Occasionally, users ask me to take a look at a document (usually .docx or .pdf) that they are unsure of. It might be that the sender is someone known to them but they weren't expecting a report or an invoice, or perhaps they don't know the sender but the message seems legitimate. As part of our security awareness campaigns, I have repeatedly encouraged them to ask. I'm glad they do.
Other times, it comes to my attention that a user has, or might have, opened a malicious attachment. In these cases, too, I need to find out what I'm dealing with. Is the document malicious? What does it do if you open it (and click Enable Content)? Does it actually execute code, or does it just link to a phishing site?
My favorite tool for analyzing these documents is https://www.hybrid-analysis.com. This site makes it very easy to figure out if a document is malicious, analyze its behavior, and identify potential indicators of compromise. The following is a quick walk-through that highlights some of the information the site provides when you analyze a document.
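Before uploading a document that may contain sensitive content to a public sandbox, it is worth a quick offline look at the two questions above (does it carry code, or just a link?). The following is an added example, not part of the original post and not the Hybrid Analysis tooling: it unpacks an OOXML (.docx) archive, flags an embedded VBA project, and pulls external hyperlink and remote-template targets out of the relationship files. The sample document is constructed in memory by `build_sample_docx`, and `example.invalid` URLs are placeholders.

```python
import io
import re
import zipfile

# Relationship types defined by the OOXML spec that are worth flagging.
HYPERLINK_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink"
TEMPLATE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"

REL_RE = re.compile(r"<Relationship\b([^>]*)/?>", re.I)   # one <Relationship .../> element
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')                    # its attributes


def build_sample_docx(with_macro=True, link="http://example.invalid/login", remote_template=None):
    """Construct a minimal .docx-shaped zip for testing. This is NOT a real or
    malicious document; it only carries the parts the triage function inspects."""
    doc_rels = [f'<Relationship Id="rId5" Type="{HYPERLINK_REL}" Target="{link}" TargetMode="External"/>']
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels",
                   "<Relationships>" + "".join(doc_rels) + "</Relationships>")
        if remote_template:
            # A remote attachedTemplate is how template-injection documents pull
            # a macro-enabled template from the network at open time.
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships><Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                       f'Target="{remote_template}" TargetMode="External"/></Relationships>')
        if with_macro:
            # Real vbaProject.bin files are OLE2 containers; a stub is enough here.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1stub")
    return buf.getvalue()


def triage_docx(data: bytes) -> dict:
    """Static first look at a suspected document: is it OOXML, does it carry VBA,
    and where does it point? Returns a dict of findings; it never opens the file
    in Office, so nothing in it can run."""
    findings = {"is_ooxml": False, "has_vba": False, "external_links": [], "remote_template": None}
    try:
        z = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy .doc/.xls are OLE2 (not zip), PDFs are not zip either: they
        # need a different parser, so report "not OOXML" rather than guess.
        return findings
    with z:
        names = z.namelist()
        findings["is_ooxml"] = "[Content_Types].xml" in names
        findings["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        for name in names:
            if not name.endswith(".rels"):
                continue
            xml = z.read(name).decode("utf-8", errors="replace")
            for match in REL_RE.finditer(xml):
                attrs = dict(ATTR_RE.findall(match.group(1)))
                if attrs.get("TargetMode", "").lower() != "external":
                    continue  # internal parts of the package, not network targets
                target, rtype = attrs.get("Target", ""), attrs.get("Type", "")
                if rtype == TEMPLATE_REL:
                    findings["remote_template"] = target
                elif rtype == HYPERLINK_REL:
                    findings["external_links"].append(target)
    return findings


def verdict(findings: dict) -> str:
    """Turn findings into the answer the user actually asked for."""
    if not findings["is_ooxml"]:
        return "not OOXML: inspect with an OLE2/PDF-aware tool or submit to a sandbox"
    if findings["has_vba"] or findings["remote_template"]:
        return "code path: VBA project or remote template present; treat as executable"
    if findings["external_links"]:
        return "link only: no macro found, check the external URLs for phishing"
    return "no macro or external target found statically; sandbox for dynamic behavior"


if __name__ == "__main__":
    sample = build_sample_docx()
    f = triage_docx(sample)
    print(f)
    print(verdict(f))
```

This is a static check only: it does not decode the VBA, follow DDE fields, or look inside embedded OLE objects, so a negative result still warrants a sandbox run. The point is to know before uploading whether you are dealing with something that executes on open (macro or remote template) or something that merely links out.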
Friday, November 30, 2018