DocFileViewer is a document forensic analysis tool it is used to analyze [.]doc file extension. This is a GUI tool that can parse and view the OLE structure of Microsoft Doc files.
In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.
Open or drag the document inside the tool.
oledump.py is a document forensic analysis tool developed by Didier Stevens and it is used to analyze OLE files. These files contain streams of data. Oledump allows you to analyze these streams. Many applications use this file format, the best known is MS Office.
In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.
#note: oledump.py will require olefile.py module to run.
Methods to fix this issue:
1. Download python and install olefile: use pip install olefile
2. Download olefile.py and paste it to olydump.py folder
To use the tool, open command prompt and run the following syntax: oledump.py -h
PDFStreamDumper is a tool used for the analysis of malicious PDF documents. It has specialized tools for dealing with obfuscated JavaScript, low-level PDF headers and objects, and shellcode. In terms of shellcode analysis, it has an integrated interface for libemu sctest, an updated build of iDefense sclog, and a shellcode_2_exe feature.
In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.
Drag or open the document inside the tool.
pdf-parser.py is a document forensic analysis tool developed by Didier Stevens and it is used to analyze [.]pdf file extensions. This tool will parse a PDF document to identify the fundamental elements used in the analyzed file.
In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.
pdfid.py is a document forensic analysis tool developed by Didier Stevens and it is used to analyze [.]pdf file extensions. This tool scans a file to look for PDF keywords, allowing you to identify PDF documents that contain JavaScript or execute an action when opened.
In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.
MalHost-Setup is the last tool we will discuss in the OfficeMalScanner toolkit and what it does is converts the document’s malicious offset into an executable to expedite the process of analysis.
In an incident, time is critical to the responder and it must have the skills and the right set tools to perform such action to be able to quickly timeline the attack.
Open command prompt and run:
MalHost-Setup.exe <document_name> <exe_name> <offset_address>
DisView is bundled inside the OfficeMalScanner toolkit, it works by disassembling the code inside the malicious offset for further analysis.
In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.
To use the tool:
Open command prompt run > DisView.exe <document_name> <offset_address>
RTFScan is a document forensic analysis tool to analyze [.]rtf file extensions. The toolkit includes OfficeMalScanner, RTFScan, DisView and MalHost tools that aid the analyst in analyzing documents in relation to phishing incidents.
In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such action to be able to quickly timeline the attack.
OfficeMalScanner is a document analysis part of OfficeMalScanner toolkit that is developed by Frank Boldewin. It is used to analyze [.]doc file extensions. The toolkit includes RTFScan, DisView, MalHost-Setup that aid the analyst in investigating documents that are related to phishing.
In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.
Document Analysis using OfficeMalScanner Toolkit
RTFScan is a document forensic analysis tool for [.]rtf documents, this tool is also included inside the OfficeMalScanner Toolkit. The toolkit includes OfficeMalScanner, RTFScan, DisView, MalHost executable that aids the analyst to analyze documents related to phishing incidents.
By running the sample doc into OfficeMalScanner with info option, it detects a different file format and points us to use RTFScan.
Running RTFScan inside the cmd prompt:
RTFScan <sample_doc> scan
This gives us more details about our sample including the signature found inside the malicious offset.
It detects FS:[30] inside the offset 0xd48 where this means it tries to accesses the PEB of the process and this gives an indication that this sample was then injected with a shellcode that later be used to exploit the user’s system.
Also, RTFScan detects the malicious index and any index that is above 10 is considered malicious and In this case RTFScan detects 30.
Let’s run again RTFScan on the same file but now with the scan debug option.
We can see that it debugs the malicious offset and presents us the code inside the address and from there you can understand what does the code trying to do.
It also dumps a file that can be later use for further analysis.
Tool Demo Summary:
In this lab we combine OfficeMalScanner and RTFScan to perform a document analysis on [.]rtf file and gives us a rich information about the malicious offset residing inside.
⚠️ YOU ARE TRYING TO DOWNLOAD A FILE THAT CONTAINS MALICIOUS EXECUTABLE ⚠️
eyehatemalwares is “PAY WHAT YOU CAN” project.
The zip file associated with this lab is password protected.
For hands-on experience, click the “Donate” button and you will be redirected to eyehatemalwares Paypal donation homepage or scan the QR Code below.
Click the “Download” button again to download the lab zip file.
After successful donation, email us the zip file name and the Paypal transaction details for the password.
Thank you for helping us build this community!
We will make sure that your donation will be use to bring more value to the community.
Contact us: About
– EHM Team