Handling of suspicious Office files

lucas1985 · Jun 18, 2007

SANS.org discussion

Some small tools can come in really useful if you want to avoid attaching a debugger to your Word session. Consider using your stock anti-virus.
Click to expand...

Another tool that is still useful is the regular hex-editor, or even strings. Seeing the MZ ‘magic’ and a stub executable, or even the UPX markers in a Word file is unusual:
Click to expand...
Code:
dhahran:/tmp# hexdump -C malicious.doc | grep "UPX" 
0103d0 55 50 58 30 00 00 00 00 00 20 12 00 00 10 00 00 |UPX0..... ......| 
0103f0 00 00 00 00 80 00 00 e0 55 50 58 31 00 00 00 00 |........UPX1....| 
010420 55 50 58 32 00 00 00 00 00 10 00 00 00 60 12 00 |UPX2.........`..| 
0105e0 55 50 58 21 0c 09 05 06 5c 5d 41 a8 32 6d b5 68 |UPX!....\]A.2m.h| 
Other useful tools have been released by Sourcefire and SecureWorks. SourceFire’s OfficeCat scans an Office file for the exploitation of a long list of known vulnerabilities.
Click to expand...

OfficeCat

OfficeCat is a command line utility that can be used to process Microsoft Office Documents for the presence of potential exploit conditions in the file.
Click to expand...
Code:
Vulnerabilities Checked by OfficeCat:

- CVE Entries:

CVE-2006-0001 
CVE-2006-1301 
CVE-2006-1306 
CVE-2006-1308 
CVE-2006-1540 
CVE-2006-2492 
CVE-2006-3014 
CVE-2006-3086 
CVE-2006-3431 
CVE-2006-3432 
CVE-2006-3493 
CVE-2006-3590 
CVE-2006-3656 
CVE-2006-3864 
CVE-2006-3865 
CVE-2006-3875 
CVE-2006-3876 
CVE-2006-3877 
CVE-2006-4534 
CVE-2006-4694 
CVE-2006-4700 
CVE-2006-4701 
CVE-2006-5994 
CVE-2006-5995 
CVE-2006-6456 
CVE-2006-6561 
CVE-2007-0027 
CVE-2007-0030 
CVE-2007-0031 
CVE-2007-0515 
CVE-2007-0671 

- Microsoft Advisories:

MS06-059 
MS06-062 
MS07-002 
MS07-014 
MS07-015 
Microsoft released a tool called STG, which can display the different structure components and their contents. This can prove valuable when you’re trying to identify malicious components.
Click to expand...

STG: MFC Docfile Viewer

The STG application demonstrates how to browse OLE Structured Storage Files (DocFiles) using an MFC application. The application uses the CTreeView class to visually represent the structured storage.
Click to expand...

FileAlyzer

Useful threads:
- Executable types and Malware
- Antivirus is DEAD!
- Preventing MSWord Exploits

Mrkvonic · Jun 19, 2007

Hello,
Nice one, cheers!
Mrk

lucas1985 · Jun 19, 2007

The final goal is to make a collection of tools/techniques/procedures which can help in determining the safety/legitimacy of a file without having programming/virus analyst skills.
Without this, what's the purpose of a security setup if somebody can't say (with enough certainty) if a file is harmful or not?

Mrkvonic · Jun 19, 2007

Don't forget the ultimate tool - Linux. Any decent file explorer - so to say - in a Linux distro, will correctly display file type, plus allow you very safe handling of Windows files, without any fear of getting infected or such. To say nothing of hexing.
Mrk

Log in or Sign up

Handling of suspicious Office files

lucas1985 Retired Moderator

Mrkvonic Linux Systems Expert

lucas1985 Retired Moderator

Mrkvonic Linux Systems Expert

Log in or Sign up

Handling of suspicious Office files

lucas1985 Retired Moderator

Mrkvonic Linux Systems Expert

lucas1985 Retired Moderator

Mrkvonic Linux Systems Expert

Useful Searches