Showing posts from July, 2018

Malicious office document analysis Part-3

Introduction
This post covers how to identify and extract potentially malicious content, such as embedded executables and payloads, from macro forms in Office documents. Refer to Part-1 and Part-2 for an overview of the tools and the approach used to analyse phishing documents.

Tools
Didier Stevens Suite
sudo pip install oletools

Analysis
All document samples are pulled from Hybrid Analysis, a free malware analysis service for the community that detects and analyzes unknown threats using its Hybrid Analysis technology.
Hash: 345b804a9416595840516674caaa65e65be57591d300beab2b6190298a9eac78
Download the sample mentioned above and verify its integrity against the hash. Check the file properties with the native Linux file command, which gives a quick idea of what the sample is. Run oledump.py to list the embedded macros and macro-related forms.
Streams 14 and 15 look like macro forms. Dump them with the -d option to check for suspicious content.
Wow! The hex bytes 4d5a were observed, which is the traditional ASCII "MZ" header…
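As an added example (not code from the original post), the following Python check automates the step above: after a stream has been dumped with oledump.py -d, it scans the bytes for an MZ header and confirms that the e_lfanew field points at a real PE signature, so a stray "MZ" in text does not count as an embedded executable. The sample stream is constructed inline and is not a real payload.

```python
import struct


def build_sample_stream() -> bytes:
    """Constructed stand-in for a dumped macro form stream: 0x40 bytes of
    filler, then a minimal DOS header whose e_lfanew points at a PE stub."""
    dos_header = bytearray(b"MZ" + b"\x00" * 58)          # bytes 0x00..0x3B
    dos_header += struct.pack("<I", 0x80)                  # e_lfanew at 0x3C
    dos_header += b"\x00" * (0x80 - len(dos_header))       # pad up to 0x80
    pe_header = b"PE\x00\x00" + struct.pack("<H", 0x14C)   # signature + Machine (i386)
    return b"\x00" * 0x40 + bytes(dos_header) + pe_header + b"\x00" * 16


def find_embedded_pe(stream: bytes):
    """Return (offset, e_lfanew) pairs for every MZ header in the stream whose
    e_lfanew field lands on a 'PE\\0\\0' signature. Bare 'MZ' bytes without a
    consistent PE header behind them are ignored."""
    hits = []
    pos = stream.find(b"MZ")
    while pos != -1:
        # Need the full 64-byte DOS header to read e_lfanew at offset 0x3C
        if pos + 0x40 <= len(stream):
            e_lfanew = struct.unpack_from("<I", stream, pos + 0x3C)[0]
            pe_off = pos + e_lfanew
            # Sanity bounds on e_lfanew, then verify the PE signature itself
            if 0x40 <= e_lfanew < 0x1000 and stream[pe_off:pe_off + 4] == b"PE\x00\x00":
                hits.append((pos, e_lfanew))
        pos = stream.find(b"MZ", pos + 1)
    return hits


def scan_file(path: str):
    """Convenience wrapper for a stream saved to disk (e.g. oledump.py -d output)."""
    with open(path, "rb") as fh:
        return find_embedded_pe(fh.read())


if __name__ == "__main__":
    for off, lfanew in find_embedded_pe(build_sample_stream()):
        print(f"embedded PE at stream offset 0x{off:x} (e_lfanew=0x{lfanew:x})")
```

Run it against a real dumped stream with scan_file("stream14.bin") (file name assumed); a hit means the offset where a carve of the embedded executable should start.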