Office Documents

Created: 28.07.2022

File Structure

Macros

A letter m at the end of the extension (for example .docm) means the document contains macros. The converse does not hold: a document with macros inside does not always have a different extension.

oleid <docname> # summary of the file: format, encryption, presence of VBA macros and OLE objects
oleobj <docname> # list and extract embedded OLE objects

oledump.py -s 3 --vbadecompresscorrupt report.docm # dump stream 3 and decompress its VBA source, tolerating corrupted compression

olevba <docname> # extract the macro source from the doc

Templates

Another way an Office document can be abused is through remote templates. You can see many legitimate templates in the Word GUI when you open the program without opening any file. Unzip the document, open the _rels folder and the settings.xml.rels file, and check the Relationship tag and its Target attribute. Inspect the link to decide whether the document is malicious.
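As an added example (not part of the original note), the same check done with Python's standard library: it reads word/_rels/settings.xml.rels from the zip container and reports every attachedTemplate relationship whose Target is external. The package it inspects is a constructed minimal stand-in built in memory, and the template URL in it is a hypothetical placeholder.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship type Word uses to link a document to its attached template
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
RELS_PATH = "word/_rels/settings.xml.rels"


def find_remote_templates(doc_bytes: bytes) -> List[str]:
    """Return the Target of each attachedTemplate relationship in
    settings.xml.rels that points outside the package (TargetMode=External)."""
    remote = []
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        if RELS_PATH not in zf.namelist():
            return remote  # settings.xml has no relationships: no template link
        root = ET.fromstring(zf.read(RELS_PATH))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if (rel.get("Type") == TEMPLATE_TYPE
                    and rel.get("TargetMode") == "External"):
                remote.append(rel.get("Target", ""))
    return remote


def build_sample_docx(template_target: Optional[str]) -> bytes:
    """Constructed minimal .docx-like zip for testing; not a real Word file.
    When template_target is given, an external attachedTemplate link is added."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if template_target is not None:
            rels = (f'<Relationships xmlns="{RELS_NS}">'
                    f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
                    f'Target="{template_target}" TargetMode="External"/>'
                    "</Relationships>")
            zf.writestr(RELS_PATH, rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical placeholder URL, not a real indicator
    sample = build_sample_docx("http://example.invalid/template.dotm")
    for target in find_remote_templates(sample):
        print("external attached template:", target)
```

Run the function on a real .docx/.docm and treat any printed target as something to verify before the file is trusted.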

Metadata

Malicious Documents

You can use oletools (cross-platform) to investigate malicious documents. Office Open XML documents are zip archives, so they can also be unzipped manually with any archiver and inspected by hand.

