SANS Digital Forensics and Incident Response Blog: Tag - office

How to Extract Flash Objects From Malicious MS Office Documents

Authors of malicious Microsoft Office document can execute code on the victim's system using several techniques, including VB macros and exploits. Another approach, which has been growing in popularity, involves embedded Flash programs in the Office document. These Flash programs can download or directly incorporate additional malicious code without the victim's knowledge. This note demonstrates several steps for extracting malicious Flash objects from Microsoft Office document files, so you can analyze them. We take a brief look at using strings, Pyew, hachoir-subfile, and tools for this purpose. Continue reading How to Extract Flash Objects From Malicious MS Office Documents

Office 2007 Metadata

Metadata information from documents can be a great source of information for investigators and it's value has often been discussed before. Documents created using Microsoft Office often come up during investigations. There are several scripts and tools out there to read the proprietary binary format of Office documents created using Office 2003 and earlier versions so there is not more to add to those tools. Yet there aren't that many tools out there that can list the metadata information from the new format that Office 2007 uses, OpenXML. So I decided to examine it a bit further.

Microsoft has already published a good enough document describing the structure of OpenXML [1]. Essentially a document created in the OpenXML document format is a compressed file, using the well known ZIP


Application Metadata of Nested Documents

by John McCash

I was drawn to consider someting by a question on a certification practical exam I recently took. The problem had been presented as "find the specified text in the supplied disk image". However the text actually turned out to be viewable in a jpeg file which was nested inside a Word document. Once I'd found the text, the question was essentially answered, but then I started thinking about extraction options and the origins of that JPEG file.

I recalled a tool I'd recently discovered thanks to traffic on the GCFA mailing list, hachoir-subfile. The original email context was about using this tool to extract executable objects from PPS files, but it turns out that it works equally well to extract .jpg files. I had always assumed that when image files were incorporated into MS Office documents, they were somehow re-encoded,