Malicious Office Documents  

randomaccess
(@randomaccess)
Active Member

I've been asked to look into some Word documents that could contain malware. I've run the OfficeMalScanner application and located ~40 documents that don't contain macros, but have a malware index and have shellcode located within.
Does anyone know how to examine the shell code found within the doc files?

I'm a little at a loss to determine if any of these have caused an infection.

Posted : 02/02/2015 9:51 am
keydet89
(@keydet89)
Community Legend

This might help

http://windowsir.blogspot.com/2015/01/what-it-looks-like-disassembling.html

Posted : 02/02/2015 4:34 pm
randomaccess
(@randomaccess)
Active Member

Thanks Harlan,
That was my first port of call
Unfortunately my files are DOC* and not DOCX, and the files don't contain macros. When I've opened them up there's very little inside.
It's really the shellcode that I'm a little stuck on, and why OfficeMalScanner is suggesting the files contain malware because it detects a decryption loop.

Has anyone found any references for OfficeMalScanner's index? I'd like to find the scale that it's reported on but haven't had any luck so far.

I'll have to find a few other sample "known good" doc files and see if that's a standard feature that may occur

Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know.

Posted : 03/02/2015 2:06 am
woany
(@woany)
Junior Member

Have you tried oledump by Didier Stevens?

http://blog.didierstevens.com/programs/oledump-py/

The following link shows how it was used to investigate a malicious document:

https://isc.sans.edu/diary/oledump+analysis+of+Rocket+Kitten+-+Guest+Diary+by+Didier+Stevens/19137

Mark

Posted : 03/02/2015 12:16 pm
keydet89
(@keydet89)
Community Legend

RA,

That blog post lists a number of tools…some of which are specific to the older, .doc/OLE file format, rather than the newer PK/XML format.

Posted : 03/02/2015 4:38 pm
athulin
(@athulin)
Community Legend

Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know.

Normal .doc documents don't do that. .docx files renamed to .doc may, as they are ZIP archives to begin with.

However, there are tools like 7-zip that can open .doc files as well as .zip files, and which may give the impression that a change of extension does the change.

Which confuses the situation nicely.

Posted : 03/02/2015 9:05 pm
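The point athulin makes above (a real .doc is an OLE compound file, a .docx is a ZIP archive, and the extension tells you nothing reliable) is easy to check from the first bytes of the file. The script below is an added example, not code from the thread or from OfficeMalScanner/oledump; it uses only the Python standard library, and the three sample files it inspects (a minimal OLE header and an in-memory OOXML ZIP) are constructed inline, so the byte values are illustrative rather than taken from any real document.

```python
"""
Identify what an Office file really is from its leading bytes, not its extension.
Added example for this thread; standard library only, sample inputs constructed below.
"""
import io
import struct
import zipfile

# Magic values at file offset 0 (MS-CFB compound file signature; ZIP local file header).
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"

# Which container each extension is expected to carry (assumed mapping for this example).
OLE_EXTS = {"doc", "dot", "xls", "ppt"}
ZIP_EXTS = {"docx", "docm", "dotx", "dotm", "xlsx", "xlsm", "pptx", "pptm", "zip"}


def container_type(data: bytes) -> str:
    """Classify by magic bytes only: 'ole', 'zip' or 'unknown'."""
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def ole_header(data: bytes):
    """Read a few fields of the 512-byte CFB header (offsets per MS-CFB 2.2)."""
    if len(data) < 512:
        return None
    minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    return {
        "minor_version": minor,
        "major_version": major,
        "byte_order_ok": byte_order == 0xFFFE,   # little-endian marker
        "sector_size": 1 << sector_shift,         # 9 -> 512 bytes, 12 -> 4096 bytes
    }


def ooxml_kind(data: bytes) -> str:
    """For a ZIP container, infer the OOXML application from its part names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "corrupt-zip"
    if "[Content_Types].xml" not in names:
        return "zip"                              # a ZIP, but not an Office package
    for prefix, kind in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
        if any(n.startswith(prefix) for n in names):
            return kind
    return "ooxml-other"


def inspect(filename: str, data: bytes) -> dict:
    """Describe a file and flag when its extension disagrees with its real container."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    container = container_type(data)
    result = {"filename": filename, "extension": ext, "container": container}
    if container == "ole":
        hdr = ole_header(data)
        result["kind"] = "ole-compound"
        result["sector_size"] = hdr["sector_size"] if hdr else None
    elif container == "zip":
        result["kind"] = ooxml_kind(data)
    else:
        result["kind"] = "unknown"
    expected = "ole" if ext in OLE_EXTS else "zip" if ext in ZIP_EXTS else None
    result["extension_matches"] = (expected == container) if expected else None
    return result


def make_ole_sample() -> bytes:
    """Constructed: signature, zero CLSID, minor 0x3E, major 3, byte order, sector shift 9."""
    hdr = OLE_MAGIC + b"\x00" * 16 + struct.pack("<HHHH", 0x3E, 3, 0xFFFE, 9)
    return hdr + b"\x00" * (512 - len(hdr))


def make_docx_sample() -> bytes:
    """Constructed: a minimal OOXML package with the two parts that identify a .docx."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


SAMPLES = {
    "legit.doc": make_ole_sample(),       # genuine binary Word file
    "renamed.doc": make_docx_sample(),    # .docx given a .doc extension
    "renamed.zip": make_docx_sample(),    # .docx given a .zip extension (opens as a ZIP)
}


def run() -> dict:
    return {name: inspect(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, info in run().items():
        print(name, info)
```

Run it over a directory of suspect files and sort on `container` and `extension_matches`: anything reported as `ole` is the binary format the original poster is dealing with, where a ZIP tool showing "a couple of files" is just the tool (7-Zip, for instance) parsing the compound file, not evidence that renaming changed anything.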
randomaccess
(@randomaccess)
Active Member

Edit: Although I did find that changing .doc to .zip allows you to open them as well, which I did not know.

Normal .doc documents don't do that. .docx files renamed to .doc may, as they are ZIP archives to begin with.

However, there are tools like 7-zip that can open .doc files as well as .zip files, and which may give the impression that a change of extension does the change.

Which confuses the situation nicely.

Yeah, when opening a .doc in a zip manager it just shows a couple of files which for the most part don't appear helpful.

Posted : 04/02/2015 2:46 am