Office and OLE File Forensic Analysis Primer – 4

by InterDimensional_Shambler
Categories: Analysis, Malware Reverse Engineering
Tags: No Tags
Comments: 1 Comment

Office and OLE File Forensic Analysis Primer – 4

This is a continuation of the Office and OLE File Forensic Analysis Primer. This post will cover the third scenario which is an office DOCX file with a malicious macro.

Scenario 3 (DOCX):

MD5: e8377c5bc65819f51fae7b6d801d08f7

  1. Open the file with a hex editor. Note the difference not only in header/footer but general layout differences. This is the nice thing about later office documents (no need for “special tools” to do BASIC analysis on the components of the office document.
  2. Open the file with 7-zip and inspect all items (doing this a couple of times with different documents will reveal how easy it is to identify malicious objects). Some personal notes (that seem to always be true):

    1. All of the _rels file point to files inside of the document (relationship files). These should be benign.
    2. There isn’t a way that I’m aware of to hide any maliciousness inside of the XML files. (but inspect them non-the-less they should be human-readable).
    3. Red Flag (vbaproject.bin (MACRO))
      1. Opening this in a hex editor makes it look like an OLE file signature.
      2. Open this with 7-zip to extract objects (but they won’t be human-readable).
  1. Get the “RAW CODE”:
    1. There are two available options for doing this:
      1. See if code loads inside of Microsoft word (loading any potentially malicious file could alter itself)
      2. Use OfficeMalScanner to extract the code.
    2. In this example opening it with office will suffice (plus it is valuable to know what the user experiences).

    1. This is what a “simple” macro will look like (please enable macros), for this scenario while the document is open press ALT + F11 to open Microsoft Visual Basic for Applications
    2. Lucky! There’s no password-protection on the macro (even though it can be easily bypassed and the directions for that will be in a future post). From here the call-out is EASILY visible:


Basic analysis of office-type malware is (mostly) simple. The most difficult things to analyze are shellcode, obfuscation (reversing code), and getting some of the third-party tools to do what is needed.

Knowing what these files are (and how to extract the embedded files) really helps the analysis because when using the analysis tools the output can then be analyzed with an expectation of results and know when they have failed (this is to not miss something).

There are much more complicated examples of malicious office documents, if there is one that you would like analyzed let us know in the comments. The next post will be about office analysis will cover manual removal of passwords on macros, and how to analyze MSO files.

1 Comment »

  1. Mags says:

    Have you ever come across a (File>Open) password protected .docx file?

    None of the common analysis tools work for these files since the data inside the container is encrypted.
    I am trying to analyze a file from an email attachment, where the password is given as plain text in the email body.
    We get more than a handful of these emails per week, but this is the first time that they came as password protected .docx file attachments.

    Is there any way to safely strip/remove the password (since it is known), so that the common analysis tools can be used to break down the structure and reveal the exploit?

    Might be a great idea for a future walk-through post on here.. If you would like to take a look at the file (password included), please shoot me an email.

Leave a Reply

Your email address will not be published. Required fields are marked *

Today is Tuesday