Introduction
This post covers how to identify and extract potentially malicious content, such as embedded executables and payloads, from macro forms in Office documents. Refer to Part-1 and Part-2 for an understanding of the tools and the approach used to analyse phishing documents.
Tools
- Didier Stevens Suite
- oletools (install with: sudo pip install oletools)
Analysis
All document samples are pulled from Hybrid Analysis, a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.
Download the above-mentioned sample and check its integrity
Check the file properties using the native Linux file command, which gives a quick idea about the sample
Ran oledump.py to list the streams and check for embedded macros and macro-related forms
It was found that streams 14 and 15 look like macro forms. Dump them using the -d option to check for any suspicious content
Wow! The hex sequence 4d5a was observed, which is the traditional ASCII MZ header of a Windows executable, DLL or sys file. Ran base64dump.py to decode the hex-encoded content and check the ASCII header
Dumped identifier 1 as ASCII
Ran pecheck.py to check the PE file's basic properties, history, header, section info, imports and exports
Dump the PE file for further analysis
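As an added worked example (not code from the original post or from the Didier Stevens Suite), the script below reproduces the carving steps above in plain Python: scan a dumped macro-form stream for long hex runs, decode from the "4d5a" marker, validate the MZ/PE/COFF headers the way pecheck.py does first, and hand back the carved bytes. The stream bytes and the PE-like blob it contains are constructed for the demo (the blob has valid headers but is not a runnable executable); the function names carve_hex_pe and parse_pe_header are my own, not tool APIs.

```python
"""Locate and carve a hex-encoded PE file from a dumped OLE stream.

Added example, not code from the original post or from the Didier Stevens
Suite. Mirrors the workflow: oledump.py -d -> spot "4d5a" -> decode hex ->
check the PE header. Run it on a stream oledump.py has written to disk, or
with no argument to use the constructed sample stream below.
"""
import re
import struct
import sys
from typing import List, Optional, Tuple

# A hex-encoded PE needs at least a 64-byte DOS header = 128 hex characters.
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{128,}")
MZ_HEX = re.compile(rb"4[dD]5[aA]")

# Subset of IMAGE_FILE_MACHINE values, for readable output.
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}


def parse_pe_header(data: bytes) -> Optional[dict]:
    """Return basic header facts if data starts with a valid MZ/PE/COFF header.

    Checks: 'MZ' magic, e_lfanew at 0x3C, 'PE\\0\\0' signature, COFF file
    header. Returns None on any failure so hex runs that merely contain
    '4d5a' by chance are not reported as executables.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Signature (4) + COFF header (20) must fit inside the buffer.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    return {
        "e_lfanew": e_lfanew,
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsections,
        "timestamp": timestamp,
        "size_of_optional_header": size_opt,
    }


def _decode_from(run: bytes, idx: int) -> bytes:
    """Hex-decode run[idx:], dropping a dangling nibble if the length is odd."""
    seg = run[idx:]
    seg = seg[: len(seg) - (len(seg) % 2)]
    return bytes.fromhex(seg.decode("ascii"))


def carve_hex_pe(stream: bytes) -> List[Tuple[int, bytes, dict]]:
    """Scan a raw OLE stream for hex-encoded PE files.

    Returns (offset_in_stream, decoded_bytes, header_info) for every hex run
    that decodes to a valid PE header. Form property bytes are often
    hex-encoded right in front of the payload, so besides the start of the
    run every '4d5a' inside it is tried as a candidate start.
    """
    found = []
    for m in HEX_RUN.finditer(stream):
        run = m.group(0)
        candidates = [0] + [h.start() for h in MZ_HEX.finditer(run) if h.start() != 0]
        for idx in candidates:
            info = parse_pe_header(_decode_from(run, idx))
            if info:
                found.append((m.start() + idx, _decode_from(run, idx), info))
                break  # one payload per run is enough for this demo
    return found


def build_sample_pe() -> bytes:
    """Constructed PE-like blob: DOS header with e_lfanew = 0x40, then a COFF
    header for an i386 image with 3 sections. Not a runnable executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x014C, 3, 0x5A0B1C2D, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + coff + b"\x00" * 32


# Constructed stand-in for "oledump.py -s 14 -d sample.doc": a few form
# property bytes, the hex-encoded payload, then trailing property bytes.
SAMPLE_STREAM = (
    b"\x00\x01\x00\x00Caption\x00"
    + build_sample_pe().hex().encode("ascii")
    + b"\x00\x00TextBox1\x00"
)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_STREAM
    for off, blob, info in carve_hex_pe(data):
        print(f"hex-encoded PE at stream offset {off}: {len(blob)} bytes, {info}")
        with open(f"carved_{off}.bin", "wb") as fh:  # feed this to pecheck.py
            fh.write(blob)
```

Pointing the script at the file written by oledump.py -d gives the same MZ/PE confirmation that base64dump.py and pecheck.py give in the walkthrough, and the carved .bin can be passed straight to pecheck.py for the section and import details.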