Document Analysis using OfficeMalScanner Toolkit
MalHost-Setup is the last tool we will discuss in document analysis. It is bundled with the OfficeMalScanner Toolkit, and it converts the document’s malicious offset into a PE file to expedite the analysis process.
We start by running MalHost-Setup.exe inside the cmd prompt with the -h option.
Now we run MalHost-Setup.exe inside the cmd prompt:
MalHost-Setup.exe <sample_doc> <new_exe_name> <mal_offset>
It then dumps a PE file inside the directory.
For the sake of the demo, let’s submit the file to VirusTotal[.]com for fast analysis. It is detected by 52/70 AV vendors and recognized as a Dropper exploiting CVE-2012-0158.
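Before relying on a scan verdict, it is worth confirming that the file MalHost-Setup dumped is a well-formed PE and recording its hash and basic header facts. The following is an added example, not code from the original post or from the OfficeMalScanner toolkit; the function names and the sample bytes are constructed for illustration.

```python
import hashlib
import struct

MACHINES = {0x014C: "x86", 0x8664: "x64"}  # common COFF machine types

def triage_pe(data: bytes) -> dict:
    """Check that a dumped file has well-formed PE headers; return triage facts."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header: not a PE file")
    # e_lfanew (offset 0x3C of the DOS header) points at the PE signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("MZ header present but PE signature missing")
    # The 20-byte COFF file header follows the 4-byte signature.
    machine, n_sections, timestamp, _, _, opt_size, flags = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # Section table: 40-byte entries after the optional header, name in first 8 bytes.
    sections, off = [], e_lfanew + 24 + opt_size
    for _ in range(n_sections):
        if off + 40 > len(data):
            break  # truncated dump: report only what is actually present
        sections.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
        off += 40
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINES.get(machine, hex(machine)),
        "timestamp": timestamp,
        "is_dll": bool(flags & 0x2000),  # IMAGE_FILE_DLL
        "sections": sections,
    }

def constructed_sample() -> bytes:
    """Constructed minimal PE header (not a real sample): x86, one .text section."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + b".text\0\0\0" + bytes(32)

if __name__ == "__main__":
    # For a real run, read the file MalHost-Setup wrote instead of the sample.
    for key, value in triage_pe(constructed_sample()).items():
        print(f"{key}: {value}")
```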