Investigator Use
Scan Maldoc (scan.tylabs.com) is an online malware document analysis service that allows investigators and analysts to submit suspicious Office documents (Word, Excel, PowerPoint), PDFs, and other document formats for automated static and dynamic analysis to detect malicious macros, embedded exploits, and suspicious behaviors.
For OSINT investigators and incident responders, Scan Maldoc provides a rapid first-pass analysis of potentially malicious documents received during investigations — phishing attachments, documents found on compromised systems, or files downloaded from suspect URLs. The automated analysis extracts embedded macros, identifies suspicious API calls, flags known exploit patterns, and provides behavioral indicators without requiring local execution.
Malicious document analysis is a critical skill in phishing and spear-phishing investigations. Scan Maldoc's macro extraction capability surfaces the actual code embedded in Office documents, revealing command-and-control URLs, payload download locations, obfuscated code, and system commands. This intelligence is directly actionable for expanding the investigation to the discovered infrastructure.
For threat intelligence work, analyzing documents from targeted attack campaigns through Scan Maldoc can identify TTPs consistent with specific threat actor groups — characteristic macro code patterns, C2 infrastructure, and payload types that appear across campaigns from the same group.
The service's indicator extraction outputs — URLs, IP addresses, domain names, file hashes — can be fed directly into further OSINT workflows: domain reputation lookups, infrastructure analysis, passive DNS queries, and blockchain analysis if cryptocurrency addresses appear.
Privacy and operational security considerations: Submitting documents to cloud analysis services means the content is processed by a third-party system. Sensitive documents from live investigations should not be submitted to public services without authorization from the case authority. Instead, use offline tools like oletools, CAPE Sandbox, or Cuckoo Sandbox for sensitive document analysis.
Record the file hash (compute SHA-256 locally before uploading, so the record proves exactly which file was analyzed), the analysis timestamp, the report link, and every extracted indicator in the case documentation. Treat extracted C2 URLs and IPs as high-priority follow-up targets, and store them defanged (hxxp://, [.]) so they cannot be clicked or auto-linked by accident.
Before You Pivot
Record Context
Capture the target, search terms, and why this source is relevant before you leave the page.
Preserve Evidence
Archive volatile pages, save screenshots, and keep timestamps for anything that may change.
Corroborate
Treat one tool as a lead source. Confirm important findings with independent sources.