killchain-compendium/Forensics/OOXML.md


# Office Open XML (OOXML) Forensics

Microsoft OOXML documents (docx, docm, xlsx, pptx and similar) are zip containers holding a set of XML parts plus any binary parts they reference. Malicious content found in them includes external links, exploit payloads, embedded (often hidden) objects and, most commonly, VBA macros.

## Triage

### File Overview

Get an overview of the composition of an OOXML zip container with decalage's oleid or Marco Pontello's trid.
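The following is an added example, not part of the compendium or of oleid/trid, showing what a composition overview amounts to when done by hand: walk the zip, flag the VBA project part, embedded-object parts and relationships that point outside the package. The sample document is constructed inline (the `vbaProject.bin` bytes and the URL `http://example.invalid/payload` are placeholders, not a real macro project), so the script runs offline.

```python
"""Minimal OOXML triage by walking the zip container (added example)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace of OPC relationship files (word/_rels/document.xml.rels etc.).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# The VBA project lives in a binary OLE part named vbaProject.bin.
VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
# Embedded OLE objects and packages are stored under <app>/embeddings/.
EMBED_DIR_RE = re.compile(r"^(word|xl|ppt)/embeddings/", re.IGNORECASE)


def triage_ooxml(data: bytes) -> dict:
    """Return composition facts for an OOXML package given as raw bytes."""
    result = {
        "is_zip": False,
        "parts": [],
        "vba_parts": [],
        "embedded": [],
        "external_targets": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return result  # legacy OLE2 (.doc/.xls) or not an Office file at all
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            result["parts"].append(name)
            if VBA_PART_RE.search(name):
                result["vba_parts"].append(name)
            if EMBED_DIR_RE.match(name):
                result["embedded"].append(name)
            if name.endswith(".rels"):
                # Relationships with TargetMode="External" leave the package:
                # hyperlinks, remote templates, linked OLE objects.
                try:
                    root = ET.fromstring(zf.read(name))
                except ET.ParseError:
                    continue  # malformed .rels is itself worth noting, but skip here
                for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode", "").lower() == "external":
                        result["external_targets"].append(rel.get("Target"))
    return result


def triage_flags(result: dict) -> list:
    """Summarise the triage dict as a list of short flags for a report."""
    flags = []
    if result["vba_parts"]:
        flags.append("vba-macros")
    if result["embedded"]:
        flags.append("embedded-objects")
    if result["external_targets"]:
        flags.append("external-links")
    return flags


def build_sample_docx() -> bytes:
    """Construct a tiny docx-like package for demonstration (not a real document)."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/'
        'officeDocument/2006/relationships/hyperlink" '
        'Target="http://example.invalid/payload" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/vbaProject.bin", b"PLACEHOLDER-NOT-A-REAL-OLE-STREAM")
        zf.writestr("word/embeddings/oleObject1.bin", b"PLACEHOLDER")
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_ooxml(build_sample_docx())
    for key, value in report.items():
        print(f"{key}: {value}")
    print("flags:", triage_flags(report))
```

For a real file, pass `open(path, "rb").read()` to `triage_ooxml`; a legacy OLE2 document comes back with `is_zip` false and belongs with the ole* tools below instead.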

### Going deeper

Take a look at the header via olemap:

```sh
olemap file.doc
```

Get the properties of the streams inside via olemeta:

```sh
olemeta.py file.doc
```

Check the content of a stream via oledump, especially macros:

```sh
oledump.py -M file.doc
oledump.py file.doc -Ss <No. of stream>
oledump.py file.doc -Ss <No. of stream> -v
oledump.py -i file.doc
```

Check VBA scripts and other suspicious elements inside the document via olevba:

```sh
olevba file.doc
olevba3 file.doc
```

Check file modification timestamps through oletimes:

```sh
oletimes file.doc
```

## ViperMonkey VBA Emulation

ViperMonkey is a VBA emulation engine written in Python, designed to analyze and deobfuscate malicious VBA macros contained in Microsoft Office files (Word, Excel, PowerPoint, Publisher, etc.).

Emulate VBA scripts or macros via decalage2's vmonkey:

```sh
vmonkey file.doc -o vmonkey-result.json
```

## scdbg

scdbg is a shellcode emulator and debugger, useful for analysing shellcode recovered from exploit documents; see the scdbg repo.

## Outlook

Outlook files like .msg can be read and converted to standard .eml with the msgconvert tool from perl-email-outlook-message:

```sh
msgconvert *.msg
```