Office and OLE File Forensic Analysis Primer – 3

by InterDimensional_Shambler
Categories: Analysis, Malware Reverse Engineering


This is a continuation of the Office and OLE File Forensic Analysis Primer.


This post will cover the second scenario, which is an Office XLS file with a malicious macro.

Scenario 2 (XLS):

MD5: a29094974ba5eda35d3440f95531277d

  1. Open the file with a hex editor.
    1. There appears to be a VBA macro (from the string).
    2. At the bottom of this file there appears to be shellcode (garbage text), then a call-out.
    3. The file size is quite large for a simple macro-based doc file; it might have an embedded file.
  2. Open the file with 7-zip. Notice how similar the naming and layout are to the DOC file. NOTE THE MACRO (this is a huge red flag):
    1. There’s also a ctls file (which will not extract properly with 7-zip).
      1. To extract this, use ssview and save the stream.
  3. Get the “RAW CODE”:
    1. OfficeMalScanner will extract partial code metadata.
    2. OfficeMalScanner will also show some shellcode stuff (which is where this tutorial stops, since this covers the basics).
    3. Since this is shellcode, the call-out will have to be enough for now.
  4. Normally this is where the shellcode would be analyzed (but a future post will cover shellcode analysis).
    1. In the real world, this is when the file should be analyzed in a sandbox and those results used.
  5. Do a review.
    1. Need to figure out what the shellcode does; this might be covered in a future post or could be done in a sandbox.
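The listing that 7-zip shows in step 2 comes from the OLE directory, which can also be read directly for triage. The following is an added example, not code from the original post or from any tool it names: it parses the directory of an OLE file and flags VBA project storages. The sample file is constructed inline, and the names `list_entries`, `macro_entries` and `build_sample` are hypothetical.

```python
import struct

MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE signature visible in a hex editor
FREE, EOC = 0xFFFFFFFF, 0xFFFFFFFE          # FREESECT / ENDOFCHAIN markers
TYPES = {1: "storage", 2: "stream", 5: "root"}
MACRO_HINTS = {"_VBA_PROJECT_CUR", "_VBA_PROJECT", "VBA", "MACROS"}

def list_entries(data):
    """Return [(name, type, size)] for each directory entry of an OLE file."""
    if data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    major, _, shift = struct.unpack_from("<3H", data, 26)
    ssize = 1 << shift
    first_dir, = struct.unpack_from("<I", data, 48)
    # Sector n follows the header; short reads are padded so truncated files parse.
    sector = lambda n: data[(n + 1) * ssize:(n + 2) * ssize].ljust(ssize, b"\xff")
    fat = []                                 # built from the 109 header DIFAT slots only
    for s in struct.unpack_from("<109I", data, 76):
        if s != FREE:
            fat += struct.unpack("<%dI" % (ssize // 4), sector(s))
    out, sec, seen = [], first_dir, set()
    while sec < len(fat) and sec not in seen:    # ends on ENDOFCHAIN or a looped chain
        seen.add(sec)
        chunk = sector(sec)
        for off in range(0, ssize, 128):         # 128-byte directory entries
            nlen, etype = struct.unpack_from("<HB", chunk, off + 64)
            if etype in TYPES:
                end = off + max(min(nlen, 64) - 2, 0)   # stored length includes the NUL
                name = chunk[off:end].decode("utf-16-le", "replace")
                size, = struct.unpack_from("<Q", chunk, off + 120)
                out.append((name, TYPES[etype], size & FREE if major == 3 else size))
        sec = fat[sec]
    return out

def macro_entries(data):                     # entry names that indicate a VBA project
    return [n for n, _, _ in list_entries(data) if n.upper() in MACRO_HINTS]

def build_sample():
    """Constructed minimal file: header, one FAT sector, one directory sector."""
    def entry(name, etype, size=0):
        raw = (name + "\0").encode("utf-16-le")
        return struct.pack("<64sHBB3I16sIQQIQ", raw, len(raw), etype, 1,
                           FREE, FREE, FREE, b"", 0, 0, 0, EOC, size)
    hdr = struct.pack("<8s16s5H6s9I", MAGIC, b"", 0x3E, 3, 0xFFFE, 9, 6, b"",
                      0, 1, 1, 0, 0x1000, EOC, 0, EOC, 0)
    hdr += struct.pack("<109I", 0, *[FREE] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, EOC, *[FREE] * 126)
    names = [("Root Entry", 5), ("Workbook", 2), ("_VBA_PROJECT_CUR", 1), ("Ctls", 2)]
    return hdr + fat + b"".join(entry(n, t, 4096 if t == 2 else 0) for n, t in names)
```

The parser reads the directory flat rather than walking the storage tree, so it reports names without their parent paths, and it only follows FAT sectors listed in the header.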

To Be Continued…

The next post in this series will cover the third scenario (DOCX file).
