Document Analysis using OfficeMalScanner Toolkit
DisView is a tool bundled inside the OfficeMalScanner Toolkit, it is used to disassemble the code inside the malicious offset that indicates further analysis.
Running DisView.exe inside the cmd prompt:
DisView.exe <sample_doc> <malicious_offset>
It seems we do not see the FS:[30] signature detected on offset 0xd48 but it disassembles the offset and presents us with this data.
Now, let’s use the DisView with the dumped file in performing RTFScan done from the previous demo.
Using DisView and the dumped OLE file we then disassemble the shellcode inside the file.
Tool Summary:
By using the DisView inside the toolkit and combining them together we then disassemble the malicious offset and see the code lies beneath it.
