What is OfficeMalScanner – Microsoft Office Malware Scanner
“OfficeMalScanner”, the Microsoft Office Malware Scanner, is yet another tool (and part of the OfficeMalScanner toolkit) for scanning Microsoft Office document files for malicious macros (VBA) and embedded Portable Executable (PE) files. The tool is suitable for scanning files of Microsoft Word (*.doc, *.docx), Microsoft Excel (*.xls, *.xlsx) and Microsoft PowerPoint (*.ppt, *.pptx). The toolkit also includes “RTFScan”, which scans RTF structured documents for exploit attempts, “MalHost-Setup”, which isolates the PE shellcode from the regular Microsoft Office activity to make malware analysis easier, and “DisView”, which is great for disassembling the code found in Office files.
In addition to the “OfficeMalScanner” tool, you can check our oledump python tool usage guide, our python oletools setup and usage guide and the script that can reveal hidden Excel Sheets ExcelSheetUnhide Powershell script usage and examples for more Microsoft Office Malware Analysis options.
“OfficeMalScanner” – Microsoft Malware Scanner – Usage
A general note for any forensics tool: run it in a VM environment.
1. Download the latest version of the “OfficeMalScanner” toolkit by Frank Boldewin.
*** The above is a direct link to the toolkit that is hosted on GitHub. You can also navigate to the OfficeMalScanner main page, but it seems not to have been updated for some time. You can also check the OfficeMalScanner reconstructer.org GitHub page.
2. Extract the package from the archive.
3. Open a Command Prompt and execute “OfficeMalScanner”:
This will show you the help notes and some usage examples of each tool.
OfficeMalScanner and RTFScan Syntax Examples
There are different switches for Microsoft OLE 2 Compound Files (*.doc, *.xls, *.ppt) and Microsoft Office Open XML Format documents (*.docx, *.xlsx, *.pptx). The latter are used by Microsoft Office 2007 and higher.
The “scan” switch applies to Microsoft OLE2 Compound Files (DOC, XLS, PPT) and scans for encrypted PE files and shellcode heuristics. Syntax:
OfficeMalScanner.exe "C:\YourMalicious.xls" scan
For the “scan” switch there are two additional switches available, “brute” and “debug”. “brute” will try to brute force anything encrypted in your document, and “debug” will output the disassembly and hex dump of any heuristic match that is found. Syntax:
OfficeMalScanner.exe "C:\YourMalicious.xls" scan brute
OfficeMalScanner.exe "C:\YourMalicious.xls" scan debug
Or you can simply use them all together to save time:
OfficeMalScanner.exe "C:\YourMalicious.xls" scan brute debug
If there’s a malicious PE file inside the document it will be dumped to a BIN file and you will be shown the exact path of that file. Later you can do more malware analysis on the BIN file. If the output is too big to be read in the Command Prompt, you can redirect the output of the command into a text file:
OfficeMalScanner.exe "C:\YourMalicious.xls" scan brute debug > C:\ScannerOutput.txt
At the end of the “scan” execution you will be told whether something malicious was found. It is also advisable to use the “info” switch as a complementary step for OLE2 Compound Files. The “info” switch dumps the OLE structures and extracts the VBA macro if present, and at the end it shows you where the macro was extracted to. Syntax:
OfficeMalScanner.exe "C:\YourMalicious.xls" info
If your file is in the newer Microsoft Open XML format (DOCX, XLSX, PPTX) then you need to use the “inflate” switch. Since the newer document files are ZIP-compressed XML files and objects, “inflate” will decompress them to a temp folder and show a message if there’s a VBA *.bin file that you should check for possible VBA scripts. Of course you don’t have to use the “inflate” switch for this; you can simply extract the XLSX with 7zip anywhere you want and continue from there. The difference from 7zip is that “inflate” highlights the possible macro files. Syntax:
OfficeMalScanner.exe "C:\YourMalicious.xlsx" inflate
From the output I can understand that my XLSX document was decompressed into the folder:
And, to be exact, it is:
And since it is an Excel file, the “vbaProject.bin” will be in the “xl” folder. So, the full path to the VBA BIN file will be:
You can navigate there to check that it really was extracted. Now, since this BIN file is not in the Microsoft Open XML format (it was extracted from it), we can run the “scan brute debug” switches on it, and after that the “info” switch as well:
OfficeMalScanner.exe "C:\Users\%USER%\AppData\Local\Temp\DecompressedMsOfficeDocument\xl\vbaProject.bin" scan brute debug
OfficeMalScanner.exe "C:\Users\%USER%\AppData\Local\Temp\DecompressedMsOfficeDocument\xl\vbaProject.bin" info
After executing both, it should give us the macro that is stored in the “vbaProject.bin” file.
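The two steps above (pick “scan”/“info” for OLE2 files, “inflate” for Open XML files, then hand the extracted vbaProject.bin back to “scan”/“info”) can be triaged in a few lines. This is an added example written for this guide, not part of the OfficeMalScanner toolkit: it classifies a file by its magic bytes and lists the ZIP members that are themselves OLE2 containers, which is what “inflate” highlights. The sample workbook is constructed in memory and is not a real Excel file.

```python
import io
import zipfile

# Container magic bytes: OLE2 compound files (doc/xls/ppt) get "scan"/"info",
# ZIP-based Office Open XML files (docx/xlsx/pptx) get "inflate".
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"


def container_type(data: bytes) -> str:
    """Classify a document by its leading bytes: 'ole2', 'ooxml' or 'unknown'."""
    if data.startswith(OLE2_MAGIC):
        return "ole2"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def find_ole_parts(data: bytes) -> list:
    """Mimic what "inflate" highlights: every ZIP member that is itself an OLE2
    container (vbaProject.bin or an embedded oleObjectN.bin). Returns
    (member name, reason) pairs; these are the parts to hand to "scan"/"info"."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            with z.open(info) as member:
                head = member.read(len(OLE2_MAGIC))
            if head == OLE2_MAGIC:
                name = info.filename
                reason = "vba-macro" if name.lower().endswith("vbaproject.bin") else "embedded-ole"
                hits.append((name, reason))
    return hits


def build_sample_xlsm() -> bytes:
    """Constructed, minimal macro-enabled workbook: only enough ZIP structure
    (plus fake OLE2 headers) to exercise the checks above; not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", OLE2_MAGIC + b"\x00" * 504)
        z.writestr("xl/embeddings/oleObject1.bin", OLE2_MAGIC + b"\x00" * 504)
        z.writestr("xl/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()
```

Any member reported as "embedded-ole" is worth the same “scan brute debug” treatment as vbaProject.bin, since OfficeMalScanner only understands OLE2 input directly.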
“RTFScan” uses fewer switches, but the usage is exactly the same as with “OfficeMalScanner”. The available switches are “scan” and “scan debug”; the “debug” switch can only be used together with “scan”. So, as in the examples above, it is best to use them both to save time:
RTFScan.exe "C:\YourMalicious.rtf" scan debug