# Open Office XML Format (OOXML) Forensics

Microsoft OOXML documents such as docx, docm, xlsx and pptx are zip archives
containing a set of XML documents. Malicious content inside them can take the
form of links, exploits or embedded (hidden) objects, but most often it is macros.

## Triage

### File Overview

Take a look at the file composition inside an OOXML zipped file via [decalage2's oleid](https://github.com/decalage2/oletools.git) or [Marco Pontello's trid](https://www.mark0.net/soft-trid-e.html).
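The same overview can be scripted with the Python standard library. The following is an added example, not part of oletools or trid: it walks the zip, flags VBA project parts and embedded objects, and lists relationships whose target lies outside the package. The function names, the size cap and the sample package are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL = "{http://schemas.openxmlformats.org/package/2006/relationships}Relationship"
MAX_PART = 5 * 1024 * 1024  # assumed cap: skip oversized .rels parts (zip-bomb guard)

def triage_ooxml(data: bytes) -> dict:
    """List macro storages, embedded objects and external relationship targets."""
    found = {"macros": [], "embedded": [], "external": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name, low = info.filename, info.filename.lower()
            if low.endswith("vbaproject.bin"):
                found["macros"].append(name)        # VBA project storage (OLE2)
            elif "/embeddings/" in low:
                found["embedded"].append(name)      # embedded OLE objects / files
            elif low.endswith(".rels") and info.file_size <= MAX_PART:
                root = ET.fromstring(zf.read(info))
                for rel in root.iter(REL):
                    # TargetMode="External" means the target is outside the zip
                    if rel.get("TargetMode") == "External":
                        kind = rel.get("Type", "").rsplit("/", 1)[-1]
                        found["external"].append((name, kind, rel.get("Target")))
    return found

def build_sample() -> bytes:
    """Constructed sample: a minimal docm-like package, not a valid Word file."""
    rels = (
        '<?xml version="1.0"?><Relationships xmlns='
        '"http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/hyperlink" '
        'Target="https://example.invalid/landing" TargetMode="External"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/styles" Target="styles.xml"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE2 magic only
        zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0")
    return buf.getvalue()

if __name__ == "__main__":
    for category, items in triage_ooxml(build_sample()).items():
        print(category, items)
```

To triage a real file, pass its bytes, for example `triage_ooxml(open("file.docm", "rb").read())`.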

### Going deeper

Take a look at the header via `olemap`

```sh
olemap file.doc
```

Get the properties of the streams inside via `olemeta`

```sh
olemeta.py file.doc
```

Check content inside a stream via `oledump`, especially macros

```sh
oledump.py -M file.doc
oledump.py file.doc -Ss <No. of stream>
oledump.py file.doc -Ss <No. of stream> -v
oledump.py -i file.doc
```

Check VBA scripts and malicious elements inside the document via `olevba`

```sh
olevba file.doc
olevba3 file.doc
```

Check file modification timestamps through `oletimes`

```sh
oletimes file.doc
```

### ViperMonkey VBA Emulation

> ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).

Emulate VBA scripts or macros via [decalage2's Vmonkey](https://github.com/decalage2/ViperMonkey.git)

```sh
vmonkey file.doc -o vmonkey-result.json
```

## scdbg

[scdbg repo](https://github.com/dzzie/SCDBG.git)

## Outlook

Outlook files like `.msg` can be read and converted with
perl-email-outlook-message via

```sh
msgconvert *.msg
```