Maldoc Analysis

Last modified: 2023-08-06


Malicious Documents (.doc) are Microsoft documents contain malicious execution code.

Static Analysis

Extract Files in Doc

unzip example.doc

Find Interesting Information

strings example.doc
exiftool example.doc
binwalk -e example.doc

Additionally, we can use CyberChef. Follow this steps:

  1. Open CyberChef
  2. Upload the suspicious doc file on CyberChef.
  3. Use the "Strings" function to extract strings.
  4. If you found obfuscated strings in the results, add the "Find / Replace" function to remove extra strings.
  5. If necessary, add the "Drop bytes" function to remove extra bytes.

Dump Macros

If you don’t have oletools, install it first.

# Install `oletools` module
python -m ven venv
source venv/bin/activate
pip install oletools

To dump macros, run the following command.

olevba -c example.doc