# office document analysis and exploitation

Files with extensions such as `.docm` and `.xlsm` are macro-enabled Office documents, i.e. they can carry embedded macros.

* [zeltser.com/analyzing-malicious-documents/](https://zeltser.com/analyzing-malicious-documents/)

## .xlsm

Using oletools, we can extract the macros.

```bash
python3 -m pip install oletools
olevba FILE.xlsm
```
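A content-based pre-check for the extension rule above, as an added example (not from the original notes and not part of oletools): it uses only the Python standard library to decide whether a file should be handed to `olevba`, regardless of what its extension claims. The function names, the size cap and the sample files are constructed for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy .doc/.xls/.ppt container
CT_PART = "[Content_Types].xml"
MAX_CT_SIZE = 1_000_000                         # assumed cap: skip oversized metadata


def triage(data: bytes) -> dict:
    """Classify an Office file by content, not by its extension."""
    result = {"container": "unknown", "vba_parts": [], "macro_content_type": False}
    if data.startswith(OLE_MAGIC):
        result["container"] = "ole2"            # streams need a real OLE parser
    elif zipfile.is_zipfile(io.BytesIO(data)):
        result["container"] = "zip"
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            result["vba_parts"] = [n for n in names
                                   if n.lower().endswith("vbaproject.bin")]
            if CT_PART in names and zf.getinfo(CT_PART).file_size <= MAX_CT_SIZE:
                ct = zf.read(CT_PART).decode("utf-8", "replace").lower()
                result["macro_content_type"] = ("macroenabled" in ct
                                                or "vbaproject" in ct)
    # Hand the file to olevba when macros are present or cannot be ruled out.
    result["needs_olevba"] = (result["container"] == "ole2"
                              or bool(result["vba_parts"])
                              or result["macro_content_type"])
    return result


def build_sample(macro: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like a workbook, not a real file."""
    main = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml" if macro else
            "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(CT_PART, f'<Types><Override PartName="/xl/workbook.xml" '
                             f'ContentType="{main}"/></Types>')
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("renamed-to.xlsx", build_sample(True)),
                        ("clean.xlsx", build_sample(False)),
                        ("legacy.doc", OLE_MAGIC + b"\x00" * 16)]:
        print(label, triage(blob))
```

Legacy OLE2 files are always flagged because their macro streams cannot be ruled out without parsing the compound file, which is what `olevba` does.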

## .doc

Using Nishang Out-Word.ps1

**REQUIREMENT:**

* Needs payload
* Needs a Windows system to generate .doc
* [/samratashok/nishang/Out-Word.ps1](https://github.com/samratashok/nishang/blob/master/Client/Out-Word.ps1)
* NOTE: Need local MS Word installation. Need to disable Defender.

```powershell
PS> . .\Out-Word.ps1
PS> Out-Word -Payload "PS_ENCODED_PAYLOAD" -OutputFile FILE.doc
# file will be saved in Documents
```

## Microsoft Exchange Email

* [dafthack/MailSniper](https://github.com/dafthack/MailSniper)

## MFA check

* [dafthack/MFASweep](https://github.com/dafthack/MFASweep)

## office365

* [blacklanternsecurity/TREVORspray](https://github.com/blacklanternsecurity/TREVORspray)

## OWA office webApp

* Search on Metasploit


