According to Microsoft’s 2016 Threat Intelligence Report, 98% of Office-targeted threats use macros. So, shouldn’t we just focus our efforts on detecting threats that leverage macros? Of course not. Attackers will constantly innovate. Finding ways to bypass existing security solutions and making malware easy to execute are top of mind for an attacker. Exploits are a good way to achieve code execution, but for most attackers, they are too technical to implement and too expensive to buy. Less common filetypes provide delivery methods which are easy to use for the attacker, don’t require much action from the victim, and also evade detection.
If the filetype is not yet commonly used by malware in-the-wild, there is a good chance that security products have limited support for properly analyzing the filetype. Some rarely used Office file types and features can be leveraged for this purpose. In this blog post, we highlight techniques which use mostly forgotten features to deliver malware via Microsoft Office.
4 Techniques to Deliver Malware via Microsoft Office
Besides the usual VBA and exploit angle, Office supports file types which are mostly forgotten and would generally not be used in normal environments. If the file type is supported by Excel (for example, IQY, SLK), it will show up in Windows with a familiar Excel icon, reducing the likelihood the victim will get suspicious and more likely they will open the file. Once opened with Excel, abusing the DDE (Dynamic Data Exchange) protocol allows easy code execution if enabled on the victim’s machine.
Using Object Linking and Embedding (OLE) is a common technique for leveraging a file type natively supported by Windows to infect a user’s machine. It’s easier to get victims to open Word documents than executables directly. The problem for the attacker is that Office 2016 blocks execution of some file extensions by default. Security researcher Matt Nelson found a file type – SettingContent-ms – which is able to execute code but is missing from the blacklist implemented in Office, bypassing the OLE blocking feature.
Another way to abuse Office features is the well-known, but rarely used startup paths used by Word or Excel. If a supported file is placed in this folder, it gets automatically opened when the application is next started.
Now let’s take a look at four samples leveraging these delivery techniques.
IQY – Excel Web Query
View the VMRay Analyzer Report
SHA256: ca0da220f7691059b3174b2de14bd41ddb96bf3f02a2824b2b8c103215c7403c
Excel web queries are simple text files used to query content from the web into an Excel cell. The files contain a URL, and after the file is opened in Excel, the contents of the URL are downloaded to a workbook. From that point, easy code execution is possible with DDE.
The file type has been supported by Excel for more than a decade, but publicly available malware hasn’t used it until the end of May.
We published a report detailing a new campaign in early June:
IQY File Contents – MS Office Malware
Figure 1: Contents of the IQY file
When opening the file, Excel downloads 2.dat, and copies the file’s contents to a cell.
Figure 2: Excel downloading the next stage
Figure 3: Contents of the downloaded 2.dat file
The contents of 2.dat start with =cmd|. This is a DDE method used to simply get code execution. The string after the pipe is executed with cmd.exe, and will use PowerShell to download the next stage (1.dat). A warning pops up in Excel before executing the command.
Figure 4: Warning on Office 2016
Figure 5: Contents of the second stage, 1.dat
1.dat is a simple PowerShell downloader, which downloads and executes the FlawedAmmyy RAT.
Figure 6: Process graph of the IQY file downloading and executing FlawedAmmyy
SLK – Symbolic Link
View the VMRay Analyzer Report
SHA256: 3d479d661bdf4203f2dcdeaa932c3710ffb4a8edb6b0172a94659452d9c5c7f0
The SLK file format is designed for exchanging information between spreadsheets. Like IQY, it’s another format that has been supported by Office for more than 10 years and can be combined with DDE to get code execution in a simple way. Although the internals of the file are undocumented, an existing SLK file can easily be modified without understanding the format, and unofficial documentation attempts are available.
For an attacker, the only thing to do to achieve code execution is replace a cell in an SLK file with a dynamic expression, like one starting with “=cmd|”. The following sample (source) uses this technique to start wmic with an online XSL. The attacker could just download the payload here directly, but instead uses the “SquiblyTwo” technique by subTee, which leverages WMIC to get code execution.
Figure 7: SLK launching wmic with custom spreadsheet.
Figure 7: Process graph of the SLK launching WMIC
Startup Folders
View the VMRay Analyzer Report
SHA256: 83b0d7926fb2c5bc0708d9201043107e8709d77f2cd2fb5cb7693b2d930378d2
When Word or Excel are opened, they parse certain folders looking for files and open them by default. This feature is well-documented and is used by some organizations to open an often-used template by default.
The feature can also be used by malware as a persistence mechanism or a sandbox-evasion technique. The technique is to simply drop a file into one of these folders. This file won’t be opened until the related Office program is next started, which sandboxes probably won’t do in an automated way. A good write-up about Office startup paths is on Hexacorn’s blog.
The example sample (source) is an RTF file that exploits Word’s equation editor vulnerability (CVE-2017-11882) only to drop an XLS to the default Excel XLSTART folder with extension xlam.
Figure 8: YARA matches for the dropped XLS
The dropped XLS has obfuscated macros. When Excel is next started, it opens the dropped file, and executes the macros, finally dropping a DLL to the APPDATA folder and linking it to run when the system is started.
View the VMRay Analyzer Report for the dropped XLS.
Figure 9: Detection of the dropped XLS
Embedded SettingContent-ms
View the VMRay Analyzer Report
SHA256: 3c6a74d216e10e4ff158716cfa72984230995041c4bbb7596b8c8aaa461d76c5
Internally, the SettingContent-ms filetype is an XML, which has a tag called “Deeplink”. The deeplink can point to any runnable file, and when the file is opened, the pointed file will be executed.
The connection to Office is that when opening documents embedded in a document, Office can disable or warn against opening the embedded file if they are executable. This extension was missing from the blacklist of executable files, so it bypassed this security feature, meaning it was much easier to get code execution with Office documents. After the vulnerability was publicly disclosed, security researchers created test samples, many of which eventually ended up on VirusTotal. The method has also been used by malware in the wild, dropping LokiBot. Since then it has been used in widespread malware campaigns with the variation of embedding the file inside PDFs instead of DOC files.
The VMRay Analyzer detects the file:
Figure 10: VMRay Analyzer Detects the File
Conclusion
Attackers are constantly looking for new attack vectors. Using macros in Office documents is easy to detect, and exploits are less accessible because they require some skill to implement. Office does, however, provide many now unused and half-forgotten features which can be leveraged to create successful attacks. (Re)discovering these Office features requires effort and skill, but once a proof-of-concept is available, there is a window to create efficient attacks with very little skill.
VMRay Analyzer successfully analyzes and detects malware that uses these techniques. We proactively add support for new file types as they emerge, making the attacker’s window of opportunity as short as possible.
