DocFileViewer is a document forensic analysis tool used to analyze [.]doc files. It is a GUI tool that can parse and view the OLE structure of Microsoft Word [.]doc files.
In an incident, time is critical to the responder, and they must have the skills and the right tools to perform such an action to be able to quickly timeline the attack.
oledump.py is a document forensic analysis tool developed by Didier Stevens and is used to analyze OLE files. These files contain streams of data, and oledump lets you analyze these streams. Many applications use this file format; the best known is MS Office.
Note: oledump.py requires the olefile.py module to run.
Methods to fix this issue:
1. Install Python, then install olefile with: pip install olefile
2. Download olefile.py and place it in the same folder as oledump.py
To use the tool, open a command prompt and run: oledump.py -h
PDFStreamDumper is a tool used for the analysis of malicious PDF documents. It has specialized tools for dealing with obfuscated JavaScript, low-level PDF headers and objects, and shellcode. In terms of shellcode analysis, it has an integrated interface for libemu sctest, an updated build of iDefense sclog, and a shellcode_2_exe feature.
pdf-parser.py is a document forensic analysis tool developed by Didier Stevens and is used to analyze [.]pdf files. This tool parses a PDF document to identify the fundamental elements used in the analyzed file.
pdfid.py is a document forensic analysis tool developed by Didier Stevens and is used to analyze [.]pdf files. This tool scans a file for PDF keywords, allowing you to identify PDF documents that contain JavaScript or execute an action when opened.
MalHost-Setup is the last tool we will discuss in the OfficeMalScanner toolkit. It converts the document’s malicious offset into an executable to expedite the analysis process.
DisView is bundled inside the OfficeMalScanner toolkit; it disassembles the code at the malicious offset for further analysis.
RTFScan is a document forensic analysis tool used to analyze [.]rtf files. The toolkit includes the OfficeMalScanner, RTFScan, DisView and MalHost tools, which aid the analyst in analyzing documents related to phishing incidents.
OfficeMalScanner is the document analysis component of the OfficeMalScanner toolkit, developed by Frank Boldewin. It is used to analyze [.]doc files. The toolkit also includes RTFScan, DisView and MalHost-Setup, which aid the analyst in investigating documents related to phishing.
RTFScan is a document forensic analysis tool for [.]rtf documents and is also included in the OfficeMalScanner toolkit. The toolkit includes the OfficeMalScanner, RTFScan, DisView and MalHost executables, which aid the analyst in analyzing documents related to phishing incidents.
Running the sample doc through OfficeMalScanner with the info option, it detects a different file format and points us to use RTFScan.
Running RTFScan inside the cmd prompt:
RTFScan <sample_doc> scan
This gives us more details about our sample, including the signature found inside the malicious offset.
It detects FS:[30] at offset 0xd48. This means the code tries to access the PEB of the process, which is an indication that this sample was injected with shellcode that is later used to exploit the user’s system.
RTFScan also reports a malicious index; any index above 10 is considered malicious, and in this case RTFScan reports 30.
Let’s run RTFScan again on the same file, now with the scandebug option.
We can see that it debugs the malicious offset and presents the code at that address; from there you can work out what the code is trying to do.
It also dumps a file that can later be used for further analysis.
Tool Demo Summary:
In this lab we combined OfficeMalScanner and RTFScan to perform document analysis on an [.]rtf file, which gave us rich information about the malicious offset residing inside.
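To show what RTFScan's FS:[30] hit and its malicious index mean in practice, here is an added example (not part of the original lab or of the OfficeMalScanner toolkit) that decodes the hex-encoded \objdata of an RTF and searches the result for a few hand-picked shellcode idioms, reporting each hit's offset. The sample RTF, the signature list and the weights are constructed for illustration; only the threshold of 10 is taken from the text above.

```python
import re

# Constructed sample: a minimal RTF whose \objdata group carries a hex-encoded OLE1
# package. After the OLE1 header comes mov eax, fs:[30h] (64 A1 30 00 00 00), the
# PEB-access idiom RTFScan reports as FS:[30], surrounded by padding (not a program).
OLE1_HEADER = bytes.fromhex("01050000020000000b000000") + b"Package" + b"\x00" * 9
PAYLOAD = b"\x90" * 4 + bytes.fromhex("64a130000000") + b"\xcc" * 4
SAMPLE_RTF = (rb"{\rtf1\ansi{\object\objemb{\*\objdata "
              + (OLE1_HEADER + PAYLOAD).hex().encode("ascii") + b"}}}")

# Hand-picked x86 idioms common in shellcode. The weights are my own illustration of
# a "malicious index"; they are not RTFScan's scoring table.
SIGNATURES: dict[str, tuple[bytes, int]] = {
    "FS:[30] mov eax,fs:[30h]": (bytes.fromhex("64a130000000"), 10),
    "NOP sled (4+ bytes)": (b"\x90" * 4, 3),
}
MALICIOUS_INDEX_THRESHOLD = 10  # the page: an index above 10 is treated as malicious

def extract_objdata(rtf: bytes) -> list[bytes]:
    """Decode the hex content of every \\objdata group in the RTF."""
    blobs = []
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+?)}", rtf):
        hexdata = re.sub(rb"\s+", b"", m.group(1))
        if len(hexdata) % 2:            # tolerate a truncated trailing nibble
            hexdata = hexdata[:-1]
        blobs.append(bytes.fromhex(hexdata.decode("ascii")))
    return blobs

def scan_blob(blob: bytes) -> list[tuple[str, int]]:
    """Return (signature name, byte offset) for every signature occurrence in blob."""
    hits = []
    for name, (pattern, _weight) in SIGNATURES.items():
        start = 0
        while (idx := blob.find(pattern, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])

def scan_rtf(rtf: bytes) -> tuple[list[tuple[int, str, int]], int]:
    """Scan every \\objdata blob; return [(blob#, signature, offset)] and the summed index."""
    findings, index = [], 0
    for n, blob in enumerate(extract_objdata(rtf)):
        for name, off in scan_blob(blob):
            findings.append((n, name, off))
            index += SIGNATURES[name][1]
    return findings, index

if __name__ == "__main__":
    for n, name, off in scan_rtf(SAMPLE_RTF)[0]:
        print(f"objdata #{n}: {name} at offset 0x{off:x}")
```

On the constructed sample the NOP sled is reported at offset 0x1c and FS:[30] at 0x20, for a summed index of 13, above the threshold.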
⚠️ YOU ARE TRYING TO DOWNLOAD A FILE THAT CONTAINS MALICIOUS EXECUTABLE ⚠️
eyehatemalwares is a “PAY WHAT YOU CAN” project.
The zip file associated with this lab is password protected.