
Malicious Document Analysis

Malicious documents are a ubiquitous source of infection, so it is worth learning to analyze them.

Static Analysis

In .xlsm, the trailing m denotes a macro-enabled workbook.

  1. We can unzip the Excel document (OOXML files are zip archives) to see its contents and check whether anything interesting appears.

  2. Use tools like oledump.py on REMnux.

oledump.py is a powerful tool developed by Didier Stevens for analyzing OLE (Object Linking and Embedding) files. These are the container format of legacy Microsoft Office documents (e.g., .doc, .xls, .ppt) and can hold embedded objects such as macros, scripts, or even malicious payloads.


🔍 Purpose of oledump.py

Primarily used in malware analysis and digital forensics, oledump.py helps:

  • Inspect internal streams in OLE files.

  • Detect and extract VBA macros, which may be obfuscated or malicious.

  • Analyze potential malware hidden inside Office documents (e.g., phishing attachments).

e.g.

remnux@remnux:~/Downloads$ oledump.py sheetsForFinancial.xlsm 
A: xl/vbaProject.bin
 A1:       468 'PROJECT'
 A2:        86 'PROJECTwm'
 A3: M    7829 'VBA/Module1'
 A4: m    1196 'VBA/Sheet1'
 A5: m    1204 'VBA/ThisWorkbook'
 A6:      3130 'VBA/_VBA_PROJECT'
 A7:      4020 'VBA/__SRP_0'
 A8:       272 'VBA/__SRP_1'
 A9:      3892 'VBA/__SRP_2'
A10:       220 'VBA/__SRP_3'
A11:       680 'VBA/__SRP_4'
A12:       106 'VBA/__SRP_5'
A13:       464 'VBA/__SRP_6'
A14:       106 'VBA/__SRP_7'
A15:       562 'VBA/dir'

The capital M flag on stream A3 marks a macro stream that contains code (lowercase m marks a macro stream holding only attribute lines). We can extract and decompress it:

oledump.py -s A3 -v sheetsForFinancial.xlsm

The -v option prints the decompressed VBA source.
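What the -v option does under the hood: VBA source inside a module stream is stored as an MS-OVBA CompressedContainer (a 0x01 signature followed by chunks of literal and back-reference tokens). The decompressor below is added here as an example; it is not part of oledump.py or of the original page. It assumes it is handed the container bytes starting at the module's text offset (in a real vbaProject.bin that offset comes from the dir stream), and the two input buffers are hand-constructed for illustration.

```python
"""Decompress an MS-OVBA CompressedContainer, the encoding Office uses for
VBA module source.  Added example, not from the original page."""


def decompress_vba(data: bytes) -> bytes:
    """Return the decompressed bytes of a VBA CompressedContainer."""
    if not data or data[0] != 0x01:
        raise ValueError("not a VBA CompressedContainer (missing 0x01 signature)")
    out = bytearray()
    pos = 1
    while pos + 1 < len(data):
        # Chunk header: low 12 bits = compressed chunk size - 3, bit 15 = compressed flag.
        header = data[pos] | (data[pos + 1] << 8)
        chunk_size = (header & 0x0FFF) + 3
        compressed = (header >> 15) & 1
        chunk_end = min(pos + chunk_size, len(data))
        pos += 2
        chunk_start = len(out)
        if not compressed:
            # Raw chunk: up to 4096 literal bytes follow the header.
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end and len(out) - chunk_start < 4096:
            flags = data[pos]
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    # Literal token: one byte copied as-is.
                    out.append(data[pos])
                    pos += 1
                    continue
                # Copy token: 16-bit value split into offset (high bits) and length (low bits);
                # the split point depends on how much of this chunk has been decompressed so far.
                token = data[pos] | (data[pos + 1] << 8)
                pos += 2
                diff = len(out) - chunk_start
                bit_count = max((diff - 1).bit_length(), 4)
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                if offset > len(out):
                    raise ValueError("copy token references bytes before the output start")
                for _ in range(length):
                    out.append(out[-offset])  # byte-by-byte so overlapping copies work
    return bytes(out)


# Constructed test vectors (not taken from any real sample).
# Four literals 'ABCD' followed by a copy token (offset 4, length 8).
SAMPLE_ABCD = bytes.fromhex("01 06 b0 10 41 42 43 44 05 30")
# Literal 'Sub Run()\r\nEnd ' then a copy of 'Sub' from 15 bytes back, then '\r\n'.
SAMPLE_MODULE = bytes.fromhex("01 15 b0 00 53 75 62 20 52 75 6e 28 80 29 0d 0a 45 6e 64 20 00 e0 00 0d 0a")

if __name__ == "__main__":
    print(decompress_vba(SAMPLE_ABCD))
    print(decompress_vba(SAMPLE_MODULE).decode())
```

Note that a stream flagged M is the whole module stream, not just the container: the PerformanceCache precedes the compressed source, so in practice the container is located via the module's offset from the dir stream before calling a routine like this one.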

.docm files can likewise contain macros.

A .docx file cannot carry macros itself, yet it can still cause macros to run.

e.g.

After unzipping such a .docx we find a settings file that references a .dotm (Document Template + Macros) hosted on a remote server; Word fetches that template when the document is opened, and the macros it serves are executed.
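As an added example (not from the original page), a small Python triage script that performs step 1 above and the settings-file check just described: it lists the zip entries, flags any vbaProject.bin, and parses every .rels part for External relationships, reporting an attachedTemplate relationship, which is how a .docx tells Word to fetch a remote .dotm. The two sample documents are built in memory and the template URL is a constructed placeholder.

```python
"""Offline first-pass triage of an OOXML document (.docx/.docm/.xlsx/.xlsm).
Added example; the sample documents below are constructed, not real samples."""
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = OFFICE_REL_NS + "/attachedTemplate"


def triage_ooxml(data: bytes) -> dict:
    """Inspect one OOXML document given as bytes and return triage findings."""
    findings = {"entries": [], "vba_project": [], "external_rels": [], "remote_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        findings["entries"] = zf.namelist()
        for name in zf.namelist():
            lower = name.lower()
            # Any vbaProject.bin means an embedded VBA project: hand it to oledump.py.
            if lower.endswith("vbaproject.bin"):
                findings["vba_project"].append(name)
            # Relationship parts declare every link a part has; TargetMode="External"
            # means the target lives outside the package (a URL or UNC path).
            if lower.endswith(".rels"):
                root = ET.fromstring(zf.read(name))
                for rel in root.iter("{%s}Relationship" % PKG_REL_NS):
                    if rel.get("TargetMode") != "External":
                        continue
                    rel_type = rel.get("Type", "")
                    target = rel.get("Target", "")
                    findings["external_rels"].append((name, rel_type, target))
                    if rel_type == ATTACHED_TEMPLATE:
                        findings["remote_templates"].append(target)
    return findings


def verdict(findings: dict) -> list:
    """Human-readable flags derived from triage_ooxml() output."""
    notes = []
    if findings["vba_project"]:
        notes.append("embedded VBA project: " + ", ".join(findings["vba_project"]))
    if findings["remote_templates"]:
        notes.append("remote attached template (macros fetched at open): "
                     + ", ".join(findings["remote_templates"]))
    return notes


def _zip(parts: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_docx() -> bytes:
    """Constructed .docx: no macros inside, but settings.xml attaches a remote .dotm
    (placeholder host, not a real indicator)."""
    settings = ('<?xml version="1.0" encoding="UTF-8"?>'
                '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="%s"><w:attachedTemplate r:id="rId1"/></w:settings>' % OFFICE_REL_NS)
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
            'Target="http://template-host.example/invoice.dotm" TargetMode="External"/>'
            '</Relationships>' % (PKG_REL_NS, ATTACHED_TEMPLATE))
    return _zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<document/>",
                 "word/settings.xml": settings, "word/_rels/settings.xml.rels": rels})


def build_sample_xlsm() -> bytes:
    """Constructed .xlsm: carries a dummy vbaProject.bin and only internal relationships."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/worksheet" '
            'Target="worksheets/sheet1.xml"/></Relationships>' % (PKG_REL_NS, OFFICE_REL_NS))
    return _zip({"[Content_Types].xml": "<Types/>", "xl/workbook.xml": "<workbook/>",
                 "xl/_rels/workbook.xml.rels": rels, "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 dummy"})


if __name__ == "__main__":
    for label, doc in (("docx", build_sample_docx()), ("xlsm", build_sample_xlsm())):
        print(label, verdict(triage_ooxml(doc)))
```

Run it against a real file with `triage_ooxml(open(path, "rb").read())`; the external_rels list is worth reading in full, since external relationships of other types (linked images, oleObject links) are also used to reach out to remote servers.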
