I found a sample that is a Word document with an embedded executable. I’ll explain how to extract the embedded executable with my tools.
First I check with file-magic.py:
The identification says Word 2007+, so this is an OOXML document. These are ZIP containers that can be analyzed with zipdump.py to take a look inside:
Stream 6 (oleObject1.bin) is an OLE object that embeds the executable. There’s no need to extract that OLE file from the OOXML container, oledump.py can handle this:
The O indicator for stream A2 tells us that this stream is the OLE data structure embedding the executable.
Selecting this stream and using option -i gives us info about the OLE contained, and the contained file:
This metadata gives you the names of the embedded file and it hashes, allowing me to look it up directly on VirusTotal, for example: 3d5fe12c0aa783252431834ed8e370102f47df65165680824b9287faa88e088a.
The file can also be extracted with option -e:
Malicious Word documents like these don’t execute the embedded file when the document is opened: that requires social engeneering to entice the use to double-click the embedded file.
Didier Stevens
Senior handler
blog.DidierStevens.com
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
Discover more from Cyber GRC Hive
Subscribe to get the latest posts sent to your email.