Malicious Office Documents

 
  

randomaccess
Senior Member
 

Malicious Office Documents

Posted: Feb 02, 15 10:51

I've been asked to look into some Word documents that could contain malware. I've run the OfficeMalScanner application and located ~40 documents that don't contain macros, but have a malware index and have shellcode located within.
Does anyone know how to examine the shellcode found within the doc files?

I'm a little at a loss to determine if any of these have caused an infection.
 
  

keydet89
Senior Member
 

Re: Malicious Office Documents

Posted: Feb 02, 15 17:34

 
  

randomaccess
Senior Member
 

Re: Malicious Office Documents

Posted: Feb 03, 15 03:06

Thanks Harlan,
That was my first port of call.
Unfortunately my files are DOC* and not DOCX, and the files don't contain macros. When I've opened them up there's very little inside.
It's really the shellcode that I'm a little stuck on, and why OfficeMalScanner is suggesting the files contain malware because it detects a decryption loop.

Has anyone found any references for OfficeMalScanner's index? I'd like to find the scale that it's reported on but haven't had any luck so far.

I'll have to find a few other sample "known good" doc files and see if that's a standard feature that may occur

Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know  
 
  

woany
Member
 

Re: Malicious Office Documents

Posted: Feb 03, 15 13:16

Have you tried oledump by Didier Stevens?

blog.didierstevens.com...ledump-py/

The following link shows how it was used to investigate a malicious document:

isc.sans.edu/diary/ole...vens/19137

Mark  
 
  

keydet89
Senior Member
 

Re: Malicious Office Documents

Posted: Feb 03, 15 17:38

RA,

That blog post lists a number of tools...some of which are specific to the older, .doc/OLE file format, rather than the newer PK/XML format.  
 
  

athulin
Senior Member
 

Re: Malicious Office Documents

Posted: Feb 03, 15 22:05

- randomaccess
Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know


Normal .doc documents don't do that. .docx files renamed to .doc may, as they are ZIP archives to begin with.

However, there are tools like 7-zip that can open .doc files as well as .zip files, and which may give the impression that a change of extension does the change.

Which confuses the situation nicely.  
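An added example, not code from the thread, from OfficeMalScanner or from oledump, that does what athulin's point above implies for triage and what woany's oledump suggestion gets at: identify the real container from the file's magic bytes rather than its extension, then list what is inside. A legacy .doc is an OLE compound file, a .docx is a ZIP archive, and renaming one to the other changes nothing about the bytes. The OLE reader is a minimal hand-written subset of the compound file format (v3, 512-byte sectors, no mini-streams); the sample .doc and .docx bytes are constructed inline, and `sniff_container`, `ole_streams`, `describe`, `build_sample_doc` and `build_sample_docx` are this example's own names.

```python
"""Added example (not from the thread or from OfficeMalScanner/oledump):
identify an Office file's real container from its magic bytes, then list
its contents. The OLE reader is a minimal hand-written subset of the
[MS-CFB] compound file format; the sample files are constructed inline."""
import io
import struct
import sys
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx/.pptx container
ENDOFCHAIN = 0xFFFFFFFE
NOSTREAM = 0xFFFFFFFF

def sniff_container(data):
    """Return 'ole', 'zip' or 'unknown' from the first bytes; the extension is ignored."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"

def ole_streams(data):
    """List (name, size) of the streams in a v3 OLE compound file.
    Walks the directory's FAT chain; mini-streams and DIFAT overflow sectors
    (files with more than 109 FAT sectors) are outside this example's scope."""
    sector_shift, = struct.unpack_from("<H", data, 0x1E)
    sec_size = 1 << sector_shift
    num_fat, = struct.unpack_from("<I", data, 0x2C)
    first_dir, = struct.unpack_from("<I", data, 0x30)
    fat = []                                        # FAT = sectors named in the header DIFAT
    for i in range(min(num_fat, 109)):
        fat_sec, = struct.unpack_from("<I", data, 0x4C + 4 * i)
        fat.extend(struct.unpack_from("<%dI" % (sec_size // 4), data, (fat_sec + 1) * sec_size))
    streams, sec, seen = [], first_dir, set()
    while sec != ENDOFCHAIN and sec not in seen:
        seen.add(sec)                               # refuse to loop on a crafted cyclic chain
        base = (sec + 1) * sec_size
        for e in range(sec_size // 128):            # 128-byte directory entries
            ent = data[base + e * 128: base + (e + 1) * 128]
            if len(ent) < 128:                      # chain points past the end of the file
                break
            name_len, obj_type = struct.unpack_from("<HB", ent, 0x40)
            if obj_type != 2:                       # 2 = stream (1 storage, 5 root, 0 unused)
                continue
            name = ent[:max(name_len - 2, 0)].decode("utf-16-le", "replace")
            size, = struct.unpack_from("<Q", ent, 0x78)
            streams.append((name, size & 0xFFFFFFFF))   # v3: only the low 32 bits are valid
        sec = fat[sec] if sec < len(fat) else ENDOFCHAIN
    return streams

def describe(data):
    """(container, [entry names]) for a file's bytes, whatever it is called on disk."""
    kind = sniff_container(data)
    if kind == "ole":
        return kind, [name for name, _ in ole_streams(data)]
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return kind, zf.namelist()
    return kind, []

def build_sample_doc():
    """Constructed minimal OLE file with one WordDocument stream (not a real Word file)."""
    def dir_entry(name, obj_type, child, start, size):
        n = name.encode("utf-16-le") + b"\x00\x00"
        ent = n.ljust(64, b"\x00") + struct.pack("<HBB", len(n), obj_type, 1)
        ent += struct.pack("<III", NOSTREAM, NOSTREAM, child)      # left, right, child
        ent += b"\x00" * 36                                         # CLSID, state bits, times
        return ent + struct.pack("<IQ", start, size)
    header = OLE_MAGIC + b"\x00" * 16
    header += struct.pack("<HHHHH", 0x3E, 3, 0xFFFE, 9, 6) + b"\x00" * 6   # v3, 512-byte sectors
    header += struct.pack("<9I", 0, 1, 1, 0, 0x1000, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<I", 0) + b"\xff" * (108 * 4)           # DIFAT: FAT lives in sector 0
    fat = struct.pack("<3I", 0xFFFFFFFD, ENDOFCHAIN, ENDOFCHAIN) + b"\xff" * (125 * 4)
    payload = b"constructed sample WordDocument stream"
    directory = (dir_entry("Root Entry", 5, 1, ENDOFCHAIN, 0)
                 + dir_entry("WordDocument", 2, NOSTREAM, 2, len(payload))
                 + b"\x00" * 256)                                   # two unused entries
    return header + fat + directory + payload.ljust(512, b"\x00")

def build_sample_docx():
    """Constructed minimal OOXML-style zip; renaming it .doc would not change the sniff result."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

if __name__ == "__main__":
    samples = {"sample.doc": build_sample_doc(), "renamed.doc": build_sample_docx()}
    for path in sys.argv[1:]:                       # real files, if any are given
        with open(path, "rb") as fh:
            samples[path] = fh.read()
    for path, blob in samples.items():
        print(path, *describe(blob))
```

Run with no arguments to see the two constructed samples, or pass file paths to sniff real documents. The useful triage signal is the mismatch: a file called .doc that sniffs as `zip` is an OOXML document wearing the wrong extension, and a .doc that sniffs as `ole` with only a few streams is the "couple of files" a ZIP manager such as 7-zip shows, which is the compound file's directory rather than a renamed archive.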
 
  

randomaccess
Senior Member
 

Re: Malicious Office Documents

Posted: Feb 04, 15 03:46

- athulin
- randomaccess
Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know


Normal .doc documents don't do that. .docx files renamed to .doc may, as they are ZIP archives to begin with.

However, there are tools like 7-zip that can open .doc files as well as .zip files, and which may give the impression that a change of extension does the change.

Which confuses the situation nicely.


Yeah, when opening a .doc in a zip manager it just shows a couple of files which for the most part don't appear helpful.
 
