In this lab, we explore how cybercriminals leverage PDF files as a vector for distributing malware, exploiting vulnerabilities in popular software like Adobe Acrobat Reader. PDF files are a ubiquitous format for document exchange due to their versatility and compatibility across platforms. However, this widespread use has made them a prime target for attackers who embed malicious code to exploit unpatched vulnerabilities. In particular, this lab focuses on analyzing a packet capture (PCAP) file that documents a typical attack scenario: an unsuspecting user visits a compromised webpage, triggering a chain of events that leads to the automatic download and execution of malicious software.
As a Security Operations Center (SOC) analyst, you will dissect the network traffic to identify malicious URLs, analyze embedded JavaScript code, and investigate the exploitation of known vulnerabilities. This walkthrough will guide you through using tools like Wireshark for network traffic analysis, pdfid and pdf-parser for examining the structure and contents of the malicious PDF, and scdbg for shellcode emulation. Along the way, you will uncover how the malware is delivered, how it executes on the victim’s machine, and how it attempts to evade detection.
By the end of this lab, you'll have a deeper understanding of how attackers craft multi-stage exploits using seemingly benign files and how to trace and analyze such threats using forensic techniques. This hands-on investigation will reinforce your skills in malware analysis, network forensics, and defensive strategies to detect and mitigate similar attacks in real-world scenarios.