OfficeMalScanner released

OfficeMalScanner is an MS Office forensic tool that scans documents for malicious traces, such as shellcode heuristics, embedded PE files or embedded OLE streams. It supports disassembly and hex view as well as a simple brute-force mode to detect encrypted (XOR-obfuscated) embedded files. In addition, an Office file is scanned for VB macro code and, if found, the macro source is extracted for further analysis.

http://www.reconstructer.org/code/OfficeMalScanner.zip

Enjoy!

Thanks for sharing this mate.

I was asked by some people why the scanner isn't scanning newer Office 2007 files.

Here is the answer:

OfficeMalScanner scans only the old OLE format, because the newer formats like docx, pptx and xlsx are nothing more than zipped XML files. And as the current exploits on Office files are related to this old OLE binary format, I just support this currently.

The scanner checks for \xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1 at the beginning of the file to detect the old format.

But if you can send me some real-life exploits stored as Office 2007 XML files, I will think of an update! ;)

Great Tool! Thanks a lot!

Cheers! I have tested this against several samples and I think it's working great. Thanks for sharing this.

I've recently updated my scanner to v0.42

www.reconstructer.org/code/OfficeMalScanner.zip

because of this PowerPoint exploit, found in the wild:

md5sum: 3b4578ffa8cb2f5d416294f1f371a175

http://blog.trendmicro.com/air-france-flight-447-spam-arrives-with-powerpoint-exploit/

My scanner now dumps the found encrypted embedded OLE structure into a file.

OfficeMalScanner.exe \OfficeMal\apptom_c.PPT-1 scan brute

FS:[30h] (Method 1) signature found at offset: 0x506e
PUSH DWORD[]/CALL[] signature found at offset: 0x50ab
PUSH DWORD[]/CALL[] signature found at offset: 0x5137
PUSH DWORD[]/CALL[] signature found at offset: 0x518a
PUSH DWORD[]/CALL[] signature found at offset: 0x51c5
PUSH DWORD[]/CALL[] signature found at offset: 0x51d6
PUSH DWORD[]/CALL[] signature found at offset: 0x5250
PUSH DWORD[]/CALL[] signature found at offset: 0x528b
PUSH DWORD[]/CALL[] signature found at offset: 0x52bb
PUSH DWORD[]/CALL[] signature found at offset: 0x52c1
PUSH DWORD[]/CALL[] signature found at offset: 0x52cd

Brute-forcing for encrypted PE- and embedded OLE-files now...
XOR encrypted embedded OLE signature found at offset: 0x10b00 - encryption KEY: 0x85

Dumping Memory to disk as filename: apptom_c__memdump-XOR-KEY=0x85.dmp

---------------------------

Now we can cut the dumped file apptom_c__memdump-XOR-KEY=0x85.dmp from 0x0 to 0x10aff with a hex editor, so that we have the typical OLE header at the beginning (D0 CF 11 E0 A1 B1 1A E1), and then save the file.

Afterwards we scan the adjusted dumped file again and get the following results:

OfficeMalScanner.exe "\OfficeMal\apptom_c__memdump-XOR-Key=0x85.dmp" scan

API-Name GetTempPath string found at offset: 0x1d532
API-Name GetTempPath string found at offset: 0x2563e
API-Name GetWindowsDirectory string found at offset: 0x1d550
API-Name GetWindowsDirectory string found at offset: 0x25612
API-Name IsBadReadPtr string found at offset: 0x27e84
API-Name CreateFile string found at offset: 0x1d542
API-Name CreateFile string found at offset: 0x255c6
API-Name CloseHandle string found at offset: 0x1d488
API-Name CloseHandle string found at offset: 0x25556
API-Name ReadFile string found at offset: 0x2559a
API-Name WriteFile string found at offset: 0x1d526
API-Name WriteFile string found at offset: 0x255d4
API-Name SetFilePointer string found at offset: 0x1da62
API-Name SetFilePointer string found at offset: 0x255a6
API-Name VirtualAlloc string found at offset: 0x1d4f2
API-Name VirtualAlloc string found at offset: 0x1da74
API-Name VirtualAlloc string found at offset: 0x259b2
API-Name VirtualAlloc string found at offset: 0x27e68
API-Name GetProcAddr string found at offset: 0x1d504
API-Name GetProcAddr string found at offset: 0x25b48
API-Name GetProcAddr string found at offset: 0x27e58
API-Name LoadLibrary string found at offset: 0x1d516
API-Name LoadLibrary string found at offset: 0x2578a
API-Name LoadLibrary string found at offset: 0x27e48
Function prolog signature found at offset: 0x16c61
Function prolog signature found at offset: 0x16e58
Function prolog signature found at offset: 0x1748b
Function prolog signature found at offset: 0x176cb
Function prolog signature found at offset: 0x17914
Function prolog signature found at offset: 0x17abf
Function prolog signature found at offset: 0x17b2f
Function prolog signature found at offset: 0x17c3a
Function prolog signature found at offset: 0x17de3
Function prolog signature found at offset: 0x187c1
Function prolog signature found at offset: 0x1a055
Function prolog signature found at offset: 0x1a2e5
Function prolog signature found at offset: 0x1b76a
Function prolog signature found at offset: 0x22bdc
Function prolog signature found at offset: 0x2360a
unencrypted MZ/PE signature found at offset: 0x15c00
unencrypted MZ/PE signature found at offset: 0x1ddfc

As you can see, both embedded executables are being found now. :)

cheers,
frank
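The two detection steps Frank describes, the plain OLE magic check and the single-byte XOR brute force for an embedded OLE header followed by carving from the hit offset, written out as an added Python example. This is not OfficeMalScanner's code; the function names and the constructed sample are assumptions made here for illustration.

```python
import sys

# Magic bytes of the legacy OLE2 / Compound File format, i.e. the header the
# post checks for at file start: D0 CF 11 E0 A1 B1 1A E1.
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def is_ole_container(data: bytes) -> bool:
    """The plain format check: does the file start with the OLE magic?"""
    return data.startswith(OLE_MAGIC)


def find_xor_ole_headers(data: bytes, min_key: int = 1, max_key: int = 255):
    """Return sorted (offset, key) pairs where OLE_MAGIC occurs XORed with a
    single-byte key. Key 0 is excluded by default: a plaintext header is
    reported by is_ole_container() rather than as an 'encrypted' hit."""
    hits = []
    for key in range(min_key, max_key + 1):
        needle = bytes(b ^ key for b in OLE_MAGIC)
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, key))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def carve_decoded(data: bytes, offset: int, key: int) -> bytes:
    """Decode everything from the hit offset onwards with the found key.
    This is the manual step from the post (drop bytes 0x0..offset-1 so the
    result starts with the OLE header) done without a hex editor."""
    return bytes(b ^ key for b in data[offset:])


def build_constructed_sample(key: int = 0x85, prefix_len: int = 0x100) -> bytes:
    """Constructed test input, not a real malware sample: deterministic filler
    followed by an OLE header and a fake body, all XORed with `key`."""
    inner = OLE_MAGIC + bytes(16) + b"constructed OLE body"
    filler = bytes((7 * i) & 0xFF for i in range(prefix_len))
    return filler + bytes(b ^ key for b in inner)


if __name__ == "__main__":
    # Pass a file path to scan a real document, otherwise use the sample.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    print("starts with plain OLE header:", is_ole_container(raw))
    for off, k in find_xor_ole_headers(raw):
        print(f"XOR-encoded OLE header at offset 0x{off:x}, key 0x{k:02x}")
```

Carving to end of file is deliberately generous; the real extent of the embedded container follows from the sector layout in its own header.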

Nice work as usual Frank. :)

Thanks

Thank you for the information. I intend to give this a go as it sounds like it is working well for others.