Skip to content
/ malware-tools-docker Public

Dockerfile with tools for analyzing malicious documents.

11 stars 3 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

nshadov/malware-tools-docker

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
tools
tools
 
 
.gitmodules
.gitmodules
 
 
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
pdf_downsample.sh
pdf_downsample.sh
 
 

Repository files navigation

Malicious file analysis toolset

Pack of tools used to quickly analyze malicious documents in semi-safe environment (Docker ;)

Build image locally from Dockerfile (optional)

You could build image localy (from attached Dockerfile) or download whole image from DockerHub:

docker build . -t "nshadov/malware-tools"

Install & Run

This would drop you to shell inside container, with current working directory mounted (RW) as HOME. Open it up in directory where you have disposable copy of your malicious files.

docker run --rm -it --security-opt="no-new-privileges" --cap-drop=all
       -v $(pwd):/home/malware
       --name python-test nshadov/malware-tools

If you need admin privileges inside container

Run options '--security-opt="no-new-privileges" --cap-drop=all' and user changed to 'malware' are done for your own safety -- you're operating on untrusted code. If you remove them you will be able to use sudo (same password as user name).

Example Usage

Microsoft Word Documents

Use MRAPTOR to search for suspicious files (DOC, XLS, PPT, XML, VSD ...).

mraptor FILE.doc

Use OLEVBA to analyze Microsoft Word documents and extract VBA scripts:

olevba --decode --reveal FILE.doc

Dump specific RTF object (or all) to separate file with RTFOBJ.

rtfobj --save 2 FILE.rtf

You can find files embedded into another file using HACHOIR-SUBFILE:

hachoir-subfile FILE.doc

PDF Documents

Inspect for suspicious elements using PDFID (/opt/tools/):

/opt/tools/pdfid/pdfid.py FILE.pdf
...
 /JS                    0
 /JavaScript            1
 /AA                    0
 /OpenAction            1
 /AcroForm              0

Take a closer look for suspicious elements using PDF-PARSER:

pdfparse FILE.pdf

Search for specific strings (case insensitive):

pdfparse -s script FILE.pdf
pdfparse -s URI FILE.pdf
pdfparse -s action FILE.pdf

Dump specific object stream to a file:

pdfparse -f -o 8 -w FILE.pdf > object8.txt

Or interactively analyze and walk through PDF file with PEEPDF:

$ peepdf --interactive FILE.pdf

PPDF> tree
...

PPDF> offsets
...

PPDF> metadata
...

PPDF> rawobject 1
...

PPDF> stream 13
...

PPDF> js_analyse object 13
...

You can convert PDF file into series of PNG images with GHOSTSCRIPT (to preview it or get rid of active content):

ghostscript -dNOPAUSE -dBATCH -sDEVICE=pngalpha -r96 -sOutputFile='page-%000d.png'

Cheat Sheets

About

Dockerfile with tools for analyzing malicious documents.

Topics

docker security malware forensics malware-analysis forensic-analysis

Resources

Readme
Activity

Stars

11 stars

Watchers

2 watching

Forks

3 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages