{"id":286,"date":"2015-12-11T10:17:47","date_gmt":"2015-12-11T10:17:47","guid":{"rendered":"http:\/\/www.herbiez.com\/?p=286"},"modified":"2016-02-23T21:55:13","modified_gmt":"2016-02-23T21:55:13","slug":"damn-malicious-word-docs","status":"publish","type":"post","link":"https:\/\/www.herbiez.com\/?p=286","title":{"rendered":"Damn Malicious Word docs – Part 1"},"content":{"rendered":"

So the purpose of this post is because I could not remember how to extract the script from a malicious Word document. Damn old age and lack of coffee!<\/p>\n

Like anyone in a SOC role, you most likely get a lot of emails sent to you (or your distro) for odd\/weird\/humorous emails that people are not sure about. It is up to you and the team in the SOC to figure out if the email is malicious or not. So yesterday someone sent in an email from someone else saying that they would like to work for the company and that they sent over their resume. The email looked something like this:<\/p>\n

\r\n\tSender:\torinda_didonatis_1968@rambler.ru\r\n\tRecipient: \r\n\tFrom:\torinda_didonatis_1968@rambler.ru\r\n\tDate:\t10 Dec. 2015, 08:56:37\r\n\tSubject:\tJob\r\n\r\n\tHiya\r\n\tI saw your website and I'm very interested in applying for a job.\r\n\tPossibily even an unpaid internship.\r\n\r\n\tPlease see my resume.\r\n\r\n\tSincerely,\r\n\tOrinda Didonatis\r\n\t<\/pre>\n
The resume.doc file has the following characteristics:<\/p>\n
MD5: 3b4914287915f961ccc6e3b6eb2631c8
\nSHA256: 85e115ed733bc8543b4517a754cd7b8d74381f38d24e41cc25811f545a0d3c9a
\nFile size: 53KB
\nVirusTotal: http:\/\/www.virustotal.com\/en\/file\/85e115ed733bc8543b4517a754cd7b8d74381f38d24e41cc25811f545a0d3c9a\/analysis\/<\/a>
\nFirst Submission: 2015-12-10 16:22:19 UTC
\nDetection ratio: 4 \/ 55<\/p>\n
So we know that this is definitely a malicious doc. Now to what lead me to write this blog – remembering how to get the script out of the Word document. Please note that way smarter people have talked about this. An example of one of them can be found here via this Sans post<\/a>.<\/p>\n
The easiest way for me is to just extract the Word doc since it is kind of like an archive and tools like 7Zip can extract it out. Once you do that, you should be able to see all the different folders:<\/p>\n
\"Files<\/a>
Files extracted from the word document<\/p><\/div>\n
Now just browse to the folder called “word” and you should see the file called “vbaProject.bin.” From here fire up OfficeMalScanner and run the following command:<\/p>\n
\r\n\tC:\\Users\\Administrator\\Desktop\\Tools\\OfficeMalScanner&gt;OfficeMalScanner.exe  info<\/pre>\n
What you should see is the following:<\/p>\n
\"OfficeMalScanner<\/a>
OfficeMalScanner creating the script from the bin file<\/p><\/div>\n
Now that you have extracted out the script, you can start working on it, cleaning it up, and developing your IOCs and such. Since we have already blocked the callbacks from this malicious word doc, I will have to continue this blog post once I get home and can play with it in the lab at home. Till then. Enjoy!<\/p>\n","protected":false},"excerpt":{"rendered":"
So the purpose of this post is because I could not remember how to extract the script from a malicious Word document. Damn old age and lack of coffee! Like anyone in a SOC role, you most likely get a lot of emails sent to you (or your distro) for odd\/weird\/humorous emails that people are not sure about. It is up to you and the team in the SOC to figure out if the email is malicious or not. So yesterday someone sent in an email from someone else saying that they would like to work for the company and…<\/p>\n
 Continue reading<\/span><\/i><\/a> <\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-286","post","type-post","status-publish","format-standard","hentry","category-packet-analysis"],"_links":{"self":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/286","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=286"}],"version-history":[{"count":8,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/286\/revisions"}],"predecessor-version":[{"id":297,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=\/wp\/v2\/posts\/286\/revisions\/297"}],"wp:attachment":[{"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=286"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=286"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.herbiez.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=286"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}