Getting Started with Malhost

Document Analysis using OfficeMalScanner Toolkit

MalHost-Setup is the last tool we will discuss in document analysis. It is bundled with the OfficeMalScanner Toolkit, and it converts the malicious code at a given offset in the document into a PE file to expedite analysis.

We start by running MalHost-Setup.exe inside the cmd prompt with the -h option.

Now we run MalHost-Setup.exe inside the cmd prompt:

MalHost-Setup.exe <sample_doc> <new_exe_name> <mal_offset>

It then dumps a PE file inside the directory.

For the sake of the demo, let’s submit the file to VirusTotal[.]com for fast analysis. It is detected by 52 of 70 AV vendors, recognized as a Dropper, and flagged as exploiting CVE-2012-0158.
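
A quick check on the dumped file, as an added example (not part of the OfficeMalScanner Toolkit or the original page): it confirms that the file MalHost-Setup wrote parses as a PE, lists its sections, and computes the SHA-256, which can be searched on VirusTotal without uploading the file. The function names and the constructed sample bytes are assumptions for illustration.

```python
import hashlib
import struct
import sys

def inspect_pe(data: bytes) -> dict:
    """Parse PE headers of a dumped file; raise ValueError if it is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, ..., SizeOfOptionalHeader, Characteristics
    machine, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size
    sections = []
    for i in range(nsect):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        # Last field: does the section's raw data actually fit inside the file?
        sections.append((name, rptr, rsize, rptr + rsize <= len(data)))
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "machine": hex(machine), "sections": sections}

def build_sample() -> bytes:
    """Constructed minimal 32-bit PE (headers plus zero padding), for offline runs."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    sect = b".text\0\0\0" + struct.pack("<IIII", 0x1000, 0x1000, 0x200, 0x200) + b"\0" * 16
    return (dos + b"PE\0\0" + coff + sect).ljust(0x400, b"\0")

if __name__ == "__main__":
    # Pass the path of the file written by MalHost-Setup; falls back to the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(inspect_pe(blob))
```

A ValueError here usually means the wrong file was passed (for example the original document instead of the new executable), and a section marked False means the dump is truncated.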