:04:07,450 So the rules are rules containing the patterns for malicious code as well as binaries, which you can
41 00:04:07,450 --> 00:04:09,090 use to scan files.
42 00:04:09,400 --> 00:04:12,340 It's just like an antivirus repository.
43 00:04:14,690 --> 00:04:20,160 Now let's unzip the mal-office zip and the mal-PDF.
44 00:04:20,240 --> 00:04:23,770 So to do that, let me clear the screen first.
45 00:04:26,430 --> 00:04:34,980 Type in unzip, followed by the name of the file, and hit enter, and it asks for
46 00:04:34,980 --> 00:04:37,560 a password. Type cracking lessons
47 00:04:38,040 --> 00:04:38,670 dot com.
48 00:04:48,580 --> 00:04:55,290 Yes, so after you unzip it, there'll be a new folder inside. You will find the malicious docx,
49 00:04:55,300 --> 00:04:56,410 an office document.
50 00:04:57,310 --> 00:04:59,750 The second file is mal-PDF.
51 00:05:01,030 --> 00:05:07,250 So repeat unzip, pointing it to file two, mal-PDF.
52 00:05:10,830 --> 00:05:15,990 And hit enter, and for the password, it's also cracking lessons dot com;
53 00:05:19,800 --> 00:05:22,730 the password is hidden, so it won't be showing here.
54 00:05:24,390 --> 00:05:32,790 So after unzipping mal-PDF, you have another folder containing the mal-PDF, the malicious PDF.
55 00:05:36,700 --> 00:05:41,250 So we start by doing a strings analysis of the PDF file.
56 00:05:42,010 --> 00:05:49,030 So in your terminal here, you can enter the PDF directory.
57 00:05:52,390 --> 00:05:59,920 List it, and this is the PDF. You're going to do a strings analysis. Just clear the screen first by typing
58 00:05:59,920 --> 00:06:00,320 clear.
59 00:06:01,720 --> 00:06:09,340 So we type the command strings followed by the dash a option, which means to scan for all strings, followed
60 00:06:09,340 --> 00:06:11,250 by the name of the PDF file.
61 00:06:11,860 --> 00:06:17,180 And then we want it to be scrollable when we view the output.
62 00:06:17,890 --> 00:06:19,390 So we type the pipe command.
63 00:06:19,870 --> 00:06:24,150 The pipe symbol is the key above the Enter key of the keyboard.
64 00:06:25,210 --> 00:06:35,320 You need Shift: hold Shift and press it, then you get the vertical bar symbol, and then type less.
65 00:06:36,010 --> 00:06:42,880 So the output of the strings command will be piped into the second command, which is called less, so
66 00:06:42,880 --> 00:06:44,800 that you can scroll up and down.
67 00:06:45,430 --> 00:06:48,220 So you press enter and now you see the result.
68 00:06:48,730 --> 00:06:56,140 You can use the arrow keys on your keyboard to scroll down or scroll up to see the result of your strings analysis.
69 00:07:02,430 --> 00:07:09,180 So as you can see, one of the strings found is %PDF-1.3. This is a
70 00:07:09,180 --> 00:07:17,310 header to indicate that this is a PDF file. The second thing of importance and significance is the JavaScript
71 00:07:17,310 --> 00:07:17,670 entry.
72 00:07:18,300 --> 00:07:25,110 So this shows that this PDF has embedded JavaScript and is able to run JavaScript commands.
73 00:07:25,530 --> 00:07:33,300 And this is one common tactic used by malicious PDF documents: using JavaScript to run something malicious.
74 00:07:34,050 --> 00:07:35,100 To quit this output,
75 00:07:35,100 --> 00:07:43,410 just press Q. The next command we are going to do is to perform a search for encrypted strings. To do
76 00:07:43,410 --> 00:07:43,630 that,
77 00:07:43,630 --> 00:07:45,640 we use the xorsearch command.
78 00:07:46,880 --> 00:07:55,440 So xorsearch, followed by the name of the file, followed by the encrypted string that you are searching for.
79 00:07:55,920 --> 00:08:00,640 So in this case, we want to see any encrypted URL.
80 00:08:00,660 --> 00:08:07,830 So we are searching for http, and then you hit enter, and we find that there are no encrypted strings
81 00:08:08,160 --> 00:08:09,540 containing http.
82 00:08:11,410 --> 00:08:21,310 To search for embedded executables, you can repeat the command xorsearch, giving it the option
83 00:08:22,900 --> 00:08:29,650 followed by the name of the file, and we find that there are no embedded executables for this particular
84 00:08:29,650 --> 00:08:30,280 document.
85 00:08:31,840 --> 00:08:39,310 Next, we're going to do a metadata analysis, so let's clear the screen first. For that
86 00:08:39,310 --> 00:08:51,880 we will use exiftool followed by the name of the file, and then we will pipe it to the less command so that we can
87 00:08:51,880 --> 00:08:53,620 scroll the output.
88 00:08:56,020 --> 00:09:02,570 And this is the result of the metadata scan. From the result,
89 00:09:02,680 --> 00:09:11,530 you can see some metadata: the filename PDF and file size, and it found when it was created. It was
90 00:09:11,530 --> 00:09:14,710 created in 2017, December 29.
91 00:09:16,010 --> 00:09:24,480 And its producer and creator, and MIME type application/pdf. Press Q to quit.
92 00:09:24,980 --> 00:09:29,300 Next, we are going to use a YARA scan on this file.
93 00:09:29,720 --> 00:09:38,780 So to use YARA, let me clear the screen first. Type the command yara, and then we
94 00:09:38,780 --> 00:09:43,640 provide the path to the YARA rules.
95 00:09:44,270 --> 00:09:48,080 So we put a tilde in front to say home.
96 00:09:49,450 --> 00:09:55,340 Then forward slash, go to the malware folder that you created earlier, and inside it,
97 00:09:55,670 --> 00:09:56,170 the yara
98 00:09:56,210 --> 00:10:07,430 rules subfolder, and in that, the index.yar file. So that file will contain a listing of all the rules within
99 00:10:07,430 --> 00:10:07,870 this yara
100 00:10:07,880 --> 00:10:08,960 rules subfolder.
101 00:10:09,710 --> 00:10:16,130 And then follow that with the name of the file that you want to scan, and then you hit enter, and you
102 00:10:16,130 --> 00:10:23,960 find it has a long list of output. You can scroll up and down using the scrollbar with your mouse, or you can use
103 00:10:24,440 --> 00:10:24,670 you,
104 00:10:24,920 --> 00:10:27,530 you can use a scroll wheel to scroll.
105 00:10:28,520 --> 00:10:37,400 Now, in order to suppress the warnings, we can put some additional parameters to the yara command.
106 00:10:39,300 --> 00:10:46,560 So let us repeat the YARA scan, but this time with some options. So the options that we are going
107 00:10:46,560 --> 00:10:47,310 to use:
108 00:10:49,440 --> 00:10:59,010 dash w to disable warnings, dash m to print metadata, dash s to print matching strings, and dash g to print
109 00:10:59,010 --> 00:10:59,520 tags.
110 00:11:05,130 --> 00:11:13,230 So let us clear the screen first and then repeat the command. Press up here to retrieve the history of this
111 00:11:14,280 --> 00:11:18,270 terminal, and then here, move your cursor all the way to the front.
112 00:11:18,780 --> 00:11:26,460 And add dash w, m, s, g for the rest of the parameters, and now hit enter.
113 00:11:29,770 --> 00:11:37,150 And now you will see a much more readable output, and you see the three suspicious characteristics
114 00:11:37,150 --> 00:11:45,130 or properties. First, suspicious producer; the second one is suspicious creator; and the third one is
115 00:11:45,250 --> 00:11:47,360 invalid trailer structure.
116 00:11:47,890 --> 00:11:53,710 So these three are enough to raise some flags to warn you about this file.
117 00:11:55,750 --> 00:12:02,140 Below are the rules that were triggered, so you can see what triggered it. For example, here in
118 00:12:02,140 --> 00:12:11,800 this string it says Scribus was found to be suspicious, because probably in the no way this was also detected.
119 00:12:12,440 --> 00:12:14,050 Same thing with the other suspicious one.
120 00:12:15,130 --> 00:12:18,750 This was detected by the text Scribus.
121 00:12:20,080 --> 00:12:24,730 So that's all for this analysis of the PDF file.
122 00:12:25,240 --> 00:12:31,200 In the next video, we will turn our analysis to the mal-office document.
123 00:12:31,510 --> 00:12:33,280 So I'll see you in the next one.