Malicious Office Documents

(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

I've been asked to look into some Word documents that could contain malware. I've run the OfficeMalScanner application and located ~40 documents that don't contain macros, but have a malware index and have shellcode located within.
Does anyone know how to examine the shellcode found within the .doc files?

I'm a little at a loss to determine if any of these have caused an infection.

 
Posted : 02/02/2015 9:51 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

This might help

http://windowsir.blogspot.com/2015/01/what-it-looks-like-disassembling.html

 
Posted : 02/02/2015 4:34 pm
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

Thanks Harlan,
That was my first port of call.
Unfortunately my files are DOC and not DOCX, and the files don't contain macros. When I've opened them up there's very little inside.
It's really the shellcode that I'm a little stuck on, and why OfficeMalScanner is suggesting the files contain malware because it detects a decryption loop.

Has anyone found any references for OfficeMalScanner's index? I'd like to find the scale that it's reported on but haven't had any luck so far.

I'll have to find a few other sample "known good" .doc files and see if that's a standard feature that may occur.

Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know.

 
Posted : 03/02/2015 2:06 am
(@woany)
Posts: 28
Eminent Member
 

Have you tried oledump by Didier Stevens?

http://blog.didierstevens.com/programs/oledump-py/

The following link shows how it was used to investigate a malicious document

https://isc.sans.edu/diary/oledump+analysis+of+Rocket+Kitten+-+Guest+Diary+by+Didier+Stevens/19137

Mark

 
Posted : 03/02/2015 12:16 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

RA,

That blog post lists a number of tools…some of which are specific to the older, .doc/OLE file format, rather than the newer PK/XML format.

 
Posted : 03/02/2015 4:38 pm
(@athulin)
Posts: 1156
Noble Member
 

> Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know.

Normal .doc documents don't do that. .docx files renamed to .doc may, as they are ZIP archives to begin with.

However, there are tools like 7-zip that can open .doc files as well as .zip files, and which may give the impression that a change of extension does the change.

Which confuses the situation nicely.

 
Posted : 03/02/2015 9:05 pm
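Added example (not code from any poster): classify a file by its leading bytes rather than its extension, and for a genuine OLE .doc walk the compound-file directory to list the streams a ZIP manager would never show. The minimal compound file is constructed inline as test data.

```python
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy binary .doc/.xls/.ppt
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx (and any ZIP)
ENDOFCHAIN, FATSECT = 0xFFFFFFFE, 0xFFFFFFFD

def identify_container(data: bytes) -> str:
    """Classify by leading bytes only; the file extension is never consulted."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    return "zip" if data.startswith(ZIP_MAGIC) else "unknown"

def ole_entries(data: bytes) -> list[tuple[str, str]]:
    """Walk the directory chain of an OLE compound file; return (kind, name) pairs."""
    ssz = 1 << struct.unpack_from("<H", data, 0x1E)[0]       # sector size (512 for v3)
    sec = struct.unpack_from("<I", data, 0x30)[0]            # first directory sector
    fat: list[int] = []
    for fat_sec in struct.unpack_from("<109I", data, 0x4C):  # DIFAT entries held in header
        if fat_sec >= ENDOFCHAIN:
            break
        fat += struct.unpack_from(f"<{ssz // 4}I", data, (fat_sec + 1) * ssz)
    kinds, entries = {1: "storage", 2: "stream", 5: "root"}, []
    while sec < ENDOFCHAIN:                                  # follow the FAT chain
        for off in range((sec + 1) * ssz, (sec + 2) * ssz, 128):  # 128-byte entries
            name_len, kind = struct.unpack_from("<HB", data, off + 0x40)
            if kind in kinds:                                # kind 0 = unused slot
                name = data[off:off + name_len - 2].decode("utf-16-le")
                entries.append((kinds[kind], name))
        sec = fat[sec]
    return entries

def build_ole_sample(names: list[str]) -> bytes:
    """Constructed minimal v3 compound file (header + one FAT sector + one
    directory sector) holding empty streams called `names`. Test data only."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)  # versions, byte order, shifts
    struct.pack_into("<IIII", hdr, 0x2C, 1, 1, 0, 0x1000)         # 1 FAT sector; dir at sector 1
    struct.pack_into("<IIII", hdr, 0x3C, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no ext. DIFAT
    hdr[0x4C:0x200] = struct.pack("<I", 0) + b"\xFF" * 432        # DIFAT[0]: FAT is sector 0
    fat = bytearray(b"\xFF" * 512)                                # everything else FREESECT
    struct.pack_into("<II", fat, 0, FATSECT, ENDOFCHAIN)          # sector 0 = FAT, sector 1 = dir
    directory = bytearray(512)
    for i, (kind, name) in enumerate([(5, "Root Entry")] + [(2, n) for n in names]):
        enc = name.encode("utf-16-le") + b"\x00\x00"
        directory[i * 128:i * 128 + len(enc)] = enc
        struct.pack_into("<HB", directory, i * 128 + 0x40, len(enc), kind)
    return bytes(hdr + fat + directory)
```

On a real document, `identify_container` answers whether a 7-zip listing reflects a ZIP container or 7-zip's own OLE support, and `ole_entries` shows the WordDocument/1Table/Macros-style streams that a .doc actually carries.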
(@randomaccess)
Posts: 385
Reputable Member
Topic starter
 

> Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know.
>
> Normal .doc documents don't do that. .docx files renamed to .doc may, as they are ZIP archives to begin with.
>
> However, there are tools like 7-zip that can open .doc files as well as .zip files, and which may give the impression that a change of extension does the change.
>
> Which confuses the situation nicely.

Yeah, when opening a .doc in a zip manager it just shows a couple of files which for the most part don't appear helpful.

 
Posted : 04/02/2015 2:46 am