Malicious Documents for Red Teams

Course Description

Malicious Office documents have been on the radar for several years now. Together with malicious PDF documents. But do you know how to create and tailor them efficiently to achieve successful read team engagements? This training will first teach you how to analyse MS Office files (both “old” OLE and “new” XML formats) and PDF files, to better understand how to create them and evade detection. PDF files that execute code via exploits. MS Office documents that execute code via macros or exploits. Didier Stevens will teach you how to use his Python tools to analyse MS Office documents and PDF documents. Then we will move on to the creation of malicious documents.

In this training, Didier will teach you how to use his tools for Microsoft Office and PDF creation for offensive security. Several of these tools are private, but you get to keep them when you take this training. Most of the time we will use Excel, because its rows and columns offer a convenient substitute for a graphical user interface. But the techniques work with all applications that fully support VBA (Visual Basic for Applications), like Word, but also non-office applications like AutoCAD.

We will use VBA programs and write our own programs that penetration testers need. VBA has an interface to the Windows API. We will learn to use this API to perform pentesting actions from within Office, like a port scan, and also how to use this API to inject and execute shellcode inside the Word/Excel process. And building on this shellcode technique, we will also learn how to package our own DLLs so that they can execute in Word/Excel’s process memory, without touching the disk. This is not a programming class. Knowledge of VBA is not required. Some basic scripting skills like knowledge of for loops and if statements are useful. The basics of VBA will be explained in class, and we will learn to use Didier’s tools and how to modify them to suit the task at hand. No exploits are necessary to achieve this goal, everything can be done with VBA without requiring vulnerabilities. We will learn how to reuse VBA functions and modules from the provided  tools to create goal-specific documents (Word, Excel, …).

Over the years, Didier has developed many tools and techniques to “abuse VBA”. These tools will be explained and used during this training. Some of these tools have never been published, but you will receive them all (Didier’s public and private tools) when you attend this class. Non-exhaustive list of Didier’s tools shared during this class:

  • Taskmanager with shellcode injector, process hollowing, parent process selection, .NET injector, …
  • Filemanager and container to drop and exfiltrate, modify and encode arbitrary files
  • Network tool (ping, port scan, service detection, communication, …)
  • Document to perform reconnaissance and exfiltration
  • Enumerate installed programs & patches
  • Enumerate executables modifiable by the user
  • CMD & Regedit running inside Word/Excel process
  • Tool to create Excel files on different operating systems, without dependencies with MS Office (Mono required).
  • Tool to uncover AV signatures to better evade AV detection

Course contents

Day 1

  • Crash course on analysis of MS Office documents
  • Crash course on analysis of PDF documents
  • Crash course on VBA WIN32 programming

Day 2

  • Exhaustive overview and exercises for VBA tools
  • Exhaustive overview and exercises for PDF tools

Day 3

  • Preparation of attacks with VBA and/or PDF tools
  • Execution of attacks with VBA and/or PDF tools

Learning Objectives

  • Deep understanding of the Portable Document Format
  • Analysis of (malicious) PDF files
  • Deep understanding of the OLE (CBF) file format
  • Deep understanding of Microsoft’s Office Open XML format
  • Analysis of (malicious) MS Office files
  • Creation of malicious PDF files
  • Creation of malicious MS Office files

Target Audience

This training is for technical IT security professionals like blue team or red team members, analysts and incident responders, but also for interested hackers. Attendees should be familiar with command line tools usage.

System Requirements


  • A Windows laptop is preferred, although the Python tools pdfid, pdf-parser and oledump also work on OSX and Linux
  • Microsoft Office installed, 32-bit preferred (for example Office 2012 or 2016)
  • Administrative rights
  • Rights to disable AV

Trainer Biography

Didier Stevens (Microsoft MVP, SANS ISC Handler, Wireshark Certified Network Analyst, …) is a Senior Analyst working at NVISO ( Didier is a pioneer in malicious PDF document research and malicious MS Office documents analysis, and has developed several tools to help with the analysis of malicious documents like PDF and MS Office files. Didier regularly participates in pentests and red team engagements to create task specific documents. You can find his open source security tools on his IT security related blog.

Twitter : @DidierStevens