Josh Stroschein
Feb 27, 2024 · 2 min read
Identifying UserForms with Oledump and Olevba
Malware authors often find creative ways to obfuscate and store their data and malicious office documents are no exception. One such...
431 views
Josh Stroschein
Feb 15, 2024 · 2 min read
OneNote Malware: Hidden Payloads in Page Versions
While the abuse of OneNote documents is nothing new, a recent document I investigated revealed multiple payloads through the page...
933 views
Josh Stroschein
Feb 11, 2024 · 2 min read
Anti-Analysis in JavaScript Executed by Windows Script Host (WSH)
Note: This blog was originally published on Feb 24, 2020 It’s common to see malicious office documents drop a JavaScript (JS) file to be...
47 views
Josh Stroschein
Feb 8, 2024 · 2 min read
Maldoc Uses Template Injection for Macro Execution
Note - this was originally published in May of 2020 I recently came across a handful of malicious office documents (maldocs) whose...
135 views
Josh Stroschein
Feb 11, 2021 · 1 min read
How-To: Installing Oledump in Windows
In this video, we’ll look into installing OLEDUMP in Microsoft Windows. Microsoft office documents are a common vehicle used by malware...
27 views
Josh Stroschein
Dec 2, 2020 · 1 min read
Emotet Maldoc Analysis – Embedded DLL and CertUtil for Base64 Decoding
On 11/10/2020, AnyRun posted an Emotet maldoc that utilized CertUtil to decode a DLL payload that was used for unpacking and running the...
23 views
Josh Stroschein
Apr 12, 2020 · 1 min read
Excel 4 Macros – Get.Workspace Reference
With the recent resurgence of the use of Excel 4 macros in malicious excel documents, I’ve found myself scouring the internet looking for...
12 views
Josh Stroschein
Apr 9, 2020 · 2 min read
Removing Passwords from VBA Projects
Occasionally I’ll encounter a maldoc that has a password-protected VBA project. While tools such as oledump may still extract the macros,...
20 views
Josh Stroschein
Mar 25, 2020 · 3 min read
Maldoc drops DLL and executes via ExecuteExcel4Macro
Behavioral information is a key indicator used to determine if an office document is malicious or not. I’ve recently seen a series of...
12 views
Josh Stroschein
Mar 18, 2020 · 5 min read
Maldoc uses Windows API to perform process hollowing
A favorite technique by malware authors is to use macros in their office documents to utilize a normal system executable and replace the...
31 views
Josh Stroschein
Mar 10, 2020 · 3 min read
Maldoc uses RC4 to hide PowerShell script, retrieves payload from DNS TXT record
Malware authors are constantly coming up with new and clever techniques to help avoid detection. In this maldoc, the authors employed...
30 views
Josh Stroschein
Feb 10, 2020 · 5 min read
Malware Analysis – Triaging Emotet (Fall 2019)
This is a summary of initial (triage) analysis of Emotet droppers and the associated network traffic from the fall of 2019. This write-up...
23 views
Josh Stroschein
Jul 15, 2019 · 3 min read
Anti-Analysis in an Office Document
Please note: This was a blog post I originally authored for Bromium. Due to changes in how they host their blog content, it has fallen...
7 views
Josh Stroschein
Jun 28, 2019 · 5 min read
Identifying a User Form in an Office Document
In this post, we will be looking into ways to identify and analyze the presence of a user form in an office document. As I discussed in a...
9 views
Josh Stroschein
Jun 4, 2019 · 8 min read
Analyzing Malicious Office Documents with OLEDUMP
Microsoft office documents are a common vehicle used by malware authors to deliver malware. These documents, used for malicious purposes,...
129 views