
I was working on analyzing an infected .doc file and found a reference to an analysis tool called OfficeMalScanner during my research. The website for this software is reconstructer.org. The tool is Windows-only.
The first thing I noticed is that the site doesn't have a valid certificate. The certificate expired in 2016 and the site hasn't been updated since then.
I downloaded the zip anyway. When I transferred the zip file to the Windows test machine, Windows Defender flagged a file inside it as infected and deleted the zip. After disabling Defender I was able to transfer it.
There's not much to this tool and its operation is simple. Open a command prompt, change directory to the extracted folder, and run the executable with the file to analyze followed by the mode (here, info):
>officemalscanner.exe info.doc info
+------------------------------------------+
| OfficeMalScanner v0.62 |
| Frank Boldewin / www.reconstructer.org |
+------------------------------------------+
[*] INFO mode selected
[*] Opening file info.doc
[*] Filesize is 70656 (0x11400) Bytes
[*] Ms Office OLE2 Compound Format document detected
[*] Format type Winword
-----------------------------------
[Scanning for VB-code in INFO.DOC]
-----------------------------------
qnpdfbmqszl
ThisDocument
----------------------------------------------------------------------------
VB-MACRO CODE WAS FOUND INSIDE THIS FILE!
The decompressed Macro code was stored here:
------> \INFO.DOC-Macros
----------------------------------------------------------------------------
We see that there are two VBA module streams with macro code, qnpdfbmqszl and ThisDocument. OfficeMalScanner has kindly decompressed that code and placed it into text files for us, in the INFO.DOC-Macros folder it creates inside the OfficeMalScanner folder.
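The "decompressed Macro code" the tool writes out is the result of applying the MS-OVBA compression algorithm in reverse to each VBA module stream. The following is an added example (not code from the original post or from OfficeMalScanner) that implements that decompression in Python, so the same step can be reproduced on any OS once a module stream has been pulled out of the OLE2 container. The byte string SAMPLE_MODULE_STREAM is a constructed stand-in for a module stream's CompressedContainer, hand-encoded with two copy tokens; it is not taken from the infected document discussed above. The function name and the offset parameter are this example's own.

```python
"""MS-OVBA decompression of a VBA module stream (what OfficeMalScanner dumps as macro text)."""
import struct


def decompress_vba(data: bytes, offset: int = 0) -> bytes:
    """Decompress the MS-OVBA CompressedContainer that starts at data[offset].

    In a real module stream the container begins at the module's text offset
    (MODULEOFFSET record in the VBA 'dir' stream); pass that value as offset.
    """
    if offset >= len(data) or data[offset] != 0x01:
        raise ValueError("no CompressedContainer signature (0x01) at offset %d" % offset)
    pos = offset + 1
    out = bytearray()
    while pos + 2 <= len(data):
        header = struct.unpack_from("<H", data, pos)[0]
        chunk_size = (header & 0x0FFF) + 3            # size includes the 2-byte header
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad CompressedChunkSignature at offset %d" % pos)
        compressed = bool(header & 0x8000)
        chunk_end = min(pos + chunk_size, len(data))
        chunk_start = len(out)                        # DecompressedChunkStart
        pos += 2
        if not compressed:
            # Uncompressed chunk: up to 4096 bytes copied verbatim.
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]                         # one flag bit per token, LSB first
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])             # literal token: one byte
                    pos += 1
                    continue
                if pos + 2 > chunk_end:
                    raise ValueError("truncated copy token at offset %d" % pos)
                token = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                # Copy token: the split between offset and length bits depends on
                # how far into the decompressed chunk we are (MS-OVBA CopyToken Help).
                difference = len(out) - chunk_start
                bit_count = max(4, (difference - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                back = (token >> (16 - bit_count)) + 1
                if back > difference:
                    raise ValueError("copy token reaches before chunk start")
                for _ in range(length):               # byte-by-byte so overlaps work
                    out.append(out[len(out) - back])
    return bytes(out)


# Constructed sample (not from a real document): one compressed chunk encoding
#   Sub AutoOpen()\r\nEnd Sub\r\nSub AutoClose()\r\nEnd Sub\r\n
# Token 0xC005 copies "Sub Auto" from 25 bytes back; 0x6406 copies "End Sub\r\n"
# from 26 bytes back.
SAMPLE_MODULE_STREAM = bytes([
    0x01,                                      # CompressedContainer signature
    0x2A, 0xB0,                                # header: size 45, signature 0b011, compressed
    0x00, *b"Sub Auto",                        # 8 literals
    0x00, *b"Open()\r\n",                      # 8 literals
    0x00, *b"End Sub\r",                       # 8 literals
    0x02, *b"\n", 0x05, 0xC0, *b"Close(",      # literal, copy token, 6 literals
    0x08, *b")\r\n", 0x06, 0x64,               # 3 literals, copy token
])


def sample_macro_text() -> str:
    """Decompress the constructed sample and return it as text."""
    return decompress_vba(SAMPLE_MODULE_STREAM).decode("latin-1")


if __name__ == "__main__":
    print(sample_macro_text())
```

To use this on a real file, extract the module streams (under the VBA storage of the document's OLE2 container) with any CFB reader, read each module's text offset from the dir stream, and call decompress_vba on the stream bytes with that offset; the output is the same source text OfficeMalScanner writes into its -Macros folder.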
That’s it! No further analysis can be done with this tool. After going through this process, I can’t recommend this software.
The expired certificate on reconstructer.org is the first red flag. There is no hash for the download either, so you really have no idea what you're getting. The downloaded zip set off Windows Defender, which isn't conclusive on its own, but it is another red flag.
OfficeMalScanner is very basic. It managed to extract the macro code for me in the above example, but it can't do anything else. I can't see any reason to use OfficeMalScanner unless a Windows system is all you have access to.