Analyzing Malicious Documents Cheat Sheet

This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF, and PDF files. To print it, use the one-page PDF version; you can also edit the Word version to customize it for you own needs.

General Approach to Document Analysis

  1. Examine the document for anomalies, such as risky tags, scripts, and embedded artifacts.
  2. Locate embedded code, such as shellcode, macros, JavaScript, or other suspicious objects.
  3. Extract suspicious code or objects from the file.
  4. If relevant, deobfuscate and examine macros, JavaScript, or other embedded code.
  5. If relevant, emulate, disassemble and/or debug shellcode that you extracted from the document.
  6. Understand the next steps in the infection chain.

Microsoft Office Format Notes

  • Binary Microsoft Office document files (.doc, .xls, etc.) use the OLE2 (a.k.a. Structured Storage) format.
  • SRP streams in OLE2 documents sometimes store a cached version of earlier VBA macro code.
  • OOXML document files (.docx, .xlsm, etc.) supported by Microsoft Office are compressed zip archives.
  • VBA macros in OOXML documents are stored inside an OLE2 binary file, which is within the zip archive.
  • Excel supports XLM macros that are embedded as formulas in sheets without the OLE2 binary file.
  • RTF documents don't support macros but can contain malicious embedded files and objects.

Useful Microsoft Office File Analysis Commands

zipdump.py file.pptxExamine contents of OOXML file file.pptx.
zipdump.py file.pptx -s 3 -dExtract file with index 3from file.pptx to STDOUT.
olevba file.xlsmLocate and extract macros from file.xlsm.
oledump.py file.xls -iList all OLE2 streams present in file.xls.
oledump.py file.xls -s 3 -vExtract VBA source code from stream 3 in file.xls.
xmldump.py prettyFormat XML file supplied via STDIN for easier analysis.
oledump.py file.xls -p plugin_http_heuristicsFind obfuscated URLs in file.xls macros.
vmonkey file.docEmulate the execution of macros in file.doc to analyze them.
evilclippy -uu file.pptRemove the password prompt from macros in file.ppt.
msoffcrypto-tool infile.docm outfile.docm -pDecrypt outfile.docm using specified password to create outfile.docm.
pcodedmp file.docDisassemble VBA-stomped 
p-code macro from file.doc.
pcode2code file.docDecompile VBA-stomped 
p-code macro from file.doc.
rtfobj.py file.rtfExtract objects embedded into RTF file.rtf.
rtfdump.py file.rtfList groups and structure of RTF file file.rtf.
rtfdump.py file.rtf -OExamine objects in RTF file file.rtf.
rtfdump.py file.rtf -s 5 -H -dExtract hex contents from group in RTF file file.rtf.
xlmdeobfuscator --file file.xlsmDeobfuscate XLM (Excel 4) macros in file.xlsm.

Risky PDF Keywords

  • /OpenAction and /AA specify the script or action to run automatically.
  • /JavaScript, /JS, /AcroForm, and /XFA can specify JavaScript to run.
  • /URI accesses a resource by its URL, perhaps for phishing.
  • /SubmitForm and /GoToR can send data to URL.
  • /RichMedia can be used to embed Flash in a PDF.
  • /ObjStm can hide objects inside an object stream.
  • /XObject can embed an image for phishing.
  • Be mindful of obfuscation with hex codes, such as /JavaScript vs. /J#61vaScript. (See examples.)

Useful PDF File Analysis Commands

pdfid.py file.pdf -nDisplay risky keywords present in file file.pdf.
pdf-parser.py file.pdf -aShow stats about keywords. Add “-O” to include object streams.
pdf-parser.py file.pdf -o idDisplay contents of object id. Add “-d” to dump object’s stream.
pdf-parser.py file.pdf -r idDisplay objects that reference object id.
qpdf --password=pass --decrypt infile.pdf outfile.pdfDecrypt infile.pdf using password pass to create outfile.pdf.

Shellcode and Other Analysis Commands

xorsearch -W -d 3 file.binLocate shellcode patterns inside the binary file file.bin.
scdbgc /f file.binEmulate execution of shellcode in file.bin. Use “/off” to specify offset.
runsc32 -f file.bin-nExecute shellcode in file.bin to observe behavior in an isolated lab.
base64dump.py file.txtList Base64-encoded strings present in file file.txt.
numbers-to-string.py fileConvert numbers that represent characters in file to a string.

 Additional Document Analysis Tools

  • SpiderMonkeycscript, and box-js help deobfuscate JavaScript that you extract from document files.
  • Use the debugger built into Microsoft Office to deobfuscate macros in an isolated lab.
  • Use AMSIScriptContentRetrieval.ps1 to observe Microsoft Office execute macros in an isolated lab.
  • Some automated analysis sandboxes can analyze aspects of malicious document files.
  • REMnux distro includes many of the free document analysis tools mentioned above.

Post-Scriptum

Special thanks for feedback to Pedro Bueno and Didier Stevens. If you have suggestions for improving this cheat sheet, please let me know. Creative Commons v3 "Attribution" License for this cheat sheet version 4.1.

Updated July 22, 2021
Lenny Zeltser

Did you like this?

Follow me for more of the good stuff.

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more