I've been asked to look into some Word documents that could contain malware. I've run the OfficeMalScanner application and located ~40 documents that don't contain macros, but have a malware index and have shellcode located within.
Does anyone know how to examine the shell code found within the doc files?
I'm a little at a loss to determine if any of these have caused an infection
This might help
http//
Thanks Harlan,
That was my first port of call
Unfortunately my files are DOC* and not DOCX and the files don't contain macros. When I've opened them up there's very little inside.
It's really the shellcode that I'm a little stuck on, and why OfficeMalScanner is suggesting the files contain malware because it detects a decryption loop
Has anyone found any references for OfficeMalScanner's index? I'd like to find the scale that it's reported on but haven't had any luck so far
I'll have to find a few other sample "known good" doc files and see if that's a standard feature that may occur
Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know
Have you tried oledump by Didier Stevens?
http//
The following link shows how it was used to investigate a malicious document
https://
Mark
RA,
That blog post lists a number of tools…some of which are specific to the older, .doc/OLE file format, rather than the newer PK/XML format.
Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know
Normal .doc documents don't do that. .docx files renamed to .doc may, as they are ZIP archives to begin with.
However, there are tools like 7-zip that can open .doc files as well as .zip files, and which may give the impression that a change of extension does the change.
Which confuses the situation nicely.
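The point above about .doc versus renamed .docx is easy to settle from the header bytes rather than the extension or whatever 7-zip happens to open. The following is an added triage script, not from this thread or from OfficeMalScanner/oledump; it checks the OLE2/CFB and ZIP magic numbers, reads the CFB sector shift, and flags files whose extension contradicts the real container. The sample files it builds are constructed in memory and are not real documents.

```python
import io
import os
import struct
import zipfile

# Magic numbers: OLE2/CFB compound file (legacy binary .doc) vs ZIP (OOXML .docx).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ZIP_MAGIC = b"PK\x03\x04"

def identify_container(data: bytes) -> str:
    """Classify by the first bytes, ignoring whatever extension the file carries."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"

def triage(filename: str, data: bytes) -> dict:
    """Report the real container and whether it contradicts the extension."""
    ext = os.path.splitext(filename)[1].lower()
    container = identify_container(data)
    result = {"file": filename, "ext": ext, "container": container}
    if container == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            entries = zf.namelist()
        # OOXML Word packages carry [Content_Types].xml plus a word/ part tree.
        result["word_ooxml"] = "[Content_Types].xml" in entries and any(
            n.startswith("word/") for n in entries)
        result["ext_mismatch"] = ext == ".doc"  # ZIP under a .doc name: renamed .docx
    elif container == "ole":
        # CFB header: sector shift is a little-endian uint16 at offset 30 (9 -> 512 bytes).
        (shift,) = struct.unpack_from("<H", data, 30)
        result["sector_size"] = 1 << shift
        result["ext_mismatch"] = ext == ".docx"  # OLE under a .docx name
    else:
        result["ext_mismatch"] = True  # neither format: not an Office file at all
    return result

# Constructed samples for offline use, not real documents.
def sample_ole() -> bytes:
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<H", hdr, 30, 9)
    return bytes(hdr)

def sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Run triage() over the ~40 flagged files: a genuine binary .doc reports container "ole", and anything reporting "zip" under a .doc name is a renamed OOXML package that the OLE-specific tools will not parse.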
Yeah, when opening a .doc in a zip manager it just shows a couple files which for the most part don't appear helpful