Category: Document Analysis

Document Analysis using OfficeMalScanner Toolkit

MalHost-Setup is the last tool we will discuss in document analysis, it is bundled together with OfficeMalScanner Toolkit and what it does it it converts the document’s malicious offset into a PE file to expedite the process of analysis.

We start running MalHost-Setup.exe inside the cmd prompt with the -h option

Now we run MalHost-Setup.exe inside the cmd prompt:

MalHost-Setup.exe <sample_doc> <new_exe_name> <mal_offset>

It then dumps a PE file inside the directory

For the sake of demo, let’s submit the file to VirusTotal[.]com for fast analysis. It is detected 52/70 AV vendor and recognized as Dropper and exploits CVE-2012-0158.

Document Analysis using OfficeMalScanner Toolkit

OfficeMalScanner is a document forensic analysis tool developed by Frank Boldewin that is use to analyze [.]doc file extension. The toolkit includes OfficeMalScanner, RTFScan, DisView, MalHost executable that aids the analyst to analyze documents related to phishing incidents.

Run inside the cmd prompt:

OfficeMalScanner.exe <suspicious_document> info

Running it again with scan debug option command we can see it detects assembly instruction inside our document which a good indicator that it is some part of some shellcode use to exploit the system.

Key indicators here are the offsets where OfficeMalScanner detects where the code resides.

offset: 0x10ed9

offset: 0x1db00

Opening the dumped file in NP++ we see some VB Script.

Tool Summary:

Phishing remain on the top of list where an adversary can and able to breach an organization, this tactic Is in form of sending a malicious document and applying psychology to trick the user to click the file.

In this lab, we discussed the use cases of the applying forensics in a document and how rich data can we extract just by performing the task as an analyst in our own organization.

Document Analysis using OfficeMalScanner Toolkit

DisView is a tool bundled inside the OfficeMalScanner Toolkit, it is used to disassemble the code inside the malicious offset that indicates further analysis.

Running DisView.exe inside the cmd prompt:

DisView.exe <sample_doc> <malicious_offset>

It seems we do not see the FS:[30] signature detected on offset 0xd48 but it disassembles the offset and presents us with this data.

Now, let’s use the DisView with the dumped file in performing RTFScan done from the previous demo.

Using DisView and the dumped OLE file we then disassemble the shellcode inside the file.

Tool Summary:

By using the DisView inside the toolkit and combining them together we then disassemble the malicious offset and see the code lies beneath it.