Hello, welcome to the Monday, August 1st, 2020 edition of the Sansanet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

We often cover analyzing malicious PDFs in our diaries.

In particular, DDA's tools are calmly used, but most of the time we walk

you through some specific feature or some particular interesting artifact. But what we have

been missing a little bit, I think, is to really sort of give you some of the basics in analyzing

these documents, which are all too common, of course.

On Friday, Jesse, who is our new apprentice handler here, went over a quick introduction to how to use PDF parser on a normal malicious PDF to explain some of the basic features of this tool.

So for everybody getting started with Malware reverse analysis, in particular PDFs, bookmark the post,

and follow Jesse's steps here to figure out how PDF parser works.

Well, of course, one way PDFs are sometimes used is fishing, but well, fishing, usually more

related to bad login pages for criminals attempting to find locations to host these files.

Well, they're cloud providers, and we of course have seen this a lot. They're very attractive option, but Trustwave and others have recently observed another option in increased use by attackers, and that's IPFS, the interplanetary file system, as it's called.

What it basically is is stores files on systems around the world.

It's a little bit sort of tour-like in that sense, but really just meant to store files.

The files are then identified by hashes, and to access a file, you may send an HTTP request

to a particular gateway.

Now, a user will just send a normal HTTP request

to one of those gateways.

Then often a number of redirects happen

until you end up with the file.

Part of these redirects is often there, the initial URL, which is the gateway, then at the end,

...