office document analysis and exploitation

Any file with extension .docm, .xlsm etc is a macro embedded file

• zeltser.com/analyzing-malicious-documents/

.xlsm

Using oletools, we can extract macro.

python3 -m pip3 install oletools
olevba FILE.xlsm

.doc

Using Nishang Out-Word.ps1

REQUIREMENT:

• Needs payload

• Needs a Windows system to generate .doc

• /samratashok/nishang/Out-Word.ps1

• NOTE: Need local MS Word installation. Need to disable Defender.

PS> . .\Out-Word.ps1
PS> Out-HTA -Payload "PS_ENCODED_PAYLOAD" -Outputfile FILLE.doc
# file will be saved in Documents

Microsoft Exchange Email

• dafthack/MailSniper

MFA check

• dafthack/MFASweep

office365

• blacklanternsecurity/TREVORspray

OWA office webApp

• search on metasploit