General Approach to Document Analysis
- Inspect document manually for anomalies
- Extract the suspicious code or objects
- Deobfuscate the payload if required
- If required emulate, disassemble or debug the extracted payload
- Reverse engineer the malware
Binary Microsoft Office files (.xls) are in the OLE2 format.
OOXML Office files (.xlsm) are compressed ZIP archives.
- VBA Macros are stored in an OLE2 binary file within the archive
- Excel allows XLM macros without the OLE2 binary file
- RTF documents cannot contain macros, but can contain embedded files and objects
Common analysis tasks:
- Examine contents of OOXML file file.pptx.
- Extract file with index 3 from file.pptx to STDOUT.
- Locate and extract macros from file.xlsm.
- List all OLE2 streams present in file.xls.
- Extract VBA source code from stream 3 in file.xls.
- Format XML file supplied via STDIN for easier analysis.
- Find obfuscated URLs in file.xls macros.
- Extract VBA macros in clear text with deobfuscation and analysis.
- Extract file revision history.
- High-level IOC extraction; a good first place to look.
- Emulate the execution of macros in file.doc to analyze them.
- Remove the password prompt from macros in file.ppt.
- msoffcrypto-tool: use the specified password to create outfile.docm.
- Disassemble VBA-stomped p-code macro from file.doc.
- Decompile VBA-stomped p-code macro from file.doc.
- Extract objects embedded into RTF file file.rtf.
- List groups and structure of RTF file file.rtf.
- Examine objects in RTF file file.rtf.
- Extract hex contents from a group in RTF file file.rtf.
- Deobfuscate XLM (Excel 4) macros in file.xlsm.
Often, you can upload a malicious document to sites like virustotal.com and they will already have a large, detailed report of its decomposition.
Risky PDF keywords:
- /AA specifies the script or action to run automatically.
- /URI accesses a URL, perhaps for phishing.
- /GoToR can send data to a URL.
- /ObjStm can hide objects inside an object stream.
- /XObject can embed an image for phishing.
Be mindful of obfuscation with hex codes, such as /J#61vaScript. (See examples.)
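The container distinction above (OLE2 binary versus OOXML zip, with VBA stored as an OLE2 vbaProject.bin inside the archive) and the hex-escaped PDF name trick can both be checked with a few lines of Python. This is an added example, not code from the original cheat sheet or from any of the tools it lists; the samples it scans are constructed inline and the function names are my own.

```python
import io
import re
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file header
# Risky PDF name tokens from the checklist above
RISKY_PDF_NAMES = {"/AA", "/URI", "/GoToR", "/ObjStm", "/XObject", "/JavaScript"}
# A PDF name runs from '/' to the next whitespace or delimiter character
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")

def container_type(data: bytes) -> str:
    """Classify a document by its leading bytes rather than its extension."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(b"PK\x03\x04"):      # OOXML is a zip archive
        return "ooxml"
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"

def ooxml_macro_parts(data: bytes) -> list:
    """Archive members holding VBA: the OLE2 vbaProject.bin inside the zip."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]

def decode_pdf_name(raw: bytes) -> str:
    """Undo #xx hex escapes so /J#61vaScript compares equal to /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")

def risky_pdf_names(data: bytes) -> dict:
    """Count risky names after normalising escapes (token scan only; strings and
    compressed object streams are not parsed, so unpack those first)."""
    counts = {}
    for m in NAME_RE.finditer(data):
        name = decode_pdf_name(m.group(0))
        if name in RISKY_PDF_NAMES:
            counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed samples (not real malware): a PDF with a hex-obfuscated
# /JavaScript action, and a minimal OOXML zip that carries a vbaProject.bin.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /AA << /O 2 0 R >> >>\nendobj\n"
              b"2 0 obj\n<< /S /J#61vaScript /JS 3 0 R >>\nendobj\n"
              b"4 0 obj\n<< /S /URI /URI 5 0 R >>\nendobj\n")

def build_sample_xlsm() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()
```

Running `risky_pdf_names(SAMPLE_PDF)` counts the escaped `/J#61vaScript` as `/JavaScript`, which a plain string search for the keyword would miss.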