Skip to content

litneet64/maldoc-analysis

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
Dockerfile
Dockerfile
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 

Repository files navigation

Docker Cloud Build Status Docker Cloud Automated build Docker Image Size (latest by date) GitHub

Maldoc Analysis

Dockerfile for maldoc analysis purposes.

Introduction

Contains all the major tools used for MS Office files' analysis:

  • ViperMonkey
  • OleDump + all plugins
  • YARA + yara-python
  • Those included in oletools:

Usage

$ podman run -it --rm -v ./my_ole_files:/playground/ole_files litneet64/maldoc-analysis

Inside the container, you can use the tools as:

analyst@4bd1ba63266d:/playground$ ./oledump.py ole_files/emotet.doc
1:       114 '\x01CompObj'
2:      4096 '\x05DocumentSummaryInformation'
3:      4096 '\x05SummaryInformation'
4:      7544 '1Table'
5:        97 'Macros/Get4ipjzmjfvp/\x01CompObj'
6:       296 'Macros/Get4ipjzmjfvp/\x03VBFrame'
7:       231 'Macros/Get4ipjzmjfvp/f'
8:       232 'Macros/Get4ipjzmjfvp/o'
9:       601 'Macros/PROJECT'
10:       134 'Macros/PROJECTwm'
11: M    1442 'Macros/VBA/Dw75ayd2hpcab6'
12: M   34177 'Macros/VBA/Get4ipjzmjfvp'
13: M    3452 'Macros/VBA/Rk3572j7tam4v8'
14:     11093 'Macros/VBA/_VBA_PROJECT'
15:       913 'Macros/VBA/dir'
16:    134771 'WordDocument'
analyst@4bd1ba63266d:/playground$
analyst@4bd1ba63266d:/playground$
analyst@4bd1ba63266d:/playground$ olevba ole_files/emotet.doc
.
. # stripped as output is too long
.
-------------------------------------------------------------------------------
VBA FORM Variable "Cn8r2cg8i626ztt" IN 'ole_files/emotet.doc' - OLE stream: u'Macros/Get4ipjzmjfvp'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
][(s)]wtu][(s)]w
+----------+--------------------+---------------------------------------------+
|Type      |Keyword             |Description                                  |
+----------+--------------------+---------------------------------------------+
|AutoExec  |Document_open       |Runs when the Word or Publisher document is  |
|          |                    |opened                                       |
|Suspicious|Create              |May execute file or a system command through |
|          |                    |WMI                                          |
|Suspicious|CreateObject        |May create an OLE object                     |
|Suspicious|ChrW                |May attempt to obfuscate specific strings    |
|          |                    |(use option --deobf to deobfuscate)          |
|Suspicious|Hex Strings         |Hex-encoded strings were detected, may be    |
|          |                    |used to obfuscate strings (option --decode to|
|          |                    |see all)                                     |
+----------+--------------------+---------------------------------------------+

Tips / Resources

This is not the only way for analyzing a maldoc, as most tools here are meant for static analysis (except for ViperMonkey). You can actually get more useful information to grasp what the macros are doing via dynamic analysis (AKA running the macros). A good way for doing this is using AnyRun's sandbox services.

More resources for usage of the tools mentioned above:

About

Dockerfile for static maldoc analysis purposes

Topics

dockerfile macros malware-analysis ole-files oletools maldoc

Resources

Readme

License

MIT license
Activity

Stars

3 stars

Watchers

2 watching

Forks

1 fork
Report repository

Languages