Since malicious Office documents became prevalent again by the end of 2014, and are still prevalent today, new analysis tools have been developed. These free, open-source analysis tools written in Python have the advantage of running on many operating systems.
In this lab, Didier Stevens has 28 exercises to get you familiarized with his tools and malicious Office documents.
First we cover the “old”, pre-Office 2007 file format used by Office. This binary file format is the OLE Compound file format. The first 4 exercises cover this file format for the different Office applications. This binary file format is still relevant today, not only because it is still widely used, but also because the new file format (Office 2007 and later) includes elements of this binary file format. Didier’s tool oledump.py is used to analyze these exercises.
Then we look at the new file format (Office 2007 and later), which is essentially composed of XML files contained in a ZIP archive. We then we look at simple examples with VBA code. oledump.py is used to extract the VBA code (no need to use Office).
After covering the 2 main file formats and their analysis, we can focus on malware and the VBA features it uses to compromise systems. 4 exercises illustrate the 2 main types of malicious documents encountered today: downloaders and droppers. To evade detection and thwart analysis, malware authors use obfuscations. We conduct the analysis of 3 exercises illustrating code obfuscation and 6 exercises illustrating string obfuscation. Finally, the lab covers less common file formats that malware authors masquerade as .doc files. An example is the MIME file format.
Didier’s free open-source tools oledump.py, zipdump.py, base64dump.py, emldump.py, … will be used in this lab, along with plugins for oledump.py. Attendees to this lab will be able to download the exercises and tools. USB sticks will also be available.
The lab can be done on Windows, OSX and Linux machines. Linux users should pre-install Python 2.7 with their package manager. Windows and OSX users can choose to install Python 2.7 at the start of the lab.