Basic Office maldoc analysis

Published: 2017-07-10
Last Updated: 2017-07-10 22:21:39 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Malicious Office documents come in all type of flavors, sometimes very simple: they contain just an embedded file (for example an EXE), without any script or exploit to automatically launch the embedded file. The user is persuaded through social engineering to extract and execute the embedded file.

Analyzing such files in a sandbox will often not reveal the malicious payload, as the sandbox engine needs to recognize and open the embedded file.

Static analysis is simple however. Let's take a docx file as example. With zipdump.py, we can see the content:

The name of file 6 is oleObject1.bin: this is an OLE file.This can be analyzed with oledump.py:

Stream A2 has an O indicator: this means that the stream contains an embedded object (OLE2). We can select the stream and query info:

From the filename (Dialog42.exe) and the header (MZ / 4D5A), we can assume the embedded file is an executable.

This is confirmed by piping the file through pecheck.py:

If you want to practice this type of analysis, it's easy to create your own samples: with Word, use command: Insert / Object / Object / Create from file ...

Inserting object like this can result in other types of documents, which I will cover in an upcoming diary.

 

Didier Stevens
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

Keywords: maldoc
0 comment(s)
ISC Stormcast For Tuesday, July 11th 2017 https://isc.sans.edu/podcastdetail.html?id=5576

Comments

cwqwqwq

www

Nov 17th 2022
6 months ago

eweew<a href="https://www.seocheckin.com/edu-sites-list/">mashood</a>

EEW

Nov 17th 2022
6 months ago

WQwqwqwq[url=https://www.seocheckin.com/edu-sites-list/]mashood[/url]

qwq

Nov 17th 2022
6 months ago

dwqqqwqwq mashood

mashood

Nov 17th 2022
6 months ago

[https://isc.sans.edu/diary.html](https://isc.sans.edu/diary.html)

isc.sans.edu

Nov 23rd 2022
6 months ago

[https://isc.sans.edu/diary.html | https://isc.sans.edu/diary.html]

isc.sans.edu

Nov 23rd 2022
6 months ago

What's this all about ..?

isc.sans.edu

Dec 3rd 2022
5 months ago

password reveal .

isc.sans.edu

Dec 3rd 2022
5 months ago

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure:

<a hreaf="https://technolytical.com/">the social network</a> is described as follows because they respect your privacy and keep your data secure. The social networks are not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go.

<a hreaf="https://technolytical.com/">the social network</a> is not interested in collecting data about you. They don't care about what you're doing, or what you like. They don't want to know who you talk to, or where you go. The social networks only collect the minimum amount of information required for the service that they provide. Your personal information is kept private, and is never shared with other companies without your permission

isc.sans.edu

Dec 26th 2022
5 months ago

https://thehomestore.com.pk/

isc.sans.edu

Dec 26th 2022
5 months ago

Login here to join the discussion.


Diary Archives