Microsoft OffVis, Office Visualization Tool
OffVis, the Microsoft Office Visualization Tool, has been designed to visualize the binary file formats doc, xls or ppt. While it has been primarily created for IT professionals and security researchers, it can have its uses for less tech savvy or security interested Office users.
The software requires the Microsoft .net Framework 2.0, but has no other dependencies besides that. Users can launch the program by clicking on OffVis.exe after unpacking the download to a local directory.
First step in the analysis of Office documents is to load a supported file format from the File menu.
OffVis Office Visualization Tool
OffVis displays the raw file content on the left side. A parser can now be selected from the parser pull down menu to parse the document that has been loaded.
If you'd like to parse only at the OLESS layer, choose "Format Library.DLL: OLESSFormat". If you'd like to attempt to parse the file as an Excel, PowerPoint, or Word file, select one of those parsers.
Parsing results are displayed on the right side, selecting an element will highlight it on the raw file content side.
The interesting aspect of the software for all users is that it can detect malicious code. It will automatically display "definitely malicious" entries in the document, if any are found.
Office users can therefore use the Office Visualization Tool to analyze binary Office formats for malicious code before executing them on their system.
The program only detects known vulnerabilities that have been patched already. The following vulnerabilities are detected:
CVE-2006-0009, PowerPoint, MS06-012 (March 2006)
CVE-2006-0022, PowerPoint, MS06-028 (June 2006)
CVE-2006-2492, Word, MS06-027 (June 2006)
CVE-2006-3434, PowerPoint, MS06-062 (October 2006)
CVE-2006-3590, PowerPoint, MS06-048 (August 2006)
CVE-2006-4534, Word, MS06-060 (October 2006)
CVE-2006-4694, PowerPoint, MS06-058 (October 2006)
CVE-2006-5994, Word, MS07-014 (February 2007)
CVE-2006-6456, Word, MS07-014 (February 2007)
CVE-2007-0515, Word, MS07-014 (February 2007)
CVE-2007-0671, Excel, MS07-015 (February 2007)
CVE-2007-0870, Word, MS07-024 (May 2007)
CVE-2008-0081, Excel, MS08-014 (March 2008)
CVE-2008-4841, Word, MS09-010 (April 2009)
CVE-2009-0238, Excel, MS09-009 (April 2009)
CVE-2009-0556,PowerPoint, MS09-017 (May 2009)
It may even make sense to run the tool, even if all the security patches have been applied to the Office software. Why? Because it can provide valuable information about a sender or the origin of the document. The OffVis software is available via direct download from Microsoft.