Shulou(Shulou.com)06/01 Report--

Reference:

Tools: how to analyze malicious documents [http://www[.]4hou.com/technology/2634[.]html]

(2) oletools introduction of OLE document analysis tools

[http://ahageek[.]com/blog/oletools-introduce/]

(3) github oletools

[https://github[.]com/decalage2/oletools]

(4) an example of spam analysis

[http://blog[.]51cto[.]com/skytina/2051426]

(5) Analysis of doc files in malicious emails

[http://www[.]freebuf[.]com/articles/82814.html]

(6) use of oledump.py

[https://blog[.]didierstevens[.]com/2014/12/17/introducing-oledump-py/]

(7) tool set

[http://www[.]malware-analyzer[.]com/document-analysis-tools]

(8) use of officeMalScan

[https://www[.]aldeid[.]com/wiki/OfficeMalScanner/OfficeMalScanner]

Using the python environment

Some tools need to use the python2 version, so I installed the python2.7 and python3.5 versions on this machine.

Change python.exe to python2.exe in the python2.7 installation directory and write the path to the environment variable, so you can complete the switch. Don't forget to install pip [https://pypi[.]python[.]org/pypi/pip]

Failed to install pip

Install settools [https://pypi[.]python[.]org/pypi/setuptools]

Reinstall pip successfully

Similarly, we change pip.exe to pip2.exe and write to the environment variable

Two modified file names

Use the shortcut key ALT+F11 or click on the macro in the menu toolbar to edit the macro

two。 Use oledump

Install the module olefile

Pip install olefile

Download oledump

Use oledump

Use the-s option to select the module and view the data. I'll choose the seventh one here.

Then oledump-s 7 filename

The file needs to have the correct file suffix, otherwise the data will not be seen. I took it, too.

Use-v to convert the corresponding module to an vbs document

The specific macro function will not be looked at.

There are many other functions, please use-h to view learning.

3. Use officeMalscanner.exe to view macros

Use-h to view help documentation

Office can only be parsed in xml format. , suspend the use first.

Remember to use inflate to extract info and extract macros.

4. Use oletools

Download and install

Under the directory tools, use olevbapy

-c: only macro codes in word are displayed

-a: automatically analyze whether the word is suspicious

There are still many things available for oletools. Check it out in the catalog for yourself.

Sample:

(1) SHA256 41a84ee951ec7efa36dc16c70aaaf6b8e6d1bce8bd9002d0a b5236197eb3b32a

(2) md5: 370751889f591000daa40c400d0611f2

(3) WIN_019_11.doc, SHA256 6780af202bf7534fd7fcfc37aa57e5a998e188ca7d65e22c0ea658 c73fad36a2

(4) WIN_019_11.doc, SHA256 f36cb4c31ee6cbce90b5d879cd2a97bcfe23a38d37365196c25e 6ff6a9f8aaa6

Thank you for sharing and learning.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.