Peepdf

Document Forensics Tool - Peepdf

Peepdf is a specialized forensic tool designed for analyzing PDF documents, particularly useful in the fields of digital forensics and malware analysis. Unlike standard PDF viewers, Peepdf enables investigators to dissect the structure of PDF files, allowing them to uncover hidden content, scripts, and embedded objects that could indicate malicious activity. This makes it an essential tool for identifying potential threats in documents that may be used to deliver malware or engage in fraud.

One of the standout features of Peepdf is its ability to extract and analyze JavaScript and other actions embedded within PDF files. This functionality helps forensic experts detect risks associated with suspicious documents and understand how they might operate. Peepdf operates in a read-only mode, ensuring that the original PDF file remains intact during the examination process. Additionally, it generates detailed reports summarizing the findings, which can be crucial for documenting evidence in legal contexts. Widely used in cybercrime investigations and incident response, Peepdf serves as a reliable resource for professionals tasked with evaluating the security and integrity of PDF documents.

DocFileViewer

Document Analysis using DocFileViewer

DocFileViewer is a document forensic analysis tool used to analyze files with the [.]doc extension. It is a GUI tool that can parse and view the OLE structure of Microsoft Word documents.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

Open or drag the document inside the tool.

oledump

Document Analysis using oledump.py

oledump.py is a document forensic analysis tool developed by Didier Stevens and it is used to analyze OLE files. These files contain streams of data, and oledump allows you to enumerate and analyze those streams. Many applications use this file format; the best known is MS Office.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

Note: oledump.py requires the olefile.py module to run.

Methods to fix this issue:

1. Install Python, then install olefile with: pip install olefile

2. Download olefile.py and copy it into the same folder as oledump.py

To use the tool, open a command prompt and run: oledump.py -h

PDFStreamDumper

Document Analysis using PDFStreamDumper

PDFStreamDumper is a tool used for the analysis of malicious PDF documents. It has specialized tools for dealing with obfuscated JavaScript, low-level PDF headers and objects, and shellcode. In terms of shellcode analysis, it has an integrated interface for libemu sctest, an updated build of iDefense sclog, and a shellcode_2_exe feature.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

Drag or open the document inside the tool.

pdfparser

Document Analysis using PDF Tools Toolkit

pdf-parser.py is a document forensic analysis tool developed by Didier Stevens and it is used to analyze [.]pdf file extensions. This tool will parse a PDF document to identify the fundamental elements used in the analyzed file.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

Pdfid

Document Analysis using PDF Tools Toolkit

pdfid.py is a document forensic analysis tool developed by Didier Stevens and it is used to analyze [.]pdf file extensions. This tool scans a file to look for PDF keywords, allowing you to identify PDF documents that contain JavaScript or execute an action when opened.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.
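To illustrate the kind of keyword scan pdfid performs, here is an added example written for this page (it is not Didier Stevens' pdfid.py and checks only a representative subset of keywords). It counts action- and JavaScript-related names over a constructed sample PDF, first resolving #xx name escapes so an obfuscated /Java#53cript is still counted.

```python
import re

# Representative subset of the keywords pdfid reports (assumption: not the full list).
SUSPICIOUS_KEYWORDS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
                       "/EmbeddedFile", "/AcroForm", "/ObjStm")


def normalize_names(data: bytes) -> bytes:
    """Resolve #xx hex escapes in PDF names so b'/Java#53cript' reads as b'/JavaScript'."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)


def count_keywords(data: bytes) -> dict:
    """Count each suspicious name token in the raw (uncompressed) PDF bytes."""
    text = normalize_names(data)
    counts = {}
    for kw in SUSPICIOUS_KEYWORDS:
        # A name ends at whitespace or a delimiter, so /JS must not also match /JSxyz.
        pattern = re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])"
        counts[kw] = len(re.findall(pattern, text))
    return counts


def triage(data: bytes) -> list:
    """Turn raw counts into the short findings an analyst wants at first glance."""
    counts = count_keywords(data)
    findings = []
    if counts["/JS"] or counts["/JavaScript"]:
        findings.append("contains JavaScript")
    if counts["/OpenAction"] or counts["/AA"]:
        findings.append("runs an action automatically (on open or on an event)")
    if counts["/Launch"]:
        findings.append("can launch an external program")
    if counts["/EmbeddedFile"]:
        findings.append("carries an embedded file")
    if counts["/ObjStm"]:
        findings.append("uses object streams; keywords inside them are hidden until inflated")
    return findings


# Constructed sample: a minimal PDF skeleton whose OpenAction points at a JavaScript
# action, with one name hex-escaped the way obfuscated samples often do.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /Java#53cript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(count_keywords(SAMPLE_PDF))
    print(triage(SAMPLE_PDF))
```

Like pdfid, this only sees names in the uncompressed parts of the file; content inside FlateDecode'd streams needs a parser such as pdf-parser.py to inflate and inspect.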

MalHost-Setup

Document Analysis using OfficeMalScanner Toolkit

MalHost-Setup is the last tool we will discuss in the OfficeMalScanner toolkit. It converts the code at the document's malicious offset into a standalone executable to expedite analysis.

In an incident, time is critical to the responder, and they must have the skills and the right set of tools to perform such an action to be able to quickly timeline the attack.

Open command prompt and run:

MalHost-Setup.exe <document_name> <exe_name> <offset_address>

DisView

Document Analysis using OfficeMalScanner Toolkit

DisView is bundled inside the OfficeMalScanner toolkit. It works by disassembling the code found at the malicious offset for further analysis.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

To use the tool, open a command prompt and run:

DisView.exe <document_name> <offset_address>

RTFScan

Document Analysis using OfficeMalScanner Toolkit

RTFScan is a document forensic analysis tool used to analyze files with the [.]rtf extension. The toolkit it belongs to includes OfficeMalScanner, RTFScan, DisView and MalHost-Setup, which aid the analyst in analyzing documents in relation to phishing incidents.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.

OfficeMalScanner

Document Analysis using OfficeMalScanner Toolkit

OfficeMalScanner is the document analysis component of the OfficeMalScanner toolkit, developed by Frank Boldewin. It is used to analyze files with the [.]doc extension. The toolkit also includes RTFScan, DisView and MalHost-Setup, which aid the analyst in investigating documents related to phishing.

In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.