tehsyntx/loffice
loffice - Lazy Office Analyzer

Requirements:

Optional:

Loffice uses WinAppDbg to extract URLs from Office documents, and also from VBScript and JavaScript files. By setting strategic breakpoints on the Windows APIs the payload eventually has to call, it can bypass obfuscation and log the URL and the destination file path. Anti-analysis via WMI, for example detecting running processes or installed software, is handled by patching the query string before the query is run.

Loffice has four exit-modes, which determine when execution is aborted:

  • url - Exit when the first URL is found
  • proc - Exit when a new process is about to be created
  • thread - Exit before a suspended thread is resumed (RunPE style)
  • none - Do not interrupt execution; URL and file information is still printed.

It also gives insight into evasion/sandbox detection by hooking string comparisons and logging everything to a file in the "logs" directory.
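The following is an added example, written for this page and not code from the loffice project, showing the moving parts described above in one place: the exit-mode decision, reading a wide-string API argument out of memory, patching a WQL query so a process/product check against VM tools returns nothing, flagging string comparisons that look like sandbox detection, and the per-analysis log. The pure-Python helpers run anywhere; the `run_under_debugger` function needs WinAppDbg on Windows and is only imported when called. Which APIs are hooked (`URLDownloadToFileW`, `CreateProcessW`, `ResumeThread`), the WQL rewrite rule and the indicator list are this example's assumptions, not loffice's own choices. All sample inputs are constructed.

```python
import os
import re

# Exit modes from the README; "none" never aborts.
EXIT_MODES = ("url", "proc", "thread", "none")

# Event kinds the hooks report (names chosen for this example, not loffice's own).
URL_FOUND, PROC_CREATE, THREAD_RESUME = "url", "proc", "thread"


def should_stop(exit_mode, event_kind):
    """True when the selected exit-mode says execution must be aborted on this event."""
    if exit_mode not in EXIT_MODES:
        raise ValueError("unknown exit mode: %r" % (exit_mode,))
    return exit_mode != "none" and exit_mode == event_kind


def read_wide_string(memory, offset, max_chars=1024):
    """Decode a NUL-terminated UTF-16LE string from a bytes buffer.

    Stand-in for reading an LPCWSTR argument out of the debuggee; under WinAppDbg
    Process.peek_string(addr, fUnicode=True) does the same against live memory.
    """
    chunk = memory[offset:offset + 2 * max_chars]
    end = 0
    while end + 1 < len(chunk) and chunk[end:end + 2] != b"\x00\x00":
        end += 2
    return chunk[:end].decode("utf-16-le")


# WQL checks for VM/sandbox processes or installed products, e.g.
#   SELECT * FROM Win32_Process WHERE Name = 'vboxservice.exe'
#   SELECT * FROM Win32_Product WHERE Name LIKE '%VMware%'
WMI_NAME_CHECK = re.compile(
    r"FROM\s+(Win32_Process|Win32_Product)\b.*?\bName\s*(?:=|LIKE)\s*'([^']*)'",
    re.IGNORECASE | re.DOTALL)
BOGUS_NAME = "__loffice_no_such_name__"


def neutralize_wmi_query(query):
    """Patch the query text so the lookup matches nothing and the check reports 'clean'.

    Returns (patched_query, original_name); original_name is None if nothing was patched.
    The rewrite rule is this example's assumption about how to defeat such a check.
    """
    m = WMI_NAME_CHECK.search(query)
    if not m:
        return query, None
    patched = query[:m.start(2)] + BOGUS_NAME + query[m.end(2):]
    return patched, m.group(2)


# Constructed indicator list; a real one would be longer.
SANDBOX_INDICATORS = ("vmware", "virtualbox", "vbox", "qemu", "vmtoolsd",
                      "sandbox", "wireshark", "procmon")


def flag_string_compare(left, right):
    """Return the first sandbox/VM indicator seen in a string comparison, or None."""
    haystack = ("%s %s" % (left, right)).lower()
    for word in SANDBOX_INDICATORS:
        if word in haystack:
            return word
    return None


class AnalysisLog(object):
    """Collects findings in memory and, when a directory is given, appends them to <dir>/<name>.log."""

    def __init__(self, name="sample", log_dir=None):
        self.entries = []
        self.path = os.path.join(log_dir, name + ".log") if log_dir else None

    def add(self, kind, detail):
        line = "[%s] %s" % (kind, detail)
        self.entries.append(line)
        if self.path:
            with open(self.path, "a") as fh:
                fh.write(line + "\n")
        return line


def run_under_debugger(argv, exit_mode, log):
    """Drive the target under WinAppDbg (Windows only; imported lazily).

    apiHooks maps DLL -> [(export, parameter count)], WinAppDbg's own convention;
    pre_<Export> receives (event, return_address, *arguments).
    """
    from winappdbg import Debug, EventHandler

    class Hooks(EventHandler):
        apiHooks = {
            "urlmon.dll":   [("URLDownloadToFileW", 5)],
            "kernel32.dll": [("CreateProcessW", 10), ("ResumeThread", 1)],
        }

        def _report(self, event, kind, detail):
            log.add(kind, detail)
            if should_stop(exit_mode, kind):
                event.get_process().kill()   # abort per the selected exit-mode

        def pre_URLDownloadToFileW(self, event, ra, pCaller, szURL, szFileName, dwReserved, lpfnCB):
            proc = event.get_process()
            url = proc.peek_string(szURL, fUnicode=True)
            dest = proc.peek_string(szFileName, fUnicode=True)
            self._report(event, URL_FOUND, "%s -> %s" % (url, dest))

        def pre_CreateProcessW(self, event, ra, lpApplicationName, lpCommandLine, *rest):
            cmd = event.get_process().peek_string(lpCommandLine, fUnicode=True) if lpCommandLine else ""
            self._report(event, PROC_CREATE, cmd)

        def pre_ResumeThread(self, event, ra, hThread):
            self._report(event, THREAD_RESUME, "hThread=0x%x" % hThread)

    dbg = Debug(Hooks(), bKillOnExit=True)
    try:
        dbg.execv(argv)
        dbg.loop()
    finally:
        dbg.stop()
```

Offline, the helpers can be exercised directly: `neutralize_wmi_query("SELECT * FROM Win32_Process WHERE Name = 'vboxservice.exe'")` returns the patched query together with the name the macro was looking for, which is worth logging as an evasion indicator in its own right. On a Windows analysis VM, `run_under_debugger([winword_path, sample_path], "url", AnalysisLog("sample", "logs"))` starts the host application under the debugger and kills it at the first URL.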

To make analysis as quick as possible, macros should be enabled in Office; otherwise you will have to enable them manually for each analysis. Since the sample is actually executed, run loffice only in an isolated, disposable analysis VM. After the analysis completes, the host application (e.g. Word) is terminated.

If you've got any suggestions/thoughts/comments, let me know!
