Getting Started with RTFScan

Document Analysis using OfficeMalScanner Toolkit

RTFScan is a document forensic analysis tool for [.]rtf documents and is bundled with the OfficeMalScanner Toolkit. The toolkit includes the OfficeMalScanner, RTFScan, DisView and MalHost executables, which help the analyst examine documents related to phishing incidents.

Running the sample document through OfficeMalScanner with the info option, it reports a different file format and points us to RTFScan instead.

Running RTFScan inside the cmd prompt:

RTFScan <sample_doc> scan

This gives us more details about our sample, including the signature found at the malicious offset.

It detects FS:[30] at offset 0xd48. This instruction pattern reads the Process Environment Block (PEB) of the current process, a common first step of position-independent shellcode, so it indicates that shellcode was embedded in the sample to exploit the user’s system.

RTFScan also computes a malicious index; any index above 10 is considered malicious, and in this case RTFScan reports 30.
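As an added illustration (not code from RTFScan or the OfficeMalScanner toolkit), here is a small Python scanner that searches a file for the FS:[30] PEB-access byte patterns and a call/pop GetEIP idiom, reports their offsets in the toolkit's "offset: 0x..." style, and sums assumed weights into a malicious index compared against the threshold of 10 mentioned above. The signature list, the weights and the embedded sample bytes are my own constructions.

```python
import sys
from typing import List, Tuple

# Byte patterns for a few well-known x86 shellcode idioms. This list and the
# weights are assumed for illustration, not the signature set or scoring that
# RTFScan/OfficeMalScanner actually ship. The first three are encodings of
# "mov reg, fs:[0x30]", i.e. the PEB access the tool reports as FS:[30]; the
# last is the classic call/pop trick shellcode uses to learn its own address.
SIGNATURES: List[Tuple[str, bytes, int]] = [
    ("FS:[30] mov eax, fs:[0x30]",     bytes.fromhex("64a130000000"),   10),
    ("FS:[30] mov ecx, fs:[0x30]",     bytes.fromhex("648b0d30000000"), 10),
    ("FS:[30] mov eax, fs:[eax+0x30]", bytes.fromhex("648b4030"),       10),
    ("GetEIP call $+5",                bytes.fromhex("e800000000"),      4),
]
MALICIOUS_THRESHOLD = 10  # an index above 10 is treated as malicious


def scan_bytes(data: bytes) -> List[Tuple[int, str, int]]:
    """Return (offset, signature name, weight) for every hit, sorted by offset."""
    hits = []
    for name, pattern, weight in SIGNATURES:
        pos = data.find(pattern)
        while pos != -1:
            hits.append((pos, name, weight))
            pos = data.find(pattern, pos + 1)
    return sorted(hits)


def malicious_index(hits: List[Tuple[int, str, int]]) -> int:
    """Sum the weights of all hits; the caller compares it to the threshold."""
    return sum(weight for _, _, weight in hits)


def report(data: bytes) -> List[str]:
    """Produce 'offset: 0x...' lines plus a final malicious-index verdict."""
    hits = scan_bytes(data)
    lines = [f"offset: {off:#x}  {name}  bytes={data[off:off + 8].hex()}"
             for off, name, _ in hits]
    idx = malicious_index(hits)
    verdict = "malicious" if idx > MALICIOUS_THRESHOLD else "no verdict"
    lines.append(f"malicious index: {idx} ({verdict})")
    return lines


# Constructed sample: RTF-looking text with a shellcode-like stub embedded.
SAMPLE = (
    b"{\\rtf1\\ansi some harmless text " + b"\x00" * 16
    + bytes.fromhex("31c0648b4030")  # xor eax,eax ; mov eax, fs:[eax+0x30]
    + bytes.fromhex("8b400c")        # mov eax, [eax+0x0c]  (PEB -> Ldr)
    + b" more text "
    + bytes.fromhex("e8000000005b")  # call $+5 ; pop ebx
    + b"}"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print("\n".join(report(data)))
```

Run it with a file path to scan a document on disk, or with no argument to scan the constructed sample, which yields hits at 0x31 and 0x43 and an index of 14.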

Let’s run RTFScan again on the same file, this time with the scan debug option.

We can see that it disassembles the bytes at the malicious offset and presents the code found at that address, from which you can work out what the code is trying to do.

It also dumps the code to a file that can later be used for further analysis.

Tool Demo Summary:

In this lab we combined OfficeMalScanner and RTFScan to analyze an [.]rtf file, which gave us rich information about the malicious offset it contains.

Getting Started with Malhost

MalHost-Setup is the last document analysis tool we will discuss. It is bundled with the OfficeMalScanner Toolkit, and what it does is convert the code at the document’s malicious offset into a PE file to speed up analysis.

We start by running MalHost-Setup.exe inside the cmd prompt with the -h option to see its usage.

Now we run MalHost-Setup.exe inside the cmd prompt:

MalHost-Setup.exe <sample_doc> <new_exe_name> <mal_offset>

It then writes a PE file into the current directory.

For the sake of the demo, let’s submit the file to VirusTotal[.]com for a quick analysis. It is detected by 52 of 70 AV vendors, recognized as a dropper, and flagged as exploiting CVE-2012-0158.

Getting Started with OfficeMalScanner

OfficeMalScanner is a document forensic analysis tool developed by Frank Boldewin that is used to analyze [.]doc files. The toolkit includes the OfficeMalScanner, RTFScan, DisView and MalHost executables, which help the analyst examine documents related to phishing incidents.

Run inside the cmd prompt:

OfficeMalScanner.exe <suspicious_document> info

Running it again with the scan debug option, we can see that it detects assembly instructions inside our document, a good indicator that they are part of shellcode used to exploit the system.

The key indicators here are the offsets at which OfficeMalScanner finds the code:

offset: 0x10ed9

offset: 0x1db00

Opening the dumped file in Notepad++ we see some VBScript.

Tool Summary:

Phishing remains at the top of the list of ways an adversary can breach an organization; the tactic takes the form of sending a malicious document and using psychological pressure to trick the user into opening the file.

In this lab, we discussed use cases for applying forensics to a document and how much data we can extract simply by performing this task as an analyst in our own organization.

Getting Started with DisView

DisView is a tool bundled with the OfficeMalScanner Toolkit; it disassembles the code at a malicious offset that warrants further analysis.

Running DisView.exe inside the cmd prompt:

DisView.exe <sample_doc> <malicious_offset>

It seems we do not see the FS:[30] signature that was detected at offset 0xd48 here, but DisView disassembles the bytes at that offset and presents us with this output.

Now, let’s use DisView on the file dumped by RTFScan in the previous demo.

Using DisView on the dumped OLE file, we disassemble the shellcode inside it.

Tool Summary:

By using DisView together with the other tools in the toolkit, we disassembled the malicious offset and saw the code that lies beneath it.