Tools: oledump.py, YARA.
NVISO blog post: Detecting DDE in MS Office documents
ISC diary entry: DDE and oledump
malware
tshark & Malware Analysis
Decoding a Payload Using a Dynamic XOR Key
Tool: XORSelection.1sc
Sample: 8f4654952833b7d7b7db02ca7cb6c2f6cb9c3c545dc51124b0f18588b3c4e1c0
Blog post: Update: XORSelection.1sc Version 6.0
If you want to skip the part explaining my script XORSelection, you can jump directly to the dynamic XOR-key explanation.
Doc & RTF Malicious Document
CyberChef: Analyzing OOXML Files for URLs
Tools: CyberChef
CyberChef Recipe: here
Sample: f84b3a056abcbcfd5976afe8776a35c5894b379e65c411ddc421941d3a2a4b8b
ISC diary entry: Doc & RTF Malicious Document
Maldoc Analysis With CyberChef
Tools: CyberChef
Sample: 969ff75448ea54feccc0d5f652e00172af8e1848352e9a5877d705fc97fa0238
ISC diary entry: Maldoc Analysis With CyberChef
Analyzing FireEye Maldocs
Tools: oledump.py, numbers-to-string.py
Sample: 41b70737fa8dda75d5e95c82699c2e9b
ISC diary entry: Analyzing FireEye Maldocs
Decrypting With translate.py
Tools: base64dump.py, translate.py
Blog post: Decrypting With translate.py
ISC diary entry: Decrypting PowerShell Payloads (video)
Example script: https://pastebin.com/QUGiWTHj
Cracking Maldoc VBA Project Passwords
Tools: oledump.py
Blog post: Cracking VBA Project Passwords
ISC Diary Entry: Cracking Maldoc VBA Project Passwords
YARA’s BASE64 Strings
ISC Diary Entry: YARA’s BASE64 Strings
