Didier Stevens

Tuesday 31 October 2017

Analyzing A Malicious Document Cleaned By Anti-Virus

Filed under: maldoc,Malware — Didier Stevens @ 0:00

@futex90 shared a sample with me detected by many anti-virus programs on VirusTotal but, according to oledump.py, without VBA macros:

I’ve seen this once before: this is a malicious document that has been cleaned by an anti-virus program. The macros have been disabled by orphaning the streams containing macros, just like when a file is deleted from a filesystem, it’s the index that is deleted but not the content. FYI: olevba will find macros.

Using the raw option, it’s possible to extract the macros:

I was able to find back the original malicious document: f52ea8f238e57e49bfae304bd656ad98 (this sample was analyzed by Talos).

The anti-virus that cleaned this file, just changed 13 bytes in total to orphan the macro streams and change the storage names:

This can be clearly seen using oledir:



  1. Nice article. But where to get diffdump.py from?

    Comment by Nick — Tuesday 31 October 2017 @ 14:55

  2. […] Analyzing A Malicious Document Cleaned By Anti-Virus […]

    Pingback by Overview of Content Published In October | Didier Stevens — Wednesday 1 November 2017 @ 0:00

  3. It’s a work in progress, if you want to take a look, it’s in my beta GitHub: https://github.com/DidierStevens/Beta

    Comment by Didier Stevens — Wednesday 1 November 2017 @ 19:57

  4. Thanks Didier. I was looking long time for such a tool!

    Comment by Nick — Thursday 2 November 2017 @ 5:23

  5. Radare2 can do diffing: http://radare.today/posts/binary-diffing/

    Comment by Didier Stevens — Friday 3 November 2017 @ 8:34

  6. […] This new version of oledump.py detects and analyses orphaned streams. More info on orphaned streams can be found in this blogpost. […]

    Pingback by Update: oledump.py Version 0.0.30 | Didier Stevens — Monday 6 November 2017 @ 0:00

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.