Maldoc external relatonship with type oleobject

Introduction 

Phishing malicious documents can contain external relationship with type oleobject. A defender objective is to kill the attack at the early stage by blocking malicious domains at perimeter, this post levarages Cyberchef  to extract payload urls quickly from malicious office documents

CyberChef is an open source tool maintained by GCHQ. It provides a drag and drop interface via a web browser (Firefox & Chrome) to quickly perform a wide range of data manipulation functions called 'operations'. A sequence of operations is called a 'recipe'. As all the processing is client-side, CyberChef can be downloaded and used offline or in an air-gapped forensic network. CyberChef has operations useful for disk forensics, malware & network analysts, and even OSINT researchers.

Tools 

  1. Cyberchef  

Analysis 

All document samples are pulled from Hybrid Analysis - a free malware analysis service for the community that detects and analyzes unknown threats using a unique Hybrid Analysis technology.

0ddf7e87957932650679c99ff2e2380e2be8a203d1142f19a22ad602047f372e
7046db7a12910e4ceea386bd7ed83b4a2c478c85096b371bf9ea4850f9e2039a
98341b7c83f0f3b1e4ca16d6599c713218e08884126cc6777dec32a870c11ec3


Observe CVE-2017-8759 in above maldoc Microsoft Excel 2007+ sample (Reference: FireEye)

Conclusion 
Happy defending ! 


 




Comments

Popular posts from this blog

Memory Analysis of WannaCry Ransomware

Memory dump analysis of Donny's System

Malicious document analysis Part - 1