| Finding | Severity |
|---|---|
| Suspicious small ISO (3–15MB) | Medium |
| 1–3 files only | Medium |
| .lnk present | High |
| .hta / .js / .vbs | High |
| DLL side-loading structure | Very High |
| Embedded executable | High |
| Fake double extension | High |
| ISO built with UltraISO | Medium |
| No publisher / blank metadata | Medium |
| Password-protected archive | Very High |
| Nested archive inside ISO | Very High |
Suspicious Patterns
- 3–15 MB ISOs
- Contain 1–3 files
- Usually `.lnk` + `.dll` or `.exe`
```bash
# Identify
file sample.iso
# Enumerate
isoinfo -d -i sample.iso
# Mount It (Safely)
# Flags:
# - `loop` → treat file as block device
# - `ro` → read-only (important)
# - `noexec,nosuid,nodev` → worth adding as well, so nothing inside the image can be executed or gain privileges from the mount point
sudo mkdir /mnt/iso
sudo mount -o loop,ro sample.iso /mnt/iso
# Inspect
tree /mnt/iso
ls -la /mnt/iso
# Unmount
sudo umount /mnt/iso
```
Extract Instead of Mounting (Safer for Automation)
```bash
7z x sample.iso -oextracted_iso
# OR
bsdtar -xf sample.iso -C extracted_iso
```
Hunt
Common malicious ISO patterns:
- `.lnk`, `.hta`, `.js`, `.vbs`, `.cmd`
- Fake double extensions such as `.pdf.exe`
- DLL side-loading structures
```bash
# Identify
find extracted_iso -type f
# Enumerate
file suspicious_file
strings suspicious_file | less
```
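The findings table and the Hunt list above can be turned into a repeatable triage check over an extracted ISO directory. The script below is an added example written for these notes, not a tool from the original page: the weights (Medium = 1, High = 2, Very High = 3), the function names and the constructed sample files are assumptions for the illustration. Password-protected archives are left out because detecting them needs an archive tool rather than file names.

```shell
#!/bin/sh
# Added example, not part of the original notes: score a directory extracted from an ISO
# against the findings table. Weights, function names and sample files are assumptions.

# Print one finding and add its weight to the running total.
note() {  # note <severity> <weight> <description>
    echo "[$1] $3"
    ISO_SCORE=$((ISO_SCORE + $2))
}

# Succeed if any regular file under $1 matches the case-insensitive name pattern $2.
has_file() {
    find "$1" -type f -iname "$2" | grep -q .
}

# iso_triage_score <extracted_dir> [iso_size_in_bytes]
# Prints each matched finding and leaves the total in ISO_SCORE.
iso_triage_score() {
    dir="$1"
    iso_size="${2:-0}"
    ISO_SCORE=0

    # Suspicious small ISO (3-15 MB): too small for a real OS or application image
    if [ "$iso_size" -ge 3145728 ] && [ "$iso_size" -le 15728640 ]; then
        note Medium 1 "ISO size in the 3-15 MB range"
    fi

    # Only 1-3 files: a lure plus a payload rather than a disc image
    nfiles=$(find "$dir" -type f | wc -l | tr -d ' ')
    if [ "$nfiles" -ge 1 ] && [ "$nfiles" -le 3 ]; then
        note Medium 1 "only $nfiles file(s) in the image"
    fi

    has_file "$dir" '*.lnk' && note High 2 ".lnk shortcut present"

    for ext in hta js vbs cmd; do
        has_file "$dir" "*.$ext" && note High 2 ".$ext script present"
    done

    # DLL side-loading structure: an EXE shipped next to a DLL it will load
    if has_file "$dir" '*.exe' && has_file "$dir" '*.dll'; then
        note "Very High" 3 "EXE + DLL pair (DLL side-loading structure)"
    fi

    # Embedded executable: check the MZ magic bytes, not the extension
    mz=$(find "$dir" -type f | while IFS= read -r f; do
            if [ "$(head -c 2 "$f")" = "MZ" ]; then echo "$f"; fi
         done)
    [ -n "$mz" ] && note High 2 "PE executable by magic: $(echo "$mz" | tr '\n' ' ')"

    # Fake double extension such as invoice.pdf.exe
    if find "$dir" -type f | grep -Eiq '\.(pdf|doc|docx|xls|xlsx|txt|jpg|png)\.(exe|scr|com|pif|lnk)$'; then
        note High 2 "fake double extension"
    fi

    # Nested archive inside the ISO
    for ext in zip rar 7z iso img cab; do
        has_file "$dir" "*.$ext" && note "Very High" 3 "nested archive (.$ext)"
    done

    echo "SCORE=$ISO_SCORE"
}

# Constructed sample: the usual lure layout (shortcut + EXE + DLL). The "executables"
# hold only the MZ magic bytes; they are not real binaries.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/Invoice.lnk"
    printf 'MZ\220\000\003' > "$d/update.exe"
    printf 'MZ\220\000\003' > "$d/version.dll"
    echo "$d"
}

# Usage: sh triage.sh <extracted_dir> [iso_size_bytes]; with no arguments, run the sample.
if [ $# -gt 0 ]; then
    iso_triage_score "$1" "${2:-0}"
else
    sample=$(make_sample_dir)
    iso_triage_score "$sample" 5000000
    rm -rf "$sample"
fi
```

Run it against the `extracted_iso` directory from the extraction step, passing the ISO's byte size as the second argument; the constructed sample scores 9 (small image, three files, `.lnk`, EXE + DLL pair, PE magic), which is the profile the table describes.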
Deep Inspection
```bash
# If ISO contains EXE/DLL:
sha256sum file.exe
# Then:
exiftool file.exe
# If packed or carrying embedded payloads (binwalk finds embedded files; it does not unpack packers):
binwalk file.exe
# If script-based:
less file.js
```