Malicious Office Documents and OleDump
Office documents, such as those created using Microsoft Office (Word, Excel, PowerPoint), have unfortunately become a common vector for malware attacks. Macros, small pieces of code embedded in Office files, have historically been used for malware distribution. Unsuspecting users receive emails with enticing attachments (such as invoices or legal documents) that prompt them to enable macros. Once activated, the macros execute the attacker’s payload, allowing malware to compromise the system.
Today we will use some tools to analyze an Excel and Word document in an attempt to try to extract information about its functionality and malicious intent. I’m going to be playing with Oledump.py to display some of its functionality.
Oledump is a powerful Python tool designed to analyze OLE files. These files often contain streams of data and are used by various applications, including Microsoft Office files (such as `.doc`, `.xls`, and `.ppt`). Even the newer Microsoft Office Open XML (OOXML) format relies on OLE files for VBA macros.
When most people look at an Excel file, they perceive it as a single file, which, when decompressed, contains metadata about the file. To start digging in, one preliminary step we can take is to use the native unzip tool to decompress the file:
We see some interesting information along with a vbaproject.bin file within the xl directory.
Given the .bin extension, there are obviously raw bits in it. A BIN file is a generic data file that stores information entirely or partially in binary format. Performing a ‘cat’ command on the file gives us the raw bits, which usually appear as a bunch of gibberish with the exception of some strings we are able to make out:
We need a better tool to investigate this file, such as OleDump.py.
OLE (Object Linking and Embedding) is a technology that facilitates communication between software applications by allowing them to share data and functionality. It was developed by Microsoft and is commonly used in Windows-based systems. OLE enables embedding objects (such as charts, spreadsheets, or multimedia files) within documents (like Word or PowerPoint files) or linking to external files.
OLE (Object Linking and Embedding) technology, originally designed for legitimate purposes, has unfortunately become a vector for malware attacks. Here’s how it’s exploited:
1. Malicious Embedded Objects: OLE allows content creators to embed external resources (like files or executables) within documents. When a user activates an embedded object (e.g., by clicking an icon), it can inject malware onto their computer. These objects often masquerade as harmless content, making them difficult to detect.
2. Payload Concealment: Malware authors leverage OLE’s versatility to hide malicious code within seemingly benign files. Unlike macros (which often reach out to external servers for payloads), OLE malware contains the payload directly within the document. This all-in-one package makes it harder to detect and block.
Given its prevalence, organizations should consider disabling OLE and macros (via registry edits or group policies) to enhance security. Vigilance and awareness are crucial, especially since handling documents is a routine task for most users.
Back to this sample, we can use OleDump.py to dig around in an attempt to find out its functionality. To start, we will perform a basic dump of the file, which looks similar to our unzip dump.
OleDump will create its own index of these files; we can think of them as data streams. A3 looks particularly interesting as it has a capital M next to the index. This is OleDump telling us that there is a macro within this data stream that we should look at. We can examine this stream with the command below. In the screenshot, we see the stream has number three, so we will use the S option to specify stream 3 along with the file name.
remnux@remnux:~/Documents/tmp$ oledump.py -s 3 2024_Budget.xlsmSince this is a .BIN file, we will get a HEX dump. Immediately, we can already see a couple of strings that are of interest, mainly certutil, which is a known Living Off The Land Binary.
Living Off The Land Binaries (LOLBins) refer to legitimate system binaries or tools that attackers misuse for malicious purposes. Instead of introducing new malware, LOLBins leverage existing utilities available on the target system, making detection more challenging. These binaries are part of the operating system or commonly installed software, allowing attackers to evade security tools and blend in with normal system activity. Examples include PowerShell, Windows Management Instrumentation (WMI), and certutil. By repurposing these tools, attackers achieve their goals without raising immediate suspicion.
Since this is still messy, let’s edit the command and add a -s to dump the strings, which is similar to using FLOSS or strings against a binary.
remnux@remnux:~/Documents/tmp$ oledump.py -s 3 -S 2024_Budget.xlsmWe see what appears to be some base64 encoding, along with a command utilizing certutil to decode a .crt file and rename it as run.ps1.
Let’s see if we can recover the actual syntax of the macro itself. To do this, we will add --vbadecompresscorrupt to our command.
oledump.py -s 3 --vbadecompresscorrupt 2024_Budget.xlsmNow we have all the text from the embedded macro within this worksheet. We see the creation of an array of characters from which it builds strings. We also see a call to a domain to retrieve a file, which is written to disk as “encd.crt”. Finally, there’s a call to the shell object, which runs certutil to decode the “encd.crt” file and rename it to “run.ps1”. It then runs a version of PowerShell located at c:\Windows\SysWOW64\WindowsPowerShell\v1.0\ to execute the PowerShell script, which we can assume downloads additional malicious files.
Switching over to Word, we will be looking at two files with different extensions: .docm, which is a macro-enabled Word document, and .docx, which is a standard Word template.
Let’s start with a basic dump of the AnnualContract file:
Running oledump with the --vbadecompresscorrupt switch again, we see the same macro code as in the Excel document.
Moving on to the other document, many people believe that Word documents with the .docx extension are safe due to the difficulty of embedding macros into a template. Enter remote template injection.
Remote template injection is a technique where adversaries manipulate document templates to conceal malicious code or force authentication attempts. For instance, in Microsoft Office Open XML (OOXML) files, template properties may reference external resources fetched when the document loads. By injecting template references, attackers can execute payloads after the document opens. This method evades static detections and has been observed in the wild, even enabling forced authentication.
Extracting the .docx file, we see the structure below. We will navigate into the word > rels folder:
Not all files with the .docx extension are templated Word documents that use a remote template. However, for those that do, the settings for this template are stored in the directory under settings.xml.rels. Opening this file, we see the settings for this template.
At the end of the 3rd line, we see the target location from which it is retrieving the template. These templates are usually downloaded when the file is opened and stored in the custom Word templates folder. The workaround here is that this doesn’t have to be stored on the local file system.
It appears this is reaching out to a .dotm file, which is a document template file. So, when the .docx file is opened, it will pull down this .dotm file and run the malicious macro just as if it were within the .docx file.
To defend against malicious Office macros, companies can take several proactive steps:
1. Macro Security Settings: Configure strict macro security settings in Microsoft Office applications. By default, macros should be disabled, and users should only enable them for trusted documents. Educate employees about the risks associated with enabling macros.
2. Whitelisting: Maintain a whitelist of approved macros and digitally sign them. Block execution of unsigned macros. This ensures that only authorized macros run within the organization.
3. Behavioral Analysis: Use security tools that monitor macro behavior. Detect suspicious patterns, such as macros attempting to access sensitive files or making network requests. Behavioral analysis helps identify malicious activity.
4. User Training: Regularly train employees on safe practices when handling Office documents. Teach them to scrutinize attachments, avoid enabling macros from unknown sources, and report any suspicious activity.
5. Patch Management: Keep Office applications and operating systems up to date. Many vulnerabilities exploited by macros are patched in updates. Regularly apply security patches to minimize risk.
6. Network Segmentation: Isolate critical systems from less secure ones. Limit the impact of macro-based attacks by segmenting networks appropriately.
Remember that a layered defense strategy, combining technical controls, user awareness, and vigilant monitoring, is essential to mitigate the risks posed by malicious macros.
