Malicious office document analysis Part-3

Introduction
This post covers how to identify and extract potential malicious content like embedded executable and payloads from Macro forms in office documents. Refer Part-1 and Part-2 to get an understanding of  tools and approach to analyse phishing documents.

Tools 
  1. Didier Stevens Suite  
  2. sudo pip install oletools 
Analysis 

All document samples are pulled from Hybrid Analysis - a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology. 


Download above mentioned sample and check the integrity
Check the file properties using native Linux file command which gives quick idea about sample
Ran oledump.py  to check the embedded macros and macro related forms
It was found that stream 14 and 15 look like macro forms.  Dump them using -d option to check anything suspicious content in it
Wow ! Hex 4d5a was observed which is traditional ASCII MZ header for windows executable, DLL or sys files. Ran  base64dump.py to decode the hex coded content to check the ASCII header
Dumped the identifier 1 in ASCII
Ran pecheck.py to check the PE file basic properties, history, header, sections info, imports and exports
Dump the PE file for further analysis

Comments

Popular posts from this blog

Memory Analysis of WannaCry Ransomware

Memory dump analysis of Donny's System

Malicious document analysis Part - 1