Yesterday evening various people in my company received highly suspicious emails regarding a receipt ready for their signature. The email had a link to review the document.
The link led to download in all cases the same DOC file (all files had different names but the same hash).
My colleague then checked the hash on VT and found it was already there, detected by 8/60 AV engines. The detection names were already hinting this was something we had been expecting to get in the last few days: a macroless maldoc.
Since Sensepost researchers published 8 days ago a post about the abuse of the Dynamic Data Exchange (DDE) Microsoft technology to execute commands in MSWord without requiring macros, we knew we would get this sooner rather than later.
Didier Stevens published recently a post in NVISO Labs blog detailing a way to detect the use of DDE in MS Office documents with his tool Zipdump and with the help of YARA rules.
But we were not getting any results using his YARA rules, so I decided to perform an in-depth check of the document to find out why.
First I tried to get some details with Zipdump on the file:
The file does not appear to have anything suspicious at first view. But since I knew that DDE can be called from any normal XML file, I went to look for it first in the main “word/document.xml” subfile (object #5).
At first sight, all I saw was a big bunch unintelligible of XML tags. But at the end I also saw a couple of suspicious %TEMP% strings. So I copied the dump of object 5 in a text editor and started separating each suspicious string. I soon found out that the reason the DDE tag was not being detected by the YARA rule was that it had been separated by XML tags:
In order to not miss even a single space between XML tags, I built a regex that select (and afterwards remove) all XML tags, which would leave me with the code that had to be automatedly executed.
Putting the executable code together, I got the following powershell to download another payload:
I could not get the payload anymore, but it seems I will have to update the YARA rule to try to detect this kind of obfuscation.
Meanwhile, stay safe out there and be careful with these macroless malware.