Skip to content
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
Cannot retrieve contributors at this time


This repo contains the slides and files required for my DefCon 27 (2019) and CactusCon 8 (2019) "Understanding and Analyzing Carrier Files" Workshop. Get it gurl!

The malware samples for this workshop are located at:

  • The zip file password is: dc27workshop
remnux@remnux:~/cfworkshop$ ls
remnux@remnux:~/cfworkshop$ zip -e *
Enter password: 
Verify password: 
  adding: 1a73585dc90551822b772e3bab61a856a3ed8377b2e71326ce1b946a43cfa1f2 (deflated 44%)
  adding: 3777e556ddbafa08d7dcb35876bc47ee1226a8ad7d014d94ec5c6f6fc191a34d (deflated 23%)
  adding: 62a83453d87810a25cf7ef7952f8cbed211064f2de4e7e39ddcff42c8c855759 (deflated 17%)
  adding: ad4a9c91b33217062c18b9945088150947cb127cd65962baa98fbd5c8eb8a18d (deflated 5%)
  adding: dd55a7a66df1ab791cccb06ba0c7da9ae9f7670bee673b4ee2df4fd21909ca07 (deflated 40%)
  adding: f6e9515a3e2e9afc1a5ced7002ea19ceffab1bc2f7cc5cd4bbf86d22aa93057a (deflated 4%)
remnux@remnux:~/cfworkshop$ shasum -a 256 

Pre-requisites -- Can I Kick It? (Yes, You Can!)

This workshop will cover the file formats for both PDF and Office (e.g. docx) files. If you've never analyzed such a file for maliciousness, fear not! We'll be covering the basics. If you have programming/scripting experience, great. If not, don’t worry. If you have worked to deobfuscate code, fantastic. If not, meh.

At previous $dayjob, I ran a five-week onboarding program for our new hire SOC analysts. Even folks brand new to incident response are able to follow along and learn from this type of training. I’ll work with anyone willing to push his or herself to learn some new skills. To gain the most from the workshop, you will want to make sure that you are somewhat familiar with the following (as in, if you're not now, do some Googling!):

JavaScript (JS) & Visual Basic for Applications (VBA)

We are going to be analyzing both JS and VBA code. If you have never touched either of these languages before, or you are not a programmer by nature, fear not. Please contact me for some resources, or just hit YouTube/Google/whatever for some crash course action.


Big 'ol bonus if you're already familiar with debugging concepts such as setting breakpoints, stepping through code, etc. If you have never run a debugger, go hit your favorite search engine and blah blah. You know the drill. I'll be covering the basics in the workshop, but you'll simply be more comfortable if you've had a little experience prior to the workshop. No biggie if not.

Virtual Machines (VMs)

We'll be using VMs to avoid infecting our host machines, as we'll be working directly with malicious documents. If you've never used a VM before, you're going to have a bad time. In such case, I recommend checking YouTube (or reaching out to me personally) for some resources on setting up a VM in a tool like VMware or VirtualBox.

Materials & Equipment


"P6 chip. Triple the speed of the Pentium."

To participate in the workshop, you don't need Acid Burn's laptop. However, you will want to bring a laptop equipped with the following:

  • The laptop will probably need at least 8GB of RAM, as you'll need to be able to run your host OS along with two VMs.
  • Please try to have a USB port available. I will have USB 3.0 drives with me the day of the workshop. These drives will be FAT-formatted (nothing fancy) and contain the files required for the workshop. I will also pop the files on to a cloud-based file sharing service ahead of the workshop for folks whom like to setup early.
  • VM software! You'll need software to run a VM, such as VMware or VirtualBox. Doesn't matter if you're on a Mac with VMware Fusion, Windows, Linux, whatever. As long as you can run a VM (and take at least one snapshot), we're solid!

VM Setup

You will need to have 2 VMs ready to rock:

Windows Malware VM

You will need a Windows malware VM (10 preferred, 7+ will work).


You will want an up-to-date copy of the REMnux VM:

VMs available

If you REALLY cannot prep for the workshop (and damn you if this is the case), again, I'll have 20 or so USB 3.0 drives available with VMs that you can use. Please note that the VMs will be around 10GB+. Even though they are USB 3.0 drives, it will take a while to copy the required files to get setup. So... you know. PREP dang you!