This content is open to everyone — sign in to save your progress, earn points, and unlock module exams.
Unit 4 of REMA
Malicious websites, drive-by downloads, JavaScript de-obfuscation, malicious PDFs, RTF exploitation, and Microsoft Office macro malware.
Drive-by download infection chains, exploit kits, five URL deception techniques with detection methods, safe investigation tools, Traffic Distribution Systems, and a structured URL analysis documentation workflow.
Six JavaScript obfuscation patterns, eval() override interception technique, DevTools breakpoint method, CyberChef static decode, a six-step workflow, and environmental keying bypass.
How attackers deliver malicious payloads through legitimate-looking HTML files that assemble the payload inside the browser, bypassing perimeter filters. Covers the technique, NOBELIUM and Lazarus campaigns, and defender visibility gaps.
PDF file structure, five attack vectors, pdfid.py triage, pdf-parser.py object extraction, PDF stream filter decoding, JavaScript analysis workflow, and a quick triage decision tree.
RTF file structure, five reasons attackers prefer RTF, CVE-2017-11882 and CVE-2017-0199 exploitation chains, rtfobj extraction, scdbg shellcode emulation, and high-risk indicator recognition.
VBA macro infection chains, format identification by magic bytes, oleid and olevba triage, P-Code hidden execution, Excel 4.0 XLM macros, DDEAUTO, remote template injection, malicious OneNote files, and a nine-step triage workflow.
After Microsoft blocked internet-marked macros by default in 2022, attackers shifted to LNK files. This topic covers the LNK binary structure, embedded command-line abuse, and the bypass techniques used in QakBot and IcedID delivery chains, with analyst tooling for triage.
Container files (ISO, IMG, VHD) bypass the Mark-of-the-Web because Windows mounts them as drives, stripping the zone identifier from contents. This topic covers the technique, its rise in BumbleBee and Emotet campaigns, the Microsoft November 2022 mitigation, and current analyst workflows for container triage.
Test your understanding of all Unit 4 topics — malicious website analysis, JavaScript de-obfuscation, PDF analysis, RTF exploitation, and Office macro malware — with 20 multiple-choice questions. A certificate is issued on your first passing attempt.