2015/05/19

Office and OLE File Forensic Analysis Primer – 1

by InterDimensional_Shambler
Categories: Analysis, Malware Reverse Engineering

Office and OLE File Forensic Analysis Primer

Warning! Actual malware will be executed following these instructions, use caution and a sandbox with NO INTERNET.

This is the Office and OLE File Forensic Analysis Primer. It’s intended to get you from:

“How do I analyze an office file?”

To

“Hey I can tell the difference between a malicious, a suspicious, and a legitimate office file.”

This will not cover shellcode extraction and analysis (that might get covered in a future post).

This will mostly focus on how to do this manually (without automated tools), but the VERY useful tools are still necessary to complement the manual analysis.

Tools

Scenarios

Since there are a lot of things to cover, the analysis will be broken up into a couple of posts. The scenarios covered will be drawn from the recent rise in macro-based Office malware:

Office File Structures & Background

Before the scenarios are covered, some background information is needed.

These three scenarios were chosen because they show the differences and similarities between the most common Microsoft Office file types.

What are the differences/similarities between DOC/XLS and DOCX/XLSX files?

  • Older Office files (DOC/XLS) are actually OLE Compound Files.
  • Newer Office files (DOCX/XLSX) are actually ZIP archives (with XML files to retain structure).
  • Luckily 7-Zip recognizes both file structures and can open either one and extract (almost) all of the files without missing any data.
    • Note: With the OLE Compound File structure there will be some “hidden” data that might not extract (due to compression…“magic”).
    • For this scenario SSView is helpful.
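As an added example (not code from the original post), a small Python triage helper that applies the distinction above: it recognises the OLE Compound File magic and parses the header fields every OLE reader relies on, or treats the file as an OOXML ZIP and lists its entries, flagging vbaProject.bin, the macro container behind the macro-based scenarios this series covers. Header offsets follow the [MS-CFB] layout; both sample inputs are constructed inside the block and are not real documents.

```python
import io
import struct
import zipfile

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # OLE Compound File (DOC/XLS)
ZIP_MAGIC = b"PK\x03\x04"                         # ZIP local header (DOCX/XLSX)

def parse_ole_header(data):
    """Parse the 512-byte OLE compound file header (offsets per [MS-CFB])."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    minor, major, byte_order, sector_shift = struct.unpack_from("<HHHH", data, 24)
    num_fat, first_dir = struct.unpack_from("<II", data, 44)
    if byte_order != 0xFFFE:
        raise ValueError("unexpected byte-order mark 0x%04x" % byte_order)
    if (major, sector_shift) not in ((3, 9), (4, 12)):
        raise ValueError("version %d / sector shift %d mismatch" % (major, sector_shift))
    return {"format": "ole", "major_version": major, "sector_size": 1 << sector_shift,
            "fat_sectors": num_fat, "first_dir_sector": first_dir}

def triage(data):
    """Classify bytes as OLE (DOC/XLS), OOXML ZIP (DOCX/XLSX) or unknown."""
    if data[:8] == OLE_MAGIC:
        return parse_ole_header(data)
    if data[:4] == ZIP_MAGIC:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        # vbaProject.bin is itself an OLE file: the VBA macro storage in .docm/.xlsm
        return {"format": "ooxml", "entries": names,
                "has_vba_project": any(n.lower().endswith("vbaproject.bin") for n in names)}
    return {"format": "unknown"}

def sample_ole_header():
    """Constructed sample: a valid, empty v3 OLE header (not from any real file)."""
    hdr = bytearray(512)
    hdr[0:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)  # minor, major, BOM, shifts
    struct.pack_into("<II", hdr, 44, 1, 1)  # one FAT sector; directory starts at sector 1
    return bytes(hdr)

def sample_docm():
    """Constructed sample: minimal OOXML ZIP carrying a dummy vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()
```

A real DOC/XLS still needs the FAT and directory walked (as 7-Zip or SSView do) to reach the streams; this block only gets as far as a consistent header.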

Manual Analysis Methodology

Taking a manual approach can be daunting, so here are some things to keep in mind:

  • Know your (expected) end goal:
    • Call-outs, dropped file(s), or shellcode is typically what is malicious.
  • “Rabbit holes” / How to tell when analysis is exhausted:
    • Were ALL of the items looked at?
      • During the analysis of these items were ALL questions answered?
    • Did you run out of time, money, or data?

To Be Continued…

The next post in this series will cover the first scenario (DOC file).


