Extracting Files Embedded Inside Word Documents

    Published: 2024-12-03. Last Updated: 2024-12-03 07:13:50 UTC
    by Didier Stevens (Version: 1)

    I found a sample that is a Word document with an embedded executable. I'll explain how to extract the embedded executable with my tools.

    First I check with file-magic.py:

    The identification says Word 2007+, so this is an OOXML document. These are ZIP containers that can be analyzed with zipdump.py to take a look inside:

    Stream 6 (oleObject1.bin) is an OLE object that embeds the executable. There's no need to extract that OLE file from the OOXML container, oledump.py can handle this:

    The O indicator for stream A2 tells us that this stream is the OLE data structure embedding the executable.

    Selecting this stream and using option -i gives us info about the OLE contained, and the contained file:

    This metadata gives the names of the embedded file and its hashes, allowing me to look it up directly on VirusTotal, for example: 3d5fe12c0aa783252431834ed8e370102f47df65165680824b9287faa88e088a.

    The file can also be extracted with option -e:

    Malicious Word documents like these don't execute the embedded file when the document is opened: that requires social engineering to entice the user to double-click the embedded file.
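    The same workflow (confirm the OOXML ZIP, find the OLE object among its members, read the Ole10Native stream to get the embedded file's names, size and hashes, then extract it) as one self-contained Python example. This is added illustration code, not code from zipdump.py or oledump.py; it carries its own minimal OLE compound-file reader instead of calling those tools. The Ole10Native (Packager) layout it assumes is: total size, a flags word, the label and source path as null-terminated strings, a flags dword, the temp-path length and temp path, then the payload size and payload. The function names (extract_embedded_files, read_cfb_streams, parse_ole10native) are mine.

```python
import hashlib
import io
import struct
import zipfile

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # OLE compound file signature
MAXREGSECT = 0xFFFFFFFA   # sector numbers above this are markers (ENDOFCHAIN, FREESECT, ...)

def _chain(fat, start):
    """Yield the sector numbers of a FAT or mini-FAT chain, refusing loops."""
    seen, sect = set(), start
    while sect <= MAXREGSECT:
        if sect in seen or sect >= len(fat):
            raise ValueError("corrupt sector chain")
        seen.add(sect)
        yield sect
        sect = fat[sect]

def read_cfb_streams(data):
    """Minimal CFB reader: {stream name: bytes} for every stream entry (storages flattened)."""
    if not data.startswith(CFB_MAGIC):
        raise ValueError("not an OLE compound file")
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]     # sector size, usually 512
    mssz = 1 << struct.unpack_from("<H", data, 0x20)[0]    # mini sector size, usually 64
    n_fat, first_dir = struct.unpack_from("<II", data, 0x2C)
    cutoff, first_minifat, _, first_difat = struct.unpack_from("<IIII", data, 0x38)
    size_mask = 0xFFFFFFFF if ssz == 512 else (1 << 64) - 1    # v3 files use 32-bit sizes
    sector = lambda n: data[(n + 1) * ssz:(n + 2) * ssz]
    uint32s = lambda blob: struct.unpack("<%dI" % (len(blob) // 4), blob)
    difat = list(struct.unpack_from("<109I", data, 0x4C))   # header DIFAT, then chained DIFAT sectors
    while first_difat <= MAXREGSECT:
        entries = uint32s(sector(first_difat))
        difat.extend(entries[:-1])
        first_difat = entries[-1]
    fat = [x for s in difat[:n_fat] for x in uint32s(sector(s))]
    dir_data = b"".join(sector(s) for s in _chain(fat, first_dir))
    entries = [dir_data[i:i + 128] for i in range(0, len(dir_data) - 127, 128)]
    # The root entry's data is the mini stream holding every stream below the cutoff
    root_start, root_size = struct.unpack_from("<IQ", entries[0], 116)
    mini_stream = b"".join(sector(s) for s in _chain(fat, root_start))[:root_size & size_mask]
    minifat = uint32s(b"".join(sector(s) for s in _chain(fat, first_minifat)))
    streams = {}
    for e in entries:
        name_len, obj_type = struct.unpack_from("<HB", e, 64)
        if obj_type != 2 or name_len < 2:   # object type 2 = stream
            continue
        name = e[:name_len - 2].decode("utf-16-le")
        start, size = struct.unpack_from("<IQ", e, 116)
        size &= size_mask
        if size < cutoff:
            blob = b"".join(mini_stream[s * mssz:(s + 1) * mssz] for s in _chain(minifat, start))
        else:
            blob = b"".join(sector(s) for s in _chain(fat, start))
        streams[name] = blob[:size]
    return streams

def parse_ole10native(stream):
    """Parse a \\x01Ole10Native (Packager) stream. Assumed layout: total size, flags word,
    label\\0, source path\\0, flags dword, temp-path length, temp path, payload size, payload."""
    pos = 6   # skip the total-size dword and the flags word
    def cstring():
        nonlocal pos
        end = stream.index(b"\x00", pos)
        text = stream[pos:end].decode("latin-1")
        pos = end + 1
        return text
    label = cstring()          # file name shown in the document
    source_path = cstring()    # path on the machine where the object was inserted
    temp_len, = struct.unpack_from("<I", stream, pos + 4)   # dword after the flags dword
    pos += 8
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00").decode("latin-1")
    pos += temp_len
    size, = struct.unpack_from("<I", stream, pos)
    payload = stream[pos + 4:pos + 4 + size]
    if len(payload) != size:
        raise ValueError("Ole10Native payload truncated")
    return {"label": label, "source_path": source_path, "temp_path": temp_path,
            "size": size, "md5": hashlib.md5(payload).hexdigest(),
            "sha256": hashlib.sha256(payload).hexdigest(), "payload": payload}

def extract_embedded_files(ooxml_bytes):
    """Walk the OOXML ZIP, parse every member that is an OLE file, and collect each
    Ole10Native-packaged file together with the ZIP member it came from."""
    found = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        for member in zf.namelist():
            blob = zf.read(member)
            if blob.startswith(CFB_MAGIC):
                for name, stream in read_cfb_streams(blob).items():
                    if name == "\x01Ole10Native":
                        found.append(dict(parse_ole10native(stream), member=member))
    return found

if __name__ == "__main__":
    import sys
    for item in extract_embedded_files(open(sys.argv[1], "rb").read()):
        print(item["member"], item["label"], item["size"], item["md5"], item["sha256"])
        with open(item["sha256"] + ".bin", "wb") as out:   # name by hash, not by label
            out.write(item["payload"])
```

    Run it as `python extract_ole10native.py sample.docx`: it prints the ZIP member, label, size and hashes of every packaged file (the values you would pivot on in VirusTotal) and writes each payload out under its SHA256 rather than under the attacker-chosen label, so a name like "invoice.pdf.exe" never lands on disk as such. Because the reader scans every ZIP member for the OLE signature instead of hard-coding word/embeddings/, the same code works on xlsx and pptx containers.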


    Didier Stevens
    Senior handler
    blog.DidierStevens.com
