Basic Office maldoc analysis, (Mon, Jul 10th)

Malicious Office documents come in all type of flavors, sometimes very simple: they contain just an embedded file (for example an EXE), without any script or exploit to automatically launch the embedded file. The user is persuaded through social engineering to extract and execute the embedded file.

Analyzing such files in a sandbox will often not reveal the malicious payload, as the sandbox engine needs to recognize and open the embedded file.

Static analysis is simple however. Let width:1267px” />

If you want to practice this type of analysis, its easy to create your own samples: with Word, use command: Insert / Object / Object / Create from file …

Inserting object like this can result in other types of documents, which I will cover in an upcoming diary.

Didier Stevens
Microsoft MVP

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

No comments yet.

Leave a Reply

Please leave these two fields as-is:

Protected by Invisible Defender. Showed 403 to 1,055,638 bad guys.