Showing posts from July, 2018

Malicious office document analysis Part-3

Introduction

This post covers how to identify and extract potentially malicious content, such as embedded executables and payloads, from macro forms in Office documents. Refer to Part-1 and Part-2 for the tools and the general approach used to analyse phishing documents.

Tools

Didier Stevens Suite (oledump.py)
oletools: sudo pip install oletools

Analysis

All document samples are pulled from Hybrid Analysis, a free malware analysis service for the community that detects and analyzes unknown threats using its Hybrid Analysis technology.

Hash: 345b804a9416595840516674caaa65e65be57591d300beab2b6190298a9eac78

Download the sample above and verify its integrity against that hash (for example with sha256sum) before opening it. Run the native Linux file command on it; this gives a quick idea of what the sample is. Then run oledump.py to list the OLE streams, including the embedded macros and the macro-related form streams. Streams 14 and 15 look like macro forms. Dump them with the -d option and inspect the contents for anything suspicious. Wow ! Hex 4
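A worked example of the triage steps above, added here and not part of the original post or of Didier Stevens' tools: after a form stream has been dumped with oledump.py (for example oledump.py -s 14 -d sample.doc > stream14.bin), this Python scans the raw bytes for an embedded PE file by validating the MZ header's e_lfanew pointer rather than trusting every "MZ" hit, records the DOS stub string as a secondary indicator, carves the candidate for sandbox analysis, and checks a downloaded sample against the published hash. The stream bytes are constructed inline (a form caption used as a decoy plus a minimal fake PE header), not taken from the real sample, and all function and constant names are my own.

```python
import hashlib
import struct

# SHA-256 of the sample discussed in the post; used to verify the download.
EXPECTED_SHA256 = "345b804a9416595840516674caaa65e65be57591d300beab2b6190298a9eac78"

DOS_STUB = b"This program cannot be run in DOS mode."


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_download(path: str, expected: str = EXPECTED_SHA256) -> bool:
    """Compare a downloaded sample against the published hash before touching it."""
    with open(path, "rb") as fh:
        return sha256_hex(fh.read()) == expected.lower()


def find_pe_candidates(data: bytes) -> list:
    """Offsets of 'MZ' headers whose e_lfanew (at +0x3C) points at a 'PE\\0\\0' signature.

    A bare 'MZ' search is noisy in form streams (it is just two ASCII letters);
    following the e_lfanew pointer filters out text that merely contains "MZ".
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig = data[pos + e_lfanew:pos + e_lfanew + 4]
            # Real PE headers sit at most a few hundred bytes past the DOS header.
            if 0x40 <= e_lfanew < 0x1000 and sig == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def find_dos_stub(data: bytes) -> list:
    """Offsets of the DOS stub message: weaker evidence, but it survives a damaged header."""
    hits, pos = [], data.find(DOS_STUB)
    while pos != -1:
        hits.append(pos)
        pos = data.find(DOS_STUB, pos + 1)
    return hits


def carve(data: bytes, offset: int) -> bytes:
    """Carve from the MZ header to the end of the stream; trim in a sandbox afterwards."""
    return data[offset:]


def scan_stream(data: bytes) -> dict:
    pe = find_pe_candidates(data)
    return {"pe_offsets": pe,
            "dos_stub_offsets": find_dos_stub(data),
            "carved": [carve(data, o) for o in pe]}


# --- constructed input for the demo (not bytes from the real sample) -------------
def build_fake_pe(e_lfanew: int = 0x80) -> bytes:
    """Minimal DOS header + stub + PE signature + COFF header, enough to be recognised."""
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    stub = DOS_STUB + b"\r\n$"
    dos[0x4E:0x4E + len(stub)] = stub
    # COFF header: Machine=i386, 1 section, timestamp, symtab ptr, nsyms, opt-hdr size, characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    return bytes(dos) + coff


DECOY = b"Label1 caption: MZ is not always a header"   # 'MZ' with no valid e_lfanew behind it
PADDING = b"\x00" * 64
SAMPLE_STREAM = DECOY + PADDING + build_fake_pe() + b"\x00" * 8
EXPECTED_PE_OFFSET = len(DECOY) + len(PADDING)          # 105

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    result = scan_stream(data)
    print("PE candidates :", result["pe_offsets"])
    print("DOS stub hits :", result["dos_stub_offsets"])
    for i, blob in enumerate(result["carved"]):
        with open("carved_%d.bin" % i, "wb") as out:
            out.write(blob)
```

Run it as python scan_stream.py stream14.bin on the dumped stream; with no argument it scans the constructed sample, reports the decoy "MZ" at offset 16 as rejected (its e_lfanew is zero) and the real header at offset 105, and writes the carved blob to carved_0.bin. Anything it carves should be treated as live malware and analysed only in an isolated sandbox.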