How to analyze malicious file downloads

Many NIDS Events will let you know that a file has been downloaded to an asset.  You may be researching a BAD IP event and you see related 'download' events that you need to research.  Here are some examples.  

• ET POLICY PDF With Embedded File;
• ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile;
• ET POLICY Binary Download Smaller than 1 MB Likely Hostile;
• ET ATTACK_RESPONSE Windows LMHosts File Download - Likely DNSChanger Infection;
• ET CURRENT_EVENTS rechnung zip file download;
• ET INFO Microsoft Compact Office Document Format File Download;
• ET MALWARE UPX encrypted file download possible malware;
• Suricata ruleset contains  a lot of rules which are created to detect the download of suspicious files and files with high security risk (e.g. executable files smaller than 1 MB)

You can see some of these with the following query: https://dsap.netwatcher.com/5Sqy7 

Here are the basic steps to follow in your research:

• Download the session PCAP and extract the file of interest from it.  There are multiple ways to do this and you can find them all in this great SANS article: https://www.sans.org/reading-room/whitepapers/forensics/extracting-files-network-packet-captures-36562 
• Upload the extracted file to online file analyses tools:
  • https://www.virustotal.com/#/home/upload
  • https://www.hybrid-analysis.com/
  • https://sandbox.anlyz.io/#!/malware-dashboard
  • https://apkscan.nviso.be/report/show/c13c753c8e4f075cbf527527a88318dc for Android files (.apk extension)
  • https://www.malwaretracker.com/index.php (PDF and common formats)
  • http://jsunpack.jeek.org/ (JavaScript analyses, you can download code or file. Can be used for other file formats).

• Analyzing JavaScript:
  • http://jsbeautifier.org/ - This little beautifier will reformat and re-indent bookmarklets, ugly JavaScript, unpack scripts packed by Dean Edward’s popular packer, as well as deobfuscate scripts processed by javascriptobfuscator.com
  • http://jsunpack.jeek.org/ - Jsunpack by Blake Hartstein is designed for automatically examining and deobfuscating JavaScript. Its features also include carving contents of network packet capture (PCAP) files and identifying common client-side exploits. It can also examine PDF files for malicious JavaScript artifacts. (The example I uploaded used Flash, rather than PDF, so Jsunpack didn’t locate malicious artifacts in this case.
• Analyzing PDF Documents:
  • https://blog.didierstevens.com/programs/pdf-tools/  - Very useful set of tools for PDF analyses.  
• Analyzing Microsoft Office Documents:
  • https://github.com/decalage2/oletools/wiki - oletools is a package of python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging. It is based on the olefile parser. See http://www.decalage.info/python/oletools for more info.