Hello, welcome to the Tuesday, April 26, 2000, 22 edition of the Sands and at Stormsendors Stormcast.

My name is Johannes Ulrich, and I am recording from Jacksonville, Florida.

Another nice quick malavre analysis example, this time from Xavier, who is talking about a PDF that then linked to a malicious

document.

Often we do have a malicious document being delivered as an ad hatchment or a simple link in an

email that the user clicks on, of course, that's often easily parsed by automated systems.

In order to prevent this, another trick that we certainly have seen a lot of in the last

couple of years is that the document being attached to the email itself is not malicious,

but instead just contains the link that then directs the user to the

malicious content.

And the example here starts out with a PDF.

Again, that's PDF is in itself not really malicious, meaning there is no real exploit here,

other than a link that links to a malicious PowerPoint file. PowerPoint is often

a little bit ignored when it comes to office documents, but of course, everything malicious

that you can do in Word or Excel, you typically are also able to do in PowerPoint. That

exactly what happens here. So Xavier walks you through the analysis of this document.

Well, in one way how you may quickly analyze some malware is of course a virus total and uploading to virus total is done fairly commonly.

If you think about it, virus total is trying to do something pretty difficult and dangerous.

They're willingly accepting malicious files, and then they have virus scanners,

so software on the host, on the server, scan that file that you uploaded. And well, researchers at SciSaurus

actually managed to exploit that process and gain remote code execution access on VirusTotals

servers. While in itself, of course, yes, no, this affects Google doesn't really affect you personally

...