Sign in to track your watch progress.
The phishing and exploit-kit landscape. Drive-by download mechanics. Weaponised PDFs (/OpenAction, /JS), RTF (Equation Editor), Office macros (VBA, P-Code), and JavaScript de-obfuscation techniques.
Antivirus engines became efficient at scanning executables. Application whitelisting blocked unknown EXEs. Network filters caught suspicious downloads. So attackers shifted: instead of making the victim run an executable, they make the victim open a document or visit a page. The document or page contains code that exploits a vulnerability or social-engineers the user into authorising the next stage.
Today, the majority of initial-access compromises go through one of three vectors: a malicious document attached to a phishing email, a drive-by download from a compromised website, or a malicious link delivered via collaboration tools. This lesson covers all three.
A drive-by download is an attack in which visiting a web page is sufficient to infect the visitor's machine. The user does not click anything or download a file manually. The page contains code (typically in a hidden <iframe> or injected <script> tag) that exploits a browser or plugin vulnerability to execute a payload.
The typical infection chain has three stages:
<iframe> pointing to an exploit kit server.Exploit kits were server-side frameworks that automated this — fingerprinting visitors, selecting an appropriate exploit, delivering the payload, tracking infection statistics. Notable examples included Angler (peaked 2015), RIG, and Magnitude. The EK era declined as Flash and Java were retired from browsers, but the architecture survives in modern browser-based attacks via JavaScript and WebAssembly.
Attackers craft deceptive URLs to trick users into visiting malicious infrastructure:
gogle.com, amaz0n.com. Compare character-by-character; check WHOIS registration date.xn--...); any xn-- URL warrants scrutiny.paypal.com.evil-site.net is owned by evil-site.net, not PayPal.urlexpand.com or unfurl.io to resolve before clicking.PDF files are deceptively powerful. They support embedded JavaScript, embedded files, automatic action triggers, and rich interactive forms — all useful for legitimate workflows, all abusable.
The two PDF-specific abuse vectors:
A PDF polyglot is a file that is simultaneously a valid PDF and a valid file of another format — typically a JAR or ZIP. The PDF reader sees a PDF; the OS, asked to "execute" it, sees an executable. Polyglots evade format-based filtering.
Tools: pdfid and pdf-parser (Didier Stevens) for static structural analysis; peepdf for interactive PDF exploration.
RTF (Rich Text Format) was once a benign Microsoft text format. It became a major attack vector because of Equation Editor — an old Microsoft component (EQNEDT32.EXE) bundled with Office. CVE-2017-11882 and CVE-2018-0802 were memory corruption vulnerabilities in Equation Editor; an RTF document containing a crafted equation object would crash Equation Editor in a way that yielded code execution.
Microsoft eventually removed Equation Editor from Office 2018+. But RTF remains an attractive vector because:
The textbook vector. Office documents support VBA macros — full programs that run inside Word, Excel, or PowerPoint. Malicious documents persuade the user (via a fake "this document was created in a newer version, click Enable Content to view") to enable macros. The macro then executes whatever the attacker wrote.
Common macro patterns:
powershell.exe or cmd.exe with arguments to download a stage-2 payload.Tools: oletools suite (Philippe Lagadec) — olevba extracts macros, oleid summarises document risk, mraptor flags suspicious patterns.
Both browser exploits and embedded document scripts arrive heavily obfuscated. Two practical techniques:
Most obfuscated JavaScript ends with eval(decoded) or a functionally equivalent dynamic execution call. Replace eval with console.log or document.write and run the obfuscated code. The deobfuscated payload prints to console without executing.
// Original obfuscated:
eval(function(p,a,c,k,e,d){...}(...));
// Modified for analysis:
console.log(function(p,a,c,k,e,d){...}(...));
For inline obfuscation that does not pass through eval, set a breakpoint at the top of the obfuscation routine in the Sources panel of Chrome/Edge DevTools. Step through; inspect variables; the deobfuscated content sits in memory by the time the script reaches its final action.
olevbaSection 03
pdfid, pdf-parser, the canonical PDF analysis suite.
toololevba, mraptor, oleid — the standard kit for malicious Office document analysis.
toolExcellent practical reference for de-obfuscation patterns.
referenceSubmit suspicious documents; VT detonates them in sandboxes and reports observed behaviour.
toolSection 04
For each URL, name the trick: (1) https://www.gogIe.com (capital I), (2) https://paypal.com.security-check.tk, (3) https://xn--ggle-0nda.com. Verify your answers using a Punycode converter.
Take any sample PDF (Didier Stevens publishes test files). Run pdfid. Identify whether it contains /OpenAction, /JS, or /JavaScript. If yes, extract the JS with pdf-parser.
Pick a malicious-document sample from MalwareBazaar (filter by tag = doc). Run olevba. Find the AutoOpen entry point. Deobfuscate the payload manually (or via olevba's --reveal flag). Identify the C2 URL.