Analyzing Malicious Word and Excel Documents

November 19th @ 17:00 - 21:00 (GMT +4) // HITB CommSec Track


Skill Level








Malicious office documents continue to be an effective tool for threat actors to compromise their victims and gain access to an organization’s network. While these documents have been around for a while, malware authors continue to find effective ways of abusing functionality to minimize their detection. This year alone we have seen a resurgence of such techniques through the use of Excel 4 Macros and other creative ways to bypass detection. In this workshop, we will get hands-on with the latest Office-based threats to understand how they work, how to detect them and identify indicators of compromise. You will learn the tools and techniques to extract macros, tackle obfuscation and debug the code. This workshop will take you deep into malicious office documents and the tools required to analyze them so that you can better defend your organization and it’s users.


  • Introduction to Lab VMs
  • Discuss Office Documents
  • Introduce tools and workflow

Lab: Analyzing an Emotet Dropper

  • Identifying obfuscation patterns
  • Using the Office IDE for debugging

Lab: Dynamic Analysis

  • Dissecting Excel documents
  • Working with Excel 4 macros
  • Identifying other methods of executing content

Lab: Reversing Excel-based Malware

  • Process hollowing
  • Other advanced techniques

Lab: Tracing Windows API and Extracting Shellcode

Share on facebook
Share on twitter
Share on linkedin
Share on email
Share on whatsapp


  • Learn the tools and skills needed to perform analysis on malicious office documents, such as the Office IDE, oledump, olevba, xlmdeobfuscator, sandboxes and more
  • Leverage static and dynamic tools to develop a hybrid approach for effectively analyzing malware, defeating obfuscation and identifying important indicators of compromise
  • Learn how to leverage network traffic to gain a deeper understanding of malware behavior


Security Researcher

Josh Stroschien

Josh is an experienced malware analyst and reverse engineer and has a passion for sharing his knowledge with others. He is an accomplished trainer, providing training in the aforementioned subject areas at BlackHat, DerbyCon, Toorcon, Hack-In-The-Box, Suricon, and other public and private venues.

Josh is an Assistant Professor of Cyber Security at Dakota State University where he teaches malware analysis and reverse engineering, He is also the Director of Training for OISF, an author on Pluralsight, and a threat researcher for Bromium/HP.

Ready To HACK?