Tools for analysing malicious Microsoft Office files
This blog post focuses on tools for analysing malicious Microsoft Office documents. Below are the tools we can use to analyse malicious Microsoft Office files.
OfficeMalScanner is a free command-line tool for finding malicious code in Microsoft Office documents. It locates shellcode, VBA macros, embedded PE files and OLE streams in Excel, Word and PowerPoint documents and can decompress the newer format of Microsoft Office documents.
The Microsoft Office Visualization Tool (OffVis) is a tool from Microsoft that helps in understanding the Microsoft Office binary file format in order to deconstruct .doc-, .xls- and .ppt-based targeted attacks. The easy-to-use tool offers a comprehensive view of any Microsoft Office binary file format sample simply by hovering the cursor over it. The tool then graphically shows the important data structures and records for Microsoft Office Word, Microsoft Office PowerPoint and Microsoft Office Excel, and users can browse and click through each record.
Hachoir-urwid views and edits the contents of binary Office file streams. hachoir-urwid is a binary file explorer that uses the Hachoir library to parse files. Using this tool you can know exactly what each bit/byte of your file means, and with the direction keys you can navigate the field tree.
DisView is a command-line utility used for disassembling shellcode, starting at a specified offset.
pyOLEScanner is a Python-based script written by Giuseppe 'Evilcry' Bonfa and inspired by OfficeMalScanner. It scans Office documents to assess whether they could be malicious. pyOLEScanner.py can examine and decode some aspects of malicious binary Office files.
MalHost extracts shellcode from a given offset in an MS Office file and embeds it in an EXE file for further analysis. It is part of OfficeMalScanner. MalHost-Setup is a tool used to “host” the shellcode embedded in a malicious file. Since Office files execute in the context of their associated Office program, once an exploit occurs the shellcode runs in the context of that program. MalHost-Setup.exe creates a separate binary to host the embedded shellcode, which can streamline analysis of the malicious code.
python-oletools is a package of Python tools to analyze Microsoft OLE2 files (also called Structured Storage, Compound File Binary Format or Compound Document File Format), such as Microsoft Office documents or Outlook messages, mainly for malware analysis, forensics and debugging.
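As an added example (not code from this post or from any of the tools above), here is the first step every one of these tools performs on a sample: telling a legacy OLE2/CFB container apart from a zipped OOXML one by its signature rather than its extension, and sanity-checking the CFB header fields before trusting them. The sample inputs are constructed in memory; field offsets follow the Compound File Binary header layout.

```python
import io, struct, zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt (CFB container)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.xlsx/.pptx (zip container)

def classify_office_file(data):
    """Return 'ole2', 'ooxml' or 'unknown' from the container signature, not the extension."""
    if data[:8] == OLE2_MAGIC:
        return "ole2"
    if data[:4] == ZIP_MAGIC and zipfile.is_zipfile(io.BytesIO(data)):
        if "[Content_Types].xml" in zipfile.ZipFile(io.BytesIO(data)).namelist():
            return "ooxml"
    return "unknown"

def parse_cfb_header(data):
    """Decode the 512-byte CFB header; return None if absent or internally inconsistent."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        return None
    _minor, major, byte_order, sector_shift, mini_shift = struct.unpack_from("<5H", data, 0x18)
    (_dir_sectors, fat_sectors, first_dir, _txn, mini_cutoff,
     _first_minifat, _minifat_sectors, _first_difat, difat_sectors) = struct.unpack_from("<9I", data, 0x28)
    # v3 files use 512-byte sectors (shift 9), v4 files 4096-byte sectors (shift 12); mini sectors are 64 bytes
    if byte_order != 0xFFFE or (major, sector_shift) not in ((3, 9), (4, 12)) or mini_shift != 6:
        return None
    return {"major_version": major, "sector_size": 1 << sector_shift, "fat_sectors": fat_sectors,
            "first_dir_sector": first_dir, "mini_stream_cutoff": mini_cutoff, "difat_sectors": difat_sectors}

def build_sample_cfb_header(sector_shift=9):
    """Constructed minimal v3 header for the demo (not a real document); shift 12 makes it inconsistent."""
    hdr = bytearray(512)
    hdr[0:8] = OLE2_MAGIC
    struct.pack_into("<5H", hdr, 0x18, 0x3E, 3, 0xFFFE, sector_shift, 6)
    # 0 directory sectors (v3), 1 FAT sector, directory at sector 1, 4096-byte mini-stream cutoff,
    # mini FAT and DIFAT chains empty (0xFFFFFFFE = ENDOFCHAIN)
    struct.pack_into("<9I", hdr, 0x28, 0, 1, 1, 0, 0x1000, 0xFFFFFFFE, 0, 0xFFFFFFFE, 0)
    struct.pack_into("<109I", hdr, 0x4C, 0, *([0xFFFFFFFF] * 108))  # DIFAT: FAT at sector 0, rest FREESECT
    return bytes(hdr)

def build_sample_ooxml():
    """Constructed minimal OOXML-style zip for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    return buf.getvalue()
```

A header that fails `parse_cfb_header` is exactly the kind of sample worth handing to OfficeMalScanner or oletools for a closer look, since malformed headers are a common way to trip up parsers.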