OfficeMalScanner
Description
OfficeMalScanner is a MS Office forensic framework to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams.
It is composed of the following tools:
Name | Description |
---|---|
DisView | DisView is a disassembler. When OfficeMalScanner is run with "scan debug", it shows only a truncated portion of the code around each finding; DisView disassembles more code from a given offset to help in the analysis. |
MalHost-Setup | MalHost-Setup wraps the shellcode found at a given offset of an Office document into a standalone executable so that it can be run and debugged. You can identify the offset with OfficeMalScanner, using "scan debug". |
OfficeMalScanner | OfficeMalScanner is a MS Office forensic tool to scan for malicious traces, like shellcode heuristics, PE-files or embedded OLE streams. |
RTFScan | RTFScan is a tool which has similar features to OfficeMalScanner but for RTF documents. |
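To make the kind of "malicious traces" listed above concrete, here is an added example (not OfficeMalScanner's own code, whose signatures and scoring are not reproduced here) that scans a byte buffer for three of them: an OLE compound document header, an embedded PE file validated through the DOS header's e_lfanew pointer, and two well-known shellcode idioms (PEB access via fs:[30h] and the call $+5 / pop GetEIP trick). The sample document it scans is constructed inline and is not a real malicious file.

```python
import re
import struct

# Signatures used by this example. They are a small, hand-picked subset;
# a real scanner carries many more patterns and also tries XOR/ADD-obfuscated payloads.
OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"   # compound (OLE2) document header
PE_SIGNATURE = b"PE\x00\x00"

SHELLCODE_HEURISTICS = {
    # mov eax/ebx/ecx/edx, fs:[0x30]: reading the PEB pointer, typical of
    # position-independent code that resolves APIs without an import table
    "PEB access (fs:[30h])": re.compile(
        rb"\x64(?:\xA1|\x8B\x1D|\x8B\x0D|\x8B\x15)\x30\x00\x00\x00"),
    # call $+5 immediately followed by pop reg: the classic GetEIP trick
    "GetEIP (call $+5 / pop)": re.compile(rb"\xE8\x00\x00\x00\x00[\x58-\x5F]"),
}


def find_all(data, needle):
    """Offsets of every occurrence of needle in data (overlapping matches included)."""
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def find_pe_headers(data):
    """Offsets of MZ headers whose e_lfanew (DOS header offset 0x3C) really points at 'PE\\0\\0'.

    Checking the PE signature avoids flagging every stray "MZ" in text or random data.
    """
    hits = []
    for pos in find_all(data, b"MZ"):
        if pos + 0x40 > len(data):          # not even a full DOS header left
            continue
        e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
        pe_off = pos + e_lfanew
        if 0x40 <= e_lfanew < 0x1000 and data[pe_off:pe_off + 4] == PE_SIGNATURE:
            hits.append(pos)
    return hits


def scan_for_traces(data):
    """Return a sorted list of (offset, description) findings for the buffer."""
    findings = [(off, "OLE compound document header") for off in find_all(data, OLE_MAGIC)]
    findings += [(off, "embedded PE file") for off in find_pe_headers(data)]
    for name, pattern in SHELLCODE_HEURISTICS.items():
        findings += [(m.start(), name) for m in pattern.finditer(data)]
    return sorted(findings)


def build_sample():
    """Constructed test document: filler, an OLE header, a minimal MZ/PE stub and two shellcode stubs.

    This is synthetic data assembled for the example, not a real Office file.
    """
    ole = OLE_MAGIC + b"\x00" * 24
    pe_stub = bytearray(b"MZ" + b"\x00" * 0x3E)     # 0x40-byte DOS header
    struct.pack_into("<I", pe_stub, 0x3C, 0x40)     # e_lfanew -> right after the DOS header
    pe_stub += PE_SIGNATURE + b"\x00" * 20
    shellcode = (b"\xE8\x00\x00\x00\x00\x58"         # call $+5 ; pop eax
                 b"\x64\xA1\x30\x00\x00\x00")        # mov eax, fs:[0x30]
    return b"A" * 100 + ole + b"B" * 50 + bytes(pe_stub) + b"C" * 30 + shellcode


if __name__ == "__main__":
    for offset, what in scan_for_traces(build_sample()):
        print(f"offset 0x{offset:06X}: {what}")
```

The findings are reported with their offsets because that is exactly what you feed to DisView (to disassemble around a shellcode hit) or to MalHost-Setup (to wrap the shellcode at that offset in an executable). Byte-pattern heuristics like these produce false positives on compressed or random data, so treat a hit as a lead to disassemble, not as a verdict.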
Installation
- OfficeMalScanner can be downloaded from the official website: http://www.reconstructer.org/code/OfficeMalScanner.zip
- Uncompress it into the directory of your choice (e.g. C:\tools\officemalscanner\)
Note
OfficeMalScanner is intended to be used from the command line.