Viper Modules - Office

This follows on from the post detailing the basic usage of Viper. If you have not read that post, I would start there.

An index of all the modules can be found here.

Office

The office module is designed to extract metadata and stream information from a variety of Office formats. As before, this post will showcase the analysis features of Viper, this time with Office documents.

Viper is capable of reading most Office types. This includes OLE and Open Office formats as well as the new, talked-about XML MSO and MHT file formats.
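As an added example (not part of Viper or of the original post), the container kinds named above can be told apart from their leading bytes before deciding which options apply. The function name, result fields and sample documents are constructed for illustration, and "Office 07+" is assumed to mean the ZIP-based OOXML package.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE2 compound file signature

def classify_office(data: bytes) -> dict:
    """Hypothetical helper: name the container and, for OOXML, list its parts."""
    result = {"type": "unknown", "parts": [], "has_vba": None}
    # Text-based formats may start with a UTF-8 BOM or blank lines.
    head = data[:4096].lstrip(b"\xef\xbb\xbf \t\r\n")
    if data.startswith(OLE_MAGIC):
        result["type"] = "ole"        # Office 97-2003 binary (.doc/.xls/.ppt)
    elif data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return result             # truncated or damaged archive
        if "[Content_Types].xml" in names:
            result["type"] = "ooxml"  # Office 2007+ package
            result["parts"] = names
            # Macro-enabled packages carry the VBA project as an embedded OLE part.
            result["has_vba"] = any(
                n.lower().endswith("vbaproject.bin") for n in names)
    elif head[:13].lower() == b"mime-version:":
        result["type"] = "mht"        # MIME HTML saved with an Office extension
    elif head.startswith(b"<?xml") and b"<?mso-application" in head:
        result["type"] = "xml"        # flat Word/Excel 2003 XML
    return result

def build_sample_docm() -> bytes:
    """Constructed sample: a minimal macro-enabled package with placeholder bodies."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", OLE_MAGIC)
    return buf.getvalue()

if __name__ == "__main__":
    samples = {  # constructed inputs, not real documents
        "old.doc": OLE_MAGIC + b"\x00" * 504,
        "macro.docm": build_sample_docm(),
        "saved.mht": b"MIME-Version: 1.0\r\nContent-Type: multipart/related\r\n",
        "flat.xml": b'<?xml version="1.0"?><?mso-application progid="Word.Document"?>',
    }
    for name, blob in samples.items():
        print(name, classify_office(blob))
```

A file whose extension disagrees with the detected container, such as an MHT saved as `.doc`, is worth noting during triage.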

As with all modules, the help output will show us all the available options.

office_help

MetaData -m

Lists document information such as author, pages, words, edit times, etc.

office_meta

OLE Information -o

This works on the old OLE format and will identify the components of the OLE file.

office_ole

Streams -s

This command will look at all the objects stored inside the Office document. It will process both Office 03 formats and newer Office 07+ formats.

office_streams

Export -e /path/to/save

This command will extract and save all the streams to a directory of your choosing.

office_export

VBA / Macro Analysis -v

This command will read any macro code that is included in the document and provide some analytical details.

office_vba

VBA Code Export -c /path/to/file.ext

This command will produce output identical to the VBA command but will also write a copy of the extracted macro code to your named file. It is important to note that this extraction will work even if the document has passwords set to restrict viewing.

That’s all for this module. It is currently being updated to work with the ‘New’ XML and MIME MSO types that are being used by Dridex.

As usual, questions, queries and comments below.