71 lines
1.6 KiB
Markdown
71 lines
1.6 KiB
Markdown
# Open Office XML Format (OOXML) Forensics
|
|
|
|
Microsoft OOXML documents like docx, docm, xlsx and pptx consist of a bunch of
|
|
XML documents inside a zip file. Malicious content therein could be for example
|
|
links, exploits, embedded (hidden) objects or for the most part macros.
|
|
|
|
## Triage
|
|
|
|
### File Overview
|
|
|
|
Take a look at the file composition inside an OOXML zipped file via [decalage's oleid](https://github.com/decalage2/oletools.git) or [Marko Pontello's trid](https://www.mark0.net/soft-trid-e.html).
|
|
|
|
### Going deeper
|
|
|
|
Take a look at the header via `olemap`
|
|
|
|
```sh
|
|
olemap file.doc
|
|
```
|
|
|
|
Get the properties of streams in side via `olemeta`
|
|
|
|
```sh
|
|
olemeta.py file.doc
|
|
```
|
|
|
|
Check content inside a stream via `oledump`, especially macros
|
|
|
|
```sh
|
|
oledump.py -M file.doc
|
|
oledump.py file.doc -Ss <No. of stream>
|
|
oledump.py file.doc -Ss <No. of stream> -v
|
|
oledump.py -i file.doc
|
|
```
|
|
|
|
Check VBA scripts and malicious elements inside the document via `olevba`
|
|
|
|
```sh
|
|
olevba file.doc
|
|
olevba3 file.doc
|
|
```
|
|
|
|
Check file modification timestamps through `oletimes`
|
|
|
|
```sh
|
|
oletimes file.doc
|
|
```
|
|
|
|
### Vipermonkey VBA Emulation
|
|
|
|
>ViperMonkey is a VBA Emulation engine written in Python, designed to analyze and deobfuscate malicious VBA Macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc).
|
|
|
|
Emulate VBA scripts or macros via [decalage2's Vmonkey](https://github.com/decalage2/ViperMonkey.git)
|
|
|
|
```sh
|
|
vmonkey file.doc -o vmonkey-result.json
|
|
```
|
|
|
|
## scdbg
|
|
|
|
[scdbg repo](https://github.com/dzzie/SCDBG.git)
|
|
|
|
## Outlook
|
|
|
|
Outlook files like `.msg` can be read and changed to by
|
|
perl-email-outlook-message via
|
|
|
|
```sh
|
|
msgconvert *.msg
|
|
```
|