killchain-compendium/Forensics/OOXML.md

71 lines
1.6 KiB
Markdown
Raw Normal View History

# Open Office XML Format (OOXML) Forensics
Microsoft OOXML documents like docx, docm, xlsx and pptx consist of a bunch of
XML documents inside a zip file. Malicious content therein could be for example
links, exploits, embedded (hidden) objects or for the most part macros.
## Triage
### File Overview
Take a look at the file composition inside an OOXML zipped file via [decalage's oleid](https://github.com/decalage2/oletools.git) or [Marko Pontello's trid](https://www.mark0.net/soft-trid-e.html).
### Going deeper
Take a look at the header via `olemap`
```sh
olemap file.doc
```
Get the properties of streams in side via `olemeta`
```sh
olemeta.py file.doc
```
Check content inside a stream via `oledump`, especially macros
```sh
oledump.py -M file.doc
oledump.py file.doc -Ss <No. of stream>
oledump.py file.doc -Ss <No. of stream> -v
oledump.py -i file.doc
```
Check VBA scripts and malicious elements inside the document via `olevba`
```sh
olevba file.doc
olevba3 file.doc
```
Check file modification timestamps through `oletimes`
```sh
oletimes file.doc
```
### Vipermonkey VBA Emulation
>ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).
Emulate VBA scripts or macros via [decalage2's Vmonkey](https://github.com/decalage2/ViperMonkey.git)
```sh
vmonkey file.doc -o vmonkey-result.json
```
## scdbg
[scdbg repo](https://github.com/dzzie/SCDBG.git)
## Outlook
Outlook files like `.msg` can be read and changed to by
perl-email-outlook-message via
```sh
msgconvert *.msg
```