From Collaborative RCE Tool Library

Jump to: navigation, search

OfficeMalScanner

Tool name: OfficeMalScanner
Rating: 0.0 (0 votes)
Author: Frank Boldewin                        
Website: http://www.reconstructer.org
Current version: v0.51
Last updated: February 5, 2010
Direct D/L link: Locally archived copy
License type: Free
Description: OfficeMalScanner v0.51 is a Ms Office forensic tool to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams. Found files are being extracted to disk. It supports disassembly and hexview as well as an easy brute force mode to detect encrypted files. Next to this, an office file is being scanned for VB-macro code and if found, it will be extracted for further analysis. The "inflate" feature extracts Ms Office 2007 documents into a directory and marks potentially malicious files. Also included in this package is a tool called MalHost-Setup, some kind of MS Office runtime emulation environment to debug shellcode in malicious documents in realtime.
Related URLs:
First Whitepaper:
http://www.reconstructer.org/papers/Analyzing%20MSOffice%20malware%20with%20OfficeMalScanner.zip
OfficeMalScanner Suite:
http://www.reconstructer.org/code/OfficeMalScanner.zip
Hack.lu 2009 Talk - Introducing new features in version 0.5:
http://archive.hack.lu/2009/New%20advances%20in%20Ms%20Office%20malware%20analysis.pdf


Screenshot:
Screenshot of OfficeMalScanner


RSS feed Feed containing all updates for this tool.

You are welcome to add your own useful notes about this tool, for others to see!



If you find that any information for the tool above is missing, outdated or incorrect, please edit it!
(please also edit it if you think it fits well in some additional category, since this can also be controlled)


Views
Category Navigation Tree
   Code Coverage Tools  (13)
   Code Ripping Tools  (2)
   Helper Tools  (3)
   Hex Editors  (13)
   Memory Patchers  (7)
   Packers  (20)
   Profiler Tools  (11)
   String Finders  (10)
   Tool Hiding Tools  (7)
   Tracers  (22)
   Needs New Category  (3)