Basic Office maldoc analysis



  • Here I found an interesting, despite basic, guide on how to “manually” analyze the contents of an Office document.
    Enjoy:
    https://isc.sans.edu/forums/diary/Basic+Office+maldoc+analysis/22596/


  • administrators

    Awesome and simple resource. Thank you! The REMnux Linux distro has awesome doc analysis tools like the one shown in the article. This is an area of malware that I am going to be researching more deeply soon.



  • Nice article. Yes, OLE is dangerous. We have a book that explains it really well, called Essential COM.


  • administrators

    @wunderbar pretty useful, might have to add that to the book list. So many books, so little time. I’m sure it’s good for reference though.



  • Yep, the real problem is not the resources but the fkin time! :)



  • I just want to add one thing to the discussion if it’s okay. :)

    You can use API monitoring tools and intercept NtCreateUserProcess (NTDLL) and NtResumeThread (NTDLL). When the NtCreateUserProcess breakpoint/hook is triggered, you can check the image file path/command line information to see the PE on disk being executed for a process spawn, and the NtResumeThread interception prevents the new process from executing any of its own code until you’re ready to analyse it.

    Microsoft Office exploits tend to abuse the privilege to download additional malware and then execute it/execute built-in utilities like PowerShell, so I thought it could be helpful for me to mention this. It can help you easily intercept process creation if it happens with a malicious MS document.
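
Added example, not part of the thread or the linked article: once process-creation records have been captured (by an API monitor as described in the last post, or from a process-creation log), a small triage pass can single out the spawns made by an Office application. The record fields, watch lists, paths and sample events below are constructed assumptions for illustration.

```python
import ntpath

# Assumed watch lists for this example; extend them for your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed records: what a process-creation hook or log would report per spawn.
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Users\Public\example.ps1"},
    {"parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'WINWORD.EXE /n "C:\Users\analyst\Desktop\sample.doc"'},
    {"parent": r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE",
     "image": r"C:\Users\Public\example.exe",
     "cmdline": r"C:\Users\Public\example.exe"},
    {"parent": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "image": r"C:\Windows\splwow64.exe",
     "cmdline": r"C:\Windows\splwow64.exe 8192"},
]

def exe_name(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()

def triage(events):
    """Return findings for children of Office processes that warrant review."""
    findings = []
    for ev in events:
        parent = exe_name(ev["parent"])
        if parent not in OFFICE_PARENTS:
            continue  # only spawns made by an Office application are of interest
        child = exe_name(ev["image"])
        if child in SCRIPT_HOSTS:
            reason = "Office started a shell or script host"
        elif not ev["image"].lower().startswith(TRUSTED_PREFIXES):
            reason = "Office started a binary outside system/program directories"
        else:
            continue  # e.g. the print helper in the last sample record
        findings.append({"parent": parent, "child": child,
                         "cmdline": ev["cmdline"], "reason": reason})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['parent']} -> {f['child']}: {f['reason']} | {f['cmdline']}")
```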


