1
00:00:11,480 --> 00:00:14,360
So then start with oleid first.

2
00:00:14,540 --> 00:00:21,050
So the running of oletools is pretty much the same as we did with oledump.

3
00:00:21,110 --> 00:00:25,530
They all run with the python command. So just pass Python

4
00:00:30,610 --> 00:00:40,480
oleid.py, just give it the location of your malicious document file.

5
00:00:40,520 --> 00:00:48,460
So once we press enter it gives us a lot of information about the document file.

6
00:00:48,490 --> 00:00:57,640
So oleid is a simple parser of a document file and it looks for a bunch of traits inside the

7
00:00:57,670 --> 00:00:58,930
document file.

8
00:00:58,930 --> 00:01:04,630
For example it checks whether the file is in OLE format or not, what's the application name on

9
00:01:04,630 --> 00:01:10,630
which it was built, whether it is encrypted or not, whether it contains any VBA macros or not, whether

10
00:01:10,630 --> 00:01:12,030
there is an Excel workbook.

11
00:01:12,040 --> 00:01:15,730
So this will happen when we analyze an Excel sheet.

12
00:01:15,940 --> 00:01:18,780
Then there are options for PowerPoint as well.

13
00:01:18,820 --> 00:01:23,890
It also checks whether there is an object pool or whether there are Flash objects which are embedded

14
00:01:23,890 --> 00:01:28,520
inside the document file or the OLE file.

15
00:01:28,600 --> 00:01:33,490
So this information can be very helpful in taking our next steps.

16
00:01:33,490 --> 00:01:40,240
For example this says that the document file contains a VBA macro, so this can be of suspicion for us that

17
00:01:40,270 --> 00:01:46,400
the macro might contain something which can lead to a malware download on the system.

18
00:01:47,140 --> 00:01:52,210
So the next tool that we want to look at is olemeta. What it does is that it basically creates,

19
00:01:52,930 --> 00:01:57,920
it basically gives you the meta information on the particular document.

20
00:01:58,090 --> 00:02:06,040
So what I mean by meta information is basically the data about your data. For example once you have

21
00:02:06,100 --> 00:02:09,420
a doc file, what kind of meta information can you get?

22
00:02:09,580 --> 00:02:15,650
You can get things like code page, title: is there any title that is associated with that document?

23
00:02:15,700 --> 00:02:17,830
Who is the author of that document?

24
00:02:18,130 --> 00:02:20,550
What template was used to create it?

25
00:02:20,560 --> 00:02:24,460
Who was the last person who edited or saved the document?

26
00:02:24,460 --> 00:02:26,230
How many times has it been revised?

27
00:02:26,230 --> 00:02:27,910
How many times has it been edited?

28
00:02:27,910 --> 00:02:29,460
When was it created?

29
00:02:29,710 --> 00:02:33,520
How many pages are there in that document?

30
00:02:33,520 --> 00:02:38,080
These are a few pieces of information which again require some special attention.

31
00:02:38,080 --> 00:02:40,180
For example the number of pages.

32
00:02:40,180 --> 00:02:42,990
So it says that the document has only one page.

33
00:02:43,000 --> 00:02:50,140
So this again points to a suspicious activity, because usually, I'm not saying that it will always

34
00:02:50,140 --> 00:02:55,660
be the case, but usually malicious documents don't really contain too much content.

35
00:02:55,660 --> 00:03:01,990
All they care about is having the macro embedded inside. The document will contain either a simple image

36
00:03:02,020 --> 00:03:09,910
or probably some invoice kind of random information which should not go beyond like one or two pages.

37
00:03:10,150 --> 00:03:18,400
So having a lower number of pages inside the document is an indication that the document might be suspicious.

38
00:03:18,520 --> 00:03:24,100
In our case the number of words is zero, which further increases our suspicion.

39
00:03:24,100 --> 00:03:25,690
It means that there are no words.

40
00:03:25,690 --> 00:03:28,440
There is simply no text inside the document.

41
00:03:28,460 --> 00:03:33,540
Then what's really important about that document that it will be sent through email when there is nothing inside

42
00:03:33,660 --> 00:03:34,140
it?

43
00:03:34,150 --> 00:03:40,060
So that's another indicator which is clearly pointing us in the direction that this file might be suspicious.

44
00:03:41,150 --> 00:03:43,460
Number of characters is again zero.

45
00:03:43,900 --> 00:03:47,920
Further down there are no lines, there are no paragraphs and nothing.

46
00:03:47,920 --> 00:03:55,840
So this is a very good way of kind of making a heuristic judgment inside your mind.

47
00:03:55,960 --> 00:03:57,630
This file can be bad.

48
00:03:57,650 --> 00:04:03,880
So this is how security analysts or security researchers operate. They look into these suspicious factors

49
00:04:04,220 --> 00:04:11,060
and just by statically looking at the file, even without opening it, you're able to make a judgment that

50
00:04:11,060 --> 00:04:13,120
this file might contain something bad.

51
00:04:15,110 --> 00:04:22,500
The next tool we want to talk about is Oledir, which basically gives you the directory representation

52
00:04:23,730 --> 00:04:25,430
of the OLE file.

53
00:04:27,610 --> 00:04:35,130
And if you remember when we were discussing the file format of OLE compound files, we talked about

54
00:04:35,160 --> 00:04:43,700
how OLE files are arranged in the form of a parent root storage that consists of streams and further storages.

55
00:04:43,700 --> 00:04:48,720
Those storages are further divided into either streams or more storages.

56
00:04:48,930 --> 00:04:50,910
So this is what is represented here.

57
00:04:51,000 --> 00:04:58,680
If you see, there is a root entry that consists of a bunch of streams and a bunch of storages. The storage

58
00:04:58,740 --> 00:05:04,870
is for macros and those storages in turn contain a bunch of extra streams.

59
00:05:04,920 --> 00:05:12,930
Oledir basically gives us the directory representation of the OLE file or the document

60
00:05:12,930 --> 00:05:16,070
file that we passed to it.

61
00:05:16,170 --> 00:05:21,150
Let's move on to another OLE tool called olemap.

62
00:05:24,550 --> 00:05:33,070
Olemap basically gives you a representation of the entire header or the entire information about

63
00:05:33,160 --> 00:05:35,640
the OLE file's internal structure.

64
00:05:35,890 --> 00:05:42,640
What it does is that it reads the hexadecimal characters of the OLE file and it tries to map them against

65
00:05:42,700 --> 00:05:44,040
its attributes.

66
00:05:44,200 --> 00:05:50,940
For example we again have the hexadecimal string here which I asked you to look at probably a few

67
00:05:50,970 --> 00:05:52,110
videos back.

68
00:05:52,120 --> 00:05:57,740
So this is basically the OLE file signature in hex format and there are headers and minor versions,

69
00:05:57,760 --> 00:06:00,720
major versions, bytes etc.

70
00:06:00,730 --> 00:06:05,440
So if you have followed the previous videos these things will make a lot more sense to you.

71
00:06:05,440 --> 00:06:10,750
You can really understand why this information is there and what exactly it means and things like

72
00:06:10,750 --> 00:06:11,360
that.