File Structure
Macros
A letter m at the end of the extension (for example .docm) means the document contains macros. The reverse is not guaranteed: a document that contains macros does not always carry a different extension, so inspect the contents rather than trusting the file name.
oleid <docname>     # summary of indicators (macros, OLE objects, encryption) for the file
oleobj <docname>    # extract embedded OLE objects from the file
oledump.py -s 3 --vbadecompresscorrupt report.docm   # dump stream 3 and decompress its VBA even if the stream is corrupt
olevba <docname>    # extract and analyse the macro source from the doc
Templates
Another way an Office document can misbehave is through remote templates. Word itself shows many legitimate templates in its GUI when you open the program without opening any file. Inside the unzipped document, open the _rels folder and the settings.xml.rels file, then check the Relationship tag and its Target attribute. Inspect that link to decide whether the document is malicious.
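The two checks above (does the package embed a VBA project regardless of its extension, and does any relationship point outside the package) can be automated from the ZIP structure alone. The script below is an added example and is not part of the original notes or of oletools; it goes slightly beyond the settings.xml.rels case by scanning every *.rels part for external targets (remote templates, external OLE objects, hyperlinks). The sample documents, the .example domain and the placeholder vbaProject.bin content are constructed here so the script runs offline.

```python
"""Static triage of an OOXML Office document (docx/docm/xlsx/pptx ...)."""
from __future__ import annotations

import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Namespace used by every *.rels part in an OOXML package.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def has_vba_project(data: bytes) -> bool:
    """True if the package embeds a VBA project (macros), whatever the extension says."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return any(name.lower().endswith("vbaproject.bin") for name in z.namelist())


def external_relationships(data: bytes) -> list[dict]:
    """Every Relationship in any *.rels part whose Target leaves the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not name.lower().endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                # External mode, a URL scheme, or a UNC path all mean "fetched from elsewhere".
                if mode == "External" or URL_SCHEME.match(target) or target.startswith("\\\\"):
                    hits.append({
                        "part": name,
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],  # e.g. attachedTemplate
                        "target": target,
                    })
    return hits


def triage(data: bytes) -> dict:
    """Combine both checks into one verdict for the document."""
    ext = external_relationships(data)
    vba = has_vba_project(data)
    return {"vba": vba, "external": ext, "suspicious": vba or bool(ext)}


def build_docx(parts: dict[str, str]) -> bytes:
    """Constructed sample: pack part name -> text into an in-memory ZIP package."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, text in parts.items():
            z.writestr(name, text)
    return buf.getvalue()


DOC_XML = "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>"

# Constructed benign document: only an internal relationship to styles.xml.
BENIGN = build_docx({
    "word/document.xml": DOC_XML,
    "word/_rels/settings.xml.rels": (
        f"<Relationships xmlns='{REL_NS}'>"
        "<Relationship Id='rId1' Target='styles.xml' "
        "Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles'/>"
        "</Relationships>"
    ),
})

# Constructed suspicious document: a VBA project despite a .docx name, plus a remote template.
SUSPICIOUS = build_docx({
    "word/document.xml": DOC_XML,
    "word/vbaProject.bin": "constructed placeholder, not a real VBA project",
    "word/_rels/settings.xml.rels": (
        f"<Relationships xmlns='{REL_NS}'>"
        f"<Relationship Id='rId1' Type='{ATTACHED_TEMPLATE}' "
        "Target='http://templates.example/letterhead.dotm' TargetMode='External'/>"
        "</Relationships>"
    ),
})

if __name__ == "__main__":
    for label, doc in (("benign.docx", BENIGN), ("invoice.docx", SUSPICIOUS)):
        print(label, triage(doc))
```

The script reads the package purely as a ZIP, so it works on a renamed .docx as well as a .docm, and a document that embeds vbaProject.bin is flagged even though nothing in its name suggests macros.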
Metadata
Malicious Documents
You can use oletools (cross-platform) to investigate malicious documents. Office documents are ZIP packages, so they can also be unzipped manually with any archiver and inspected part by part.