Over at the SANS ISC diary I wrote a diary entry on the analysis of a PDF file that contains a malicious DOC file.
For testing purposes, I created a PDF file that contains a DOC file that drops the EICAR test file.
You can download the PDF file here. It is in a password protected ZIP file. The password is eicardropper, with eicar written in uppercase: EICAR.
This will generate an anti-virus alert. Use at your own risk, with approval.
A small update to my base64dump.py program: with option -n, you can specify the minimum length of the decoded base64 stream.
I use this when I have too many short strings detected as base64.
In this new version of pdf-parser, option -H will now also calculate the MD5 hashes of the unfiltered and filtered stream of selected objects, and also dump the first 16 bytes. I needed this to analyze a malicious PDF that embeds a .docm file.
As you can see in this screenshot, the embedded file is a ZIP file (the first bytes are the PK signature): .docm files are actually ZIP files.
Jump List files are actually OLE files. These files (introduced with Windows 7) give access to recently accessed applications and files. They have forensic value. You can find them in C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations and C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations.
The AutomaticDestinations files are the OLE files, so you can analyze them with oledump. There are a couple of tools that can extract information from these files.
Here you can see oledump analyzing an automatic Jump List file:
The stream DestList contains the Jump List data:
There are several sites on the Internet explaining the format of this data, like this one. I used this information to code a plugin for Jump List files:
The plugin takes an option (-f) to condense the information to just filenames:
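To show what such a plugin has to do with the DestList stream, here is an added, stand-alone parser (my example, not the oledump plugin itself) for a raw DestList stream, with a filenames-only mode in the spirit of option -f. It assumes the commonly documented Windows 7 (version 1) layout: a 32-byte header, then per entry a 112-byte fixed part, a 2-byte UTF-16 code-unit count and the path; the sample stream and host name WKS01 are constructed here, not taken from a real Jump List.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed Windows 7 (version 1) DestList layout: 32-byte stream header, then per
# entry 112 fixed bytes, a 2-byte UTF-16 code-unit count and the path string.
HEADER_LEN = 32
ENTRY_FIXED_LEN = 112

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to a UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_destlist(data, filenames_only=False):
    """Parse a raw DestList stream (e.g. dumped with oledump -d) into entries."""
    version, count = struct.unpack_from('<II', data, 0)
    if version != 1:
        raise ValueError('only version 1 (Windows 7) DestList streams are handled here')
    entries, offset = [], HEADER_LEN
    for _ in range(count):
        fixed = data[offset:offset + ENTRY_FIXED_LEN]
        host = fixed[72:88].split(b'\x00', 1)[0].decode('ascii', 'replace')  # NetBIOS name
        entry_id, = struct.unpack_from('<I', fixed, 88)
        last_access, = struct.unpack_from('<Q', fixed, 100)   # FILETIME
        pin_status, = struct.unpack_from('<i', fixed, 108)    # -1 means not pinned
        strlen, = struct.unpack_from('<H', data, offset + ENTRY_FIXED_LEN)
        start = offset + ENTRY_FIXED_LEN + 2
        path = data[start:start + strlen * 2].decode('utf-16-le')
        offset = start + strlen * 2
        if filenames_only:
            entries.append(path)
        else:
            entries.append({'id': entry_id, 'host': host, 'pinned': pin_status != -1,
                            'accessed': filetime_to_datetime(last_access), 'path': path})
    return entries

def build_entry(entry_id, host, filetime, path, pin_status=-1):
    """Construct one version-1 entry (test data only, not a real Jump List)."""
    fixed = bytearray(ENTRY_FIXED_LEN)
    fixed[72:72 + len(host)] = host.encode('ascii')
    struct.pack_into('<I', fixed, 88, entry_id)
    struct.pack_into('<Q', fixed, 100, filetime)
    struct.pack_into('<i', fixed, 108, pin_status)
    encoded = path.encode('utf-16-le')
    return bytes(fixed) + struct.pack('<H', len(encoded) // 2) + encoded

# Constructed sample stream: version 1 header announcing two entries.
SAMPLE = struct.pack('<II', 1, 2) + b'\x00' * (HEADER_LEN - 8)
SAMPLE += build_entry(1, 'WKS01', 131877900000000000, r'C:\Users\alice\Documents\invoice.docm')
SAMPLE += build_entry(2, 'WKS01', 131877960000000000, r'C:\Users\alice\Downloads\report.pdf', 0)

if __name__ == '__main__':
    for entry in parse_destlist(SAMPLE):
        print(entry)
    print(parse_destlist(SAMPLE, filenames_only=True))
```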