Identifying file types:
Extracting Malicious Files from distribution packages
- Apple Disk Images (.dmg): macOS's built-in `hdiutil` command mounts the image, which lets us examine the disk image structure and extract the files it carries, such as a malicious installer or application, for analysis.
  `hdiutil attach CreativeUpdate/Firefox\ 58.0.2.dmg`
- Packages (.pkg): use `pkgutil`, or Suspicious Package. Packages often contain pre- and post-install bash scripts.
- Scripts:
  - Bash scripts: Platypus can be used to package scripts into .app macOS applications.
  - AppleScript:
    - Some context on reversing run-only AppleScripts: Adventures in Reversing Malicious Run-Only AppleScripts
    - AppleScript decompiler by Jinmo: `aevt_decompile`
    - Further reference: How AppleScript Is Used for Attacking macOS
- Perl scripts:
  - For heavily obfuscated code, an online Perl beautifier can restore readable formatting, e.g. https://codebeautify.org/perl-formatter-beautifier
- Microsoft Office documents:
  - oletools can be used to inspect embedded macros and other embedded content.
- Mac applications:
  - can be analysed statically using Apparency
  - to list all files in the bundle:
    `find Final_Presentation.app/`
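Before any of the tools above are run, the sample has to be routed to the right one, and extensions are not trustworthy on samples. The following shell function is an added example (not part of the original notes and not from any of the tools named above) that identifies the formats listed here by their magic bytes: the `koly` trailer of a .dmg, the `xar!` header of a .pkg, Mach-O and universal binaries, compiled AppleScript (`FasdUAS`), OLE2 and zip-based Office documents, and shebang scripts with their interpreter. It assumes only `od`, `head`, `tail` and `cut`, so it runs on macOS or Linux, and the sample inputs used to exercise it are constructed.

```shell
#!/bin/sh
# Added example: classify macOS distribution formats by magic bytes so a
# sample can be handed to hdiutil, pkgutil, aevt_decompile, oletools, etc.
# without mounting or opening anything first.

identify_mac_file() {
    f="$1"
    [ -f "$f" ] || { echo "not a regular file"; return 1; }

    # First four bytes as lowercase hex with no separators.
    head4=$(od -An -tx1 -N4 "$f" | tr -d ' \n')
    # A .dmg ends with a 512-byte 'koly' trailer; its leading bytes vary
    # with the compression used, so the tail is the reliable check.
    tail4=$(tail -c 512 "$f" | od -An -tx1 -N4 | tr -d ' \n')

    if [ "$tail4" = "6b6f6c79" ]; then
        echo "Apple disk image (dmg)"
        return 0
    fi

    case "$head4" in
        78617221) echo "pkg (xar archive)" ;;                    # "xar!"
        504b0304) echo "zip container (OOXML document or zipped bundle)" ;;
        d0cf11e0) echo "OLE2 compound document (legacy Office)" ;;
        cffaedfe|cefaedfe|feedfacf|feedface) echo "Mach-O binary" ;;
        cafebabe) echo "universal (fat) Mach-O" ;;
        46617364) echo "compiled AppleScript" ;;                 # "Fasd" of "FasdUAS"
        2321*)
            # Shebang: report the interpreter, resolving "#!/usr/bin/env perl".
            line=$(head -n 1 "$f" | cut -c 3-)
            set -- $line
            interp=${1##*/}
            if [ "$interp" = "env" ]; then
                interp=$2
            fi
            echo "script ($interp)"
            ;;
        *) echo "unknown" ;;
    esac
}

# Usage: sh identify.sh sample1 sample2 ...
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(identify_mac_file "$f")"
done
```

On macOS the `file` command recognises most of these already; the point of spelling the checks out is to see what each tool in the list above expects as input, and to catch a .pkg or Mach-O hiding behind a .docx or .pdf extension before it is double-clicked.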