Maldoc Analysis

Malicious Documents (.doc) are Microsoft documents contain malicious execution code.

Static Analysis

Extract Files in Doc

unzip example.doc

Find Interesting Information

strings example.doc
exiftool example.doc
binwalk -e example.doc

Additionally, we can use CyberChef. Follow this steps:

1. Open CyberChef
2. Upload the suspicious doc file on CyberChef.
3. Use the "Strings" function to extract strings.
4. If you found obfuscated strings in the results, add the "Find / Replace" function to remove extra strings.
5. If necessary, add the "Drop bytes" function to remove extra bytes.

Dump Macros

If you don’t have oletools, install it first.

# Install `oletools` module
python -m ven venv
source venv/bin/activate
pip install oletools

To dump macros, run the following command.

olevba -c example.doc