Office Documents with Embedded Objects

Published: 2020-09-12
Last Updated: 2020-09-12 13:35:26 UTC
by Didier Stevens (Version: 1)
0 comment(s)

A reader asked about another malicious file, thinking it was an intentionally corrupt ZIP file.

If you follow the steps I showed in diary entry "Office: About OLE and ZIP Files", you will see that it is not a corrupt ZIP file, but an OLE file containing 2 ZIP files.


Once you have listed the PKZIP records with -f L, you will see 2 end-of-central-directory records (PK0506 end), indexed 1 and 2. You can use this index to select and analyze the ZIP file that was found, like this:


The first ZIP file appears to contain DLLs, and the second ZIP file contains theme data, as I explained in diary entry "Office: About OLE and ZIP Files".

This is indeed an OLE file:

It is a spreadsheet (stream Workbook) with VBA code:

But it also contains an embedded object: note the indicator O for stream 4.

My tool oledump.py can handle embedded objects. Use option -I (info) to get more information:

It is a ZIP file: not only does it have the file extension .zip, its first 4 bytes are also 504B0304.

With option -e (extract), you can extract the embedded file to stdout:

This is the first ZIP file we looked at with zipdump.py.

It contains a 64-bit and a 32-bit DLL:
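To make the indexing and carving described above concrete, here is an added Python example (not code from the diary or from oledump.py/zipdump.py) that scans a byte buffer for PK0506 records, numbers them 1 and 2 the way zipdump.py does, carves the owning ZIP archive from the central directory size and offset stored in each EOCD record, and lists its members together with the 504B0304 magic. The container bytes and the member names (x64/payload.dll, x86/payload.dll, theme/theme1.xml) are constructed for the example and are not the diary's sample.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"  # end-of-central-directory signature (PK0506)


def _make_zip(files):
    """Build a small ZIP archive in memory (only used for the constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for the diary's sample: a few header bytes, then two ZIP
# archives separated by filler. Not a real OLE file and not the original sample.
CONTAINER = (
    b"\xd0\xcf\x11\xe0" + b"\x00" * 60
    + _make_zip({"x64/payload.dll": b"MZ" + b"\x00" * 40,
                 "x86/payload.dll": b"MZ" + b"\x00" * 24})
    + b"\xff" * 17
    + _make_zip({"theme/theme1.xml": b"<a:theme/>"})
)


def find_eocd_records(data):
    """Offsets of every PK0506 record, in file order; position n (1-based) is
    the index zipdump.py reports for the n-th ZIP file it finds."""
    offsets, pos = [], data.find(EOCD_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(EOCD_SIG, pos + 4)
    return offsets


def carve_zip(data, index):
    """Carve the archive that owns the index-th EOCD record. The EOCD stores the
    central directory's size and its offset relative to the archive start, so
    start = eocd - cd_size - cd_offset; the record ends after its comment."""
    eocd = find_eocd_records(data)[index - 1]
    cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, eocd + 12)
    return data[eocd - cd_size - cd_offset : eocd + 22 + comment_len]


def describe_embedded_zip(data, index):
    """Return (first 4 bytes as hex, member names) for the carved archive."""
    blob = carve_zip(data, index)
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return blob[:4].hex().upper(), zf.namelist()
```

Calling describe_embedded_zip(CONTAINER, 1) and describe_embedded_zip(CONTAINER, 2) reproduces the two-step workflow from the diary: the same magic 504B0304 for both archives, and a different member list for each index.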


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
