Analyzing Malicious Microsoft Office Documents
Hi squad,
Today we are going to look at how to analyse Microsoft Office files.
Let’s start
Metadata Analysis
We can use exiftool to read the file's metadata.
We get information about the author.
The same information can be gathered by viewing the file's properties.
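The author field exiftool shows for a modern Office file comes from the package part docProps/core.xml. As an added example that is not part of the original post, the following Python builds a minimal docx-like zip in memory (the file names and metadata values in it are constructed) and reads the same creator/last-modified fields, plus a quick check for the macro container part that OfficeMalScanner-style tools look for.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by docProps/core.xml in OOXML packages (docx/xlsx/pptx).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed core.xml: the names and dates here are sample values, not real metadata.
CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:title>Invoice</dc:title>
<dc:creator>sample-author</dc:creator>
<cp:lastModifiedBy>sample-editor</cp:lastModifiedBy>
<dcterms:created xsi:type="dcterms:W3CDTF">2020-01-01T10:00:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2020-01-02T11:30:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx() -> bytes:
    """Construct a minimal docx-shaped zip containing only the parts this example needs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("docProps/core.xml", CORE_XML)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def extract_core_metadata(data: bytes) -> dict:
    """Return the author-related core properties of an OOXML package (empty dict if absent)."""
    fields = {
        "title": ("dc", "title"),
        "creator": ("dc", "creator"),            # what exiftool reports as Creator/Author
        "last_modified_by": ("cp", "lastModifiedBy"),
        "created": ("dcterms", "created"),
        "modified": ("dcterms", "modified"),
    }
    result = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return result  # legacy binary (OLE2) documents keep metadata elsewhere
        root = ET.fromstring(zf.read("docProps/core.xml"))
    for key, (prefix, tag) in fields.items():
        el = root.find(f"{prefix}:{tag}", NS)
        result[key] = el.text if el is not None else None
    return result


def has_vba_project(data: bytes) -> bool:
    """True if the package carries a VBA macro container (vbaProject.bin) in any part folder."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


if __name__ == "__main__":
    sample = build_sample_docx()
    for k, v in extract_core_metadata(sample).items():
        print(f"{k:17}: {v}")
    print(f"has VBA project  : {has_vba_project(sample)}")
```

Reading the XML directly rather than trusting the Office UI matters because an attacker controls these fields; treat them as hints for pivoting (other samples by the same "creator"), not as proof of origin.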
Scanning for Malicious content
OfficeMalScanner.exe is a tool commonly used to perform an in-depth scan of Microsoft Office documents. It can scan the file for VB macro scripts and for known exploit signatures.
It can also locate embedded PE files by their headers, even when those headers are encoded. We'll use the info option to scan for VB macro scripts.
It finds no VB macro.
Next, we'll use the scan option to look for known malicious signatures and PE headers.
There is something malicious inside the file. The index shows the severity; anything greater than 10 is bad.
In order to tell what the hidden payload is, we need to extract it first. The report mentioned that the suspicious code was found at offset 0x23C. To extract the complete code, we can add the debug option instead of carving it out manually.
Examining the malicious embedded code
The easiest way to analyse the payload without reading the assembly is to turn it into an exe file; scanning an exe is often easier than tracing assembly code. We can use the MalHost-Setup.exe tool to perform this task.
We can analyse the generated code.exe in PeStudio.
We see a lot of red flags.
Let's analyse it with an anti-virus scanner.
As shown above, it is flagged as a Trojan.
Extra Mile
We can look at the assembly listing.
The FLDZ instruction pushes a 0 onto the FPU register stack, and FNSTENV stores the FPU environment (which includes the address of the last executed FPU instruction) to the address given as its operand.
These instructions help in doing a backflip into the stack to execute our shellcode. [1]
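The scan output in the "Scanning for Malicious content" section and the FLDZ/FNSTENV pair described here are both things a byte-level scanner can find. The following Python is an added example, not OfficeMalScanner's code: it searches a buffer for the GetPC stub (FLDZ; FNSTENV [esp-12]) and a PEB lookup, and for MZ/PE headers in plain form or encoded with a single-byte XOR key, the way the tool's encoded-PE detection works in outline. The signature list, the score weights, and the sample buffer (with its payload placed at 0x23C to mirror the report above) are constructed for the example.

```python
import struct

# x86 byte encodings of two shellcode idioms that document scanners commonly flag.
SIGNATURES = {
    "FLDZ/FNSTENV [esp-12] (GetPC stub)": bytes.fromhex("D9EED97424F4"),  # fldz ; fnstenv [esp-0xC]
    "MOV EAX, FS:[30h] (PEB lookup)": bytes.fromhex("64A130000000"),      # mov eax, fs:[0x30]
}
# Score weights are an assumption for this example, not OfficeMalScanner's own index.
WEIGHTS = {"PE header": 20, "signature": 10}
MAX_E_LFANEW = 0x1000  # sanity bound on the MZ -> PE header distance


def find_signatures(data: bytes):
    """Return (name, offset) for every occurrence of a known signature."""
    hits = []
    for name, pat in SIGNATURES.items():
        start = 0
        while (pos := data.find(pat, start)) != -1:
            hits.append((name, pos))
            start = pos + 1
    return hits


def find_pe_headers(data: bytes, max_key: int = 0xFF):
    """Return (offset, xor_key) for MZ headers whose e_lfanew points at a PE signature.

    Key 0 covers plain embedded executables; keys 1..max_key cover single-byte XOR encoding.
    """
    hits = []
    for key in range(max_key + 1):
        mz = bytes((0x4D ^ key, 0x5A ^ key))  # 'M','Z' as they look under this key
        start = 0
        while (pos := data.find(mz, start)) != -1:
            start = pos + 1
            if pos + 0x40 > len(data):
                continue
            raw = bytes(b ^ key for b in data[pos + 0x3C:pos + 0x40])
            e_lfanew = struct.unpack("<I", raw)[0]
            pe_off = pos + e_lfanew
            if e_lfanew < MAX_E_LFANEW and pe_off + 4 <= len(data):
                sig = bytes(b ^ key for b in data[pe_off:pe_off + 4])
                if sig == b"PE\x00\x00":
                    hits.append((pos, key))
    return hits


def scan(data: bytes) -> dict:
    """Combine both searches into a report with an additive severity score."""
    findings, score = [], 0
    for name, pos in find_signatures(data):
        findings.append(f"{name} at 0x{pos:X}")
        score += WEIGHTS["signature"]
    for pos, key in find_pe_headers(data):
        enc = "plain" if key == 0 else f"XOR key 0x{key:02X}"
        findings.append(f"PE header ({enc}) at 0x{pos:X}")
        score += WEIGHTS["PE header"]
    return {"score": score, "findings": findings}


def build_sample() -> bytes:
    """Constructed input: benign text, a GetPC stub at 0x100, an XOR-0x5A PE stub at 0x23C."""
    buf = bytearray((b"This is a benign paragraph of document text. " * 40)[:0x400])
    buf[0x100:0x106] = SIGNATURES["FLDZ/FNSTENV [esp-12] (GetPC stub)"]
    # Minimal DOS/PE header skeleton: 'MZ', e_lfanew = 0x40 at offset 0x3C, 'PE\0\0' at 0x40.
    pe = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 0x10
    encoded = bytes(b ^ 0x5A for b in pe)
    buf[0x23C:0x23C + len(encoded)] = encoded
    return bytes(buf)


if __name__ == "__main__":
    report = scan(build_sample())
    for line in report["findings"]:
        print(line)
    print(f"score: {report['score']}")
```

The PE check deliberately requires the e_lfanew pointer to resolve to a PE signature under the same key; matching only the two MZ bytes across 256 keys would fire on ordinary text. Once a hit is confirmed, the offset and key are what you need to carve and decode the payload for the PeStudio and anti-virus steps above.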
Please give a clap if you found this useful, and follow me for more hacking knowledge.