Next Meetup

Malicious Office Documents for Blue and Red Teams - Hands-On Workshop
Welcome to our first workshop - Xmas Edition - by NVISO at The Bench. Didier will hold a hands-on workshop on malicious office documents for blue and red teams. Please bring your laptops, as you will follow the process along the way with ~20 practical exercises that will help you up your game in blue and red team efforts. Agenda: 18:00 Doors open, socializing, snacks and Glühwein 18:20 Intro 18:30 Start of lab 21:30 Socializing and networking 22:00 Doors close Content: Since malicious Office documents became prevalent again by the end of 2014, and are still prevalent today, new analysis and generation tools have been developed. These free, open-source analysis tools written in Python have the advantage of running on many operating systems. First we cover the "old", pre-Office 2007 file format used by Office. This binary file format is the OLE Compound file format. The first 4 exercises cover this file format for the different Office applications. This binary file format is still relevant today, not only because it is still widely used, but also because the new file format (Office 2007 and later) includes elements of this binary file format. Didier's tool is used to analyze these exercises. Then we look at the new file format (Office 2007 and later), which is essentially composed of XML files contained in a ZIP archive. We then we look at simple examples with VBA code. is used to extract the VBA code (no need to use Office). After covering the 2 main file formats and their analysis, we can focus on malware and the VBA features it uses to compromise systems. 4 exercises illustrate the 2 main types of malicious documents encountered today: downloaders and droppers. To evade detection and thwart analysis, malware authors use obfuscations. We conduct the analysis of 3 exercises illustrating code obfuscation and 6 exercises illustrating string obfuscation. Finally, the lab covers less common file formats that malware authors masquerade as .doc files. An example is the MIME file format. Didier's free open-source tools,,,, … will be used in this lab, along with plugins for Attendees to this lab will be able to download the exercises and tools. USB sticks will also be available. The lab can be done on Windows, OSX and Linux machines. Linux users should pre-install Python 2.7 with their package manager. Windows and OSX users can choose to install Python 2.7 at the start of the lab. About Didier: Didier Stevens (SANS ISC Handler, Microsoft MVP, GREM, …) is a Senior Analyst working for NVISO ( Didier is a pioneer in malicious PDF document research and malicious MS Office documents analysis, and has developed several tools to help with the analysis of malicious documents like PDF and MS Office files. You can find his open source security tools on his IT security related blog at Note: The meetup will be hosted by NVISO at THE BENCH near Frauenplatz and will be held in English. Note: Seats are limited, please sign-up only if you can actually make it and update your RSVP in case your plans change. Thanks!


Frauenplatz 5 · München

1 comment

    Past Meetups (49)

    What we're about

    The MUC:SEC Meetup group is a group of computer security professionals in the greater München area who meet to exchange their experiences on handling computer security incidents or just exchange best practices in computer security. As a member of the computer security community, face-to-face interaction is important in building trust relationships, and this meetup is there to provide this opportunity.

    Members (708)

    Photos (48)