I updated oledump to handle a new type of malicious document: an XML file, not with VBA macros, but with an embedded OLE object that is a VBS file.
And the man page is finished. Run oledump.py -m to view the man page.
The sample I’m using here is 078409755.doc (B28EF236D901A96CFEFF9A70562C9155). The extension is .doc, but it is an XML file, not an OLE file.
The XML file contains an OLE file with 1 stream.
Let’s take a look inside the stream:
Byte 0x78 could be the start of a ZLIB compressed data stream. Let’s checks this with option –decompress:
It is indeed ZLIB compressed, and the decompressed data seems to be another OLE file (D0 CF 11 E0).
So let’s pipe this decompressed OLE file into a second instance of oledump:
This OLE file contains an embedded object (Ole10Native). Let’s have a look:
It seems to be a .VBS file. Let’s have a look:
So this looks like VB Script with base64 strings. Let’s try to decode them with a plugin:
So now it’s clear what this maldoc does: launch PowerShell, download a file and store it as a .cab file in a temporary folder. Expand the downloaded .cab file to an .exe file, and then launch the .exe file. In other words, it is a downloader.