Analyzing Malicious Documents Cheat Sheet

This cheat sheet outlines tips and tools for analyzing malicious documents, such as Microsoft Office, RTF, and PDF files. To print it, use the one-page PDF version; you can also edit the Word version to customize it for you own needs.

General Approach to Document Analysis

  1. Examine the document for anomalies, such as risky tags, scripts, and embedded artifacts.
  2. Locate embedded code, such as shellcode, macros, JavaScript, or other suspicious objects.
  3. Extract suspicious code or objects from the file.
  4. If relevant, deobfuscate and examine macros, JavaScript, or other embedded code.
  5. If relevant, emulate, disassemble and/or debug shellcode that you extracted from the document.
  6. Understand the next steps in the infection chain.

Microsoft Office Format Notes

  • Binary Microsoft Office document files (.doc, .xls, etc.) use the OLE2 (a.k.a. Structured Storage) format.
  • SRP streams in OLE2 documents sometimes store a cached version of earlier VBA macro code.
  • OOXML document files (.docx, .xlsm, etc.) supported by Microsoft Office are compressed zip archives.
  • VBA macros in OOXML documents are stored inside an OLE2 binary file, which is within the zip archive.
  • Excel supports XLM macros that are embedded as formulas in sheets without the OLE2 binary file.
  • RTF documents don't support macros but can contain malicious embedded files and objects.

Useful Microsoft Office File Analysis Commands

zipdump.py file.pptxExamine contents of OOXML file file.pptx.
zipdump.py file.pptx -s 3 -dExtract file with index 3from file.pptx to STDOUT.
olevba file.xlsmLocate and extract macros from file.xlsm.
oledump.py file.xls -iList all OLE2 streams present in file.xls.
oledump.py file.xls -s 3 -vExtract VBA source code from stream 3 in file.xls.
xmldump.py prettyFormat XML file supplied via STDIN for easier analysis.
oledump.py file.xls -p plugin_http_heuristicsFind obfuscated URLs in file.xls macros.
vmonkey file.docEmulate the execution of macros in file.doc to analyze them.
evilclippy -uu file.pptRemove the password prompt from macros in file.ppt.
msoffcrypto-tool infile.docm outfile.docm -pDecrypt outfile.docm using specified password to create outfile.docm.
pcodedmp file.docDisassemble VBA-stomped 
p-code macro from file.doc.
pcode2code file.docDecompile VBA-stomped 
p-code macro from file.doc.
rtfobj.py file.rtfExtract objects embedded into RTF file.rtf.
rtfdump.py file.rtfList groups and structure of RTF file file.rtf.
rtfdump.py file.rtf -OExamine objects in RTF file file.rtf.
rtfdump.py file.rtf -s 5 -H -dExtract hex contents from group in RTF file file.rtf.
xlmdeobfuscator --file file.xlsmDeobfuscate XLM (Excel 4) macros in file.xlsm.

Risky PDF Keywords

  • /OpenAction and /AA specify the script or action to run automatically.
  • /JavaScript, /JS, /AcroForm, and /XFA can specify JavaScript to run.
  • /URI accesses a resource by its URL, perhaps for phishing.
  • /SubmitForm and /GoToR can send data to URL.
  • /RichMedia can be used to embed Flash in a PDF.
  • /ObjStm can hide objects inside an object stream.
  • /XObject can embed an image for phishing.
  • Be mindful of obfuscation with hex codes, such as /JavaScript vs. /J#61vaScript. (See examples.)

Useful PDF File Analysis Commands

pdfid.py file.pdf -nDisplay risky keywords present in file file.pdf.
pdf-parser.py file.pdf -aShow stats about keywords. Add “-O” to include object streams.
pdf-parser.py file.pdf -o idDisplay contents of object id. Add “-d” to dump object’s stream.
pdf-parser.py file.pdf -r idDisplay objects that reference object id.
qpdf --password=pass --decrypt infile.pdf outfile.pdfDecrypt infile.pdf using password pass to create outfile.pdf.

Shellcode and Other Analysis Commands

xorsearch -W -d 3 file.binLocate shellcode patterns inside the binary file file.bin.
scdbgc /f file.binEmulate execution of shellcode in file.bin. Use “/off” to specify offset.
runsc32 -f file.bin-nExecute shellcode in file.bin to observe behavior in an isolated lab.
base64dump.py file.txtList Base64-encoded strings present in file file.txt.
numbers-to-string.py fileConvert numbers that represent characters in file to a string.

 Additional Document Analysis Tools

  • SpiderMonkeycscript, and box-js help deobfuscate JavaScript that you extract from document files.
  • Use the debugger built into Microsoft Office to deobfuscate macros in an isolated lab.
  • Use AMSIScriptContentRetrieval.ps1 to observe Microsoft Office execute macros in an isolated lab.
  • Some automated analysis sandboxes can analyze aspects of malicious document files.
  • REMnux distro includes many of the free document analysis tools mentioned above.

Post-Scriptum

Special thanks for feedback to Pedro Bueno and Didier Stevens. If you have suggestions for improving this cheat sheet, please let me know. Creative Commons v3 "Attribution" License for this cheat sheet version 4.1.

Updated

About the Author

Lenny Zeltser develops products and programs that use security to achieve business results. He is the CISO at Axonius and Faculty Fellow at SANS Institute. Lenny has been leading efforts to establish resilient security practices and solve hard security problems for over two decades. A respected author and practitioner, he has been advancing tradecraft and contributing to the community. His insights build upon real-world experience, a Computer Science degree from the University of Pennsylvania, and an MBA degree from MIT Sloan.

Learn more