OfficeMalScanner
From Aldeid
Description
OfficeMalScanner analyzes MS Office files (PPT, DOC or XLS) for shellcode heuristics, encrypted PE files and embedded VB macro code.
Installation
Initially built for Windows, OfficeMalScanner can be run under Linux, using Wine.
$ cd /data/src/
$ wget http://www.reconstructer.org/code/OfficeMalScanner.zip
$ unzip OfficeMalScanner.zip
$ wine OfficeMalScanner.exe
Usage
Syntax
OfficeMalScanner <PPT, DOC or XLS file> <scan | info> <brute> <debug>
Options
- scan: scan for several shellcode heuristics and encrypted PE files
- info: dumps OLE structures (offsets and lengths) and saves any VB macro code found
- inflate: decompresses MS Office 2007 documents (e.g. docx) into a temp dir
Switches
(only enabled if option "scan" was selected)
- brute: enables "brute force mode" to find encrypted content
- debug: prints the disassembly or hex output of the matching region when a heuristic fires
Examples
Clean document
$ wine OfficeMalScanner.exe f991afc68c4c65c69d1878e8d34eb787 info
+------------------------------------------+
|          OfficeMalScanner v0.53          |
|  Frank Boldewin / www.reconstructer.org  |
+------------------------------------------+
[*] INFO mode selected
[*] Opening file f991afc68c4c65c69d1878e8d34eb787
[*] Filesize is 733184 (0xb3000) Bytes
[*] Ms Office OLE2 Compound Format document detected
-------------------------------------------------
[OLE Struct of: F991AFC68C4C65C69D1878E8D34EB787]
-------------------------------------------------
Pictures [TYPE: Stream - OFFSET: 0x200 - LEN: 657132]
CurrentUser [TYPE: Stream - OFFSET: 0xa9e80 - LEN: 53]
SummaryInformation [TYPE: Stream - OFFSET: 0xa4000 - LEN: 21848]
PowerPointDocument [TYPE: Stream - OFFSET: 0x9ee00 - LEN: 36197]
DocumentSummaryInformation [TYPE: Stream - OFFSET: 0xa4000 - LEN: 1128]
-----------------------
No VB-Macro code found!
Infected document
$ wine OfficeMalScanner.exe 0ab4a29af51b17335abbe0eb861784aa scan
+------------------------------------------+
|          OfficeMalScanner v0.53          |
|  Frank Boldewin / www.reconstructer.org  |
+------------------------------------------+
[*] SCAN mode selected
[*] Opening file 0ab4a29af51b17335abbe0eb861784aa
[*] Filesize is 236728 (0x39cb8) Bytes
[*] Ms Office OLE2 Compound Format document detected
[*] Scanning now...
Embedded OLE signature found at offset: 0x366b8
Dumping Memory to disk as filename: 0ab4a29af51b17335abbe0eb861784aa__EMBEDDED_OLE__OFFSET=0x366b8.bin
Analysis finished!
-----------------------------------------------------------------------------
0ab4a29af51b17335abbe0eb861784aa seems to be malicious! Malicious Index = 01
-----------------------------------------------------------------------------
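As an added example (not part of the Aldeid page or of OfficeMalScanner itself), the following Python parses the console report format shown above so that many documents can be triaged from a script; the report text embedded below is constructed from the two runs above, and the bounds check on stream offsets is an extra sanity test of our own, not something the tool prints.

```python
import re
from dataclasses import dataclass, field
# Constructed sample reports, abridged from the two runs shown above.
CLEAN = """[*] Opening file f991afc68c4c65c69d1878e8d34eb787
[*] Filesize is 733184 (0xb3000) Bytes
Pictures [TYPE: Stream - OFFSET: 0x200 - LEN: 657132]
PowerPointDocument [TYPE: Stream - OFFSET: 0x9ee00 - LEN: 36197]
No VB-Macro code found!"""
INFECTED = """[*] Opening file 0ab4a29af51b17335abbe0eb861784aa
[*] Filesize is 236728 (0x39cb8) Bytes
Embedded OLE signature found at offset: 0x366b8
0ab4a29af51b17335abbe0eb861784aa seems to be malicious! Malicious Index = 01"""

STREAM_RE = re.compile(r"^(.+?) \[TYPE: (\w+) - OFFSET: (0x[0-9a-f]+) - LEN: (\d+)\]$", re.I)
EMBEDDED_RE = re.compile(r"Embedded OLE signature found at offset: (0x[0-9a-f]+)", re.I)
INDEX_RE = re.compile(r"Malicious Index = (\d+)")

@dataclass
class Report:
    filename: str = ""
    filesize: int = 0
    streams: list = field(default_factory=list)       # (name, type, offset, length)
    embedded_ole: list = field(default_factory=list)  # offsets of embedded OLE signatures
    malicious_index: int = 0                          # 0 when the tool reports none

def parse_report(text):
    """Parse OfficeMalScanner 'info'/'scan' console output into a Report."""
    r = Report()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[*] Opening file "):
            r.filename = line[len("[*] Opening file "):]
        elif line.startswith("[*] Filesize is "):
            r.filesize = int(line.split()[3])
        elif m := STREAM_RE.match(line):
            r.streams.append((m[1], m[2], int(m[3], 16), int(m[4])))
        elif m := EMBEDDED_RE.search(line):
            r.embedded_ole.append(int(m[1], 16))
        elif m := INDEX_RE.search(line):
            r.malicious_index = int(m[1])
    return r

def out_of_bounds_streams(report):
    """Streams whose offset+length runs past the file: a sign of a corrupt or crafted OLE header."""
    return [s for s in report.streams if s[2] + s[3] > report.filesize]

def needs_review(report):
    """Flag a file for a human when the scanner scored it, dumped an embedded OLE object, or a stream is out of bounds."""
    return report.malicious_index > 0 or bool(report.embedded_ole) or bool(out_of_bounds_streams(report))
```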