Malicious Office documents come in all type of flavors, sometimes very simple: they contain just an embedded file (for example an EXE), without any script or exploit to automatically launch the embedded file. The user is persuaded through social engineering to extract and execute the embedded file.
Analyzing such files in a sandbox will often not reveal the malicious payload, as the sandbox engine needs to recognize and open the embedded file.
Static analysis is simple however. Let width:1267px” />
If you want to practice this type of analysis, its easy to create your own samples: with Word, use command: Insert / Object / Object / Create from file …
Inserting object like this can result in other types of documents, which I will cover in an upcoming diary.
Didier Stevens
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.