loffice - Lazy Office Analyzer

Requirements:

Optional:

Loffice uses WinAppDbg to extract URLs from Office documents, as well as from VBScript and JavaScript. By setting strategic breakpoints it is possible to neutralize obfuscation and recover the URL and file destination. Anti-analysis via WMI, for example detecting running processes or installed software, is handled by patching the query string before the query is run.
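The WMI query patching described above can be sketched as follows. This is an added example, not loffice's own code: it works on a byte buffer standing in for the query string a breakpoint callback would read from the debuggee, and the function names, the watched class list and the same-length dummy replacement are assumptions.

```python
import re

# Assumption: classes to neutralize. Win32_Process lists running processes,
# Win32_Product lists installed software.
WATCHED_CLASSES = {"win32_process", "win32_product"}

# Class name after FROM; ASCII-only so one character is always two bytes.
FROM_CLASS = re.compile(r"\bFROM\s+([A-Za-z_]\w*)", re.IGNORECASE | re.ASCII)


def split_at_nul(buf):
    """Split a UTF-16LE buffer at its first aligned NUL terminator."""
    for i in range(0, len(buf) - 1, 2):
        if buf[i:i + 2] == b"\x00\x00":
            return buf[:i], buf[i:]
    return buf, b""


def patch_wql_query(buf):
    """Return (buffer, log_line); log_line is None when nothing was patched.

    The class name is overwritten with a dummy of the same length, so the
    buffer keeps its size and terminator and can be written back in place.
    """
    head, tail = split_at_nul(buf)
    query = head.decode("utf-16-le")
    match = FROM_CLASS.search(query)
    if match is None or match.group(1).lower() not in WATCHED_CLASSES:
        return buf, None
    dummy = "X" * len(match.group(1))  # names no existing WMI class
    patched = query[:match.start(1)] + dummy + query[match.end(1):]
    log_line = "WMI query patched: %r -> %r" % (query, patched)
    return patched.encode("utf-16-le") + tail, log_line


if __name__ == "__main__":
    # Constructed sample: a process-enumeration query as it would sit in memory.
    sample = "SELECT Name FROM Win32_Process".encode("utf-16-le") + b"\x00\x00"
    new_buf, line = patch_wql_query(sample)
    print(line)
```

In a debugger the returned buffer would be written back to the address it was read from before the hooked call continues; that step is left out here because it depends on the hooked function's signature.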

Loffice has three different exit modes, which determine whether execution is to be aborted:

It will also give insight into whether any evasion/sandbox detection is going on by checking string comparisons, and it logs everything to a file located in the "logs" directory.

To make analysis as quick as possible, macros should be enabled in Office; otherwise you would have to enable macros manually for each analysis. After the analysis completes, the host application (e.g. Word) will be terminated.

If you've got any suggestions/thoughts/comments, let me know!