Guest Blogger: Luca Garofalo
Today, whether at work, in school or in any other context, we receive documents. They are very useful: they allow us to keep information organized thanks to tables, images and text formatting. However, some documents can contain malicious code, and most of the time the user does not even realize it. An example is Excel files: they are very useful for management and data visualization, but, as with everything digital, there is a possibility that they can be used as an attack vector.
Example Scenario
Let’s picture a scenario: we receive an xlsx document, or we have to download one. We are mostly inclined to click on it and trust the author, but there are some parameters to check. This is how a modern Excel file looks when opened in a text editor.
It looks like a bunch of random characters, however there is something interesting: the letters PK at the beginning. These are the magic bytes, more commonly called the signature, of a zip file; in fact all modern Office files such as docx, pptx, xlsx and many more are zip archives. This means that it may be more difficult to recognize whether the file is malicious, since we have to check a lot of different files, the risk of false positives is high and malicious code can be hidden anywhere.
Methodology:
As we have seen before, the risk of gathering false positives is high, especially if we try to analyze all the files: this gives greater coverage but more risk of false flags. Now let’s analyze this Excel file. It is also important to notice that this procedure is also valid for docx and pptx files, but each of them uses different folder names to look at. The first factor that we have to look at is the presence of macros and OLE objects.
Macro: Documents very rarely have macros built in, and even then some macros are completely harmless and used to automate tasks; however, attackers often use them to distribute malware.
OleObjects: They are more common than macros. They are external objects created with other software and linked to the document; however, they can contain malicious code and be a very powerful attack vector.
Analysis:
In this step we take a look at a sample of a malicious document; for reference, it is the same document that we have seen in the screenshot before. In this case we will use a file analysis tool.
File Type Recognition:
We take as an example a file named Test.xls.
After the analysis, the file extension turns out to be xlsx and not xls; however, the Contain-Macros flag is True. This means that it possibly contains executable code, so it is not a normal xlsx file but an xlsm, which is the correct extension to assign to this type of file.
docx → docm
pptx → pptm
xlsx → xlsm
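An added example (not code from the original post) that automates the checks described so far: it verifies the PK zip signature, identifies the document type from the top-level folder inside the archive, looks for the vbaProject.bin macro stream and embedded OLE objects, and reports the extension the file should carry. The sample archive is constructed in the script itself and copies only the folder layout of a workbook, with placeholder bytes instead of a real VBA project.

```python
import io
import zipfile

# Top-level folder inside the archive that identifies each Office format,
# and the macro-enabled extension each one should carry when a VBA project is present.
PART_ROOT = {"word": "docx", "ppt": "pptx", "xl": "xlsx"}
MACRO_EXT = {"docx": "docm", "pptx": "pptm", "xlsx": "xlsm"}

def triage_office_file(data: bytes, filename: str) -> dict:
    """Static triage of an OOXML file: zip signature, macro stream, OLE objects, extension check."""
    result = {"is_zip": data[:2] == b"PK", "doc_type": None, "has_macro": False,
              "ole_objects": [], "expected_ext": None, "extension_mismatch": False}
    if not result["is_zip"]:
        return result                      # not a zip container: not a modern Office file
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    roots = {n.split("/", 1)[0] for n in names if "/" in n}
    for root, ext in PART_ROOT.items():
        if root in roots:
            result["doc_type"] = ext
    # The VBA project lives in <root>/vbaProject.bin; embedded OLE objects in <root>/embeddings/.
    result["has_macro"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    result["ole_objects"] = [n for n in names if "/embeddings/" in n.lower()]
    if result["doc_type"]:
        base = result["doc_type"]
        result["expected_ext"] = MACRO_EXT[base] if result["has_macro"] else base
        actual = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
        result["extension_mismatch"] = actual != result["expected_ext"]
    return result

def build_sample(with_macro: bool, with_ole: bool) -> bytes:
    """Constructed archive that copies only the folder layout of a workbook (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            zf.writestr("xl/vbaProject.bin", b"placeholder")
        if with_ole:
            zf.writestr("xl/embeddings/oleObject1.bin", b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    # Mirrors the Test.xls case in the post: xlsx layout, macro present, wrong extension.
    print(triage_office_file(build_sample(True, True), "Test.xls"))
```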
Deep Analysis:
After having seen that the file contains a macro and OLE objects, it is time to understand whether anything has been flagged. The scan has flagged this file as possible malware.
The extension mismatch is something to consider, since in some scenarios it is used to mask the file and avoid detection. The file has been classified as Trojan-Downloader, Dropper, Spyware, Fileless Malware and Obfuscator, and 4 files have been flagged.
Understanding the threat
After the analysis result we can see what is inside these 4 files. In order to understand how the raw content of the file looks, it will be shown only for vbaProject.bin (_original.txt). The explanation will be very basic and will cover only the most important points of the behavior of the file.
These keywords are very interesting: essentially, with the command Auto_Open it will start a process without the user realizing it, and with WinHttp.WinHttpRequest this file is preparing an external request.
This piece of code found in the file vbaProject.bin is an example of an HTTP request:
It starts with objHTTP, which initializes the web request object; then the ado variable initializes the file stream object (it allows writing data); after that a web request is created and the content of the web request is saved to a file.
oleObject1.bin
In this output we can see an interesting file path called Excel Exploit 1.19 and a function named ChangeFileName that is used to change the file name; then it is executed without the user’s consent, and in the end it deletes a file named y.js.
oleObject2.bin
The function tse64Decode decodes the link into a normal string, which turns out to be an IP address with an exe file, saved as linkstring, and the ase64Decode function decodes the filename, saved as filestring.
The function HTxTPDownload downloads the file from the IP address, renames it to C:\ProgramData\dhvgbubhfur.exe and then executes it.
oleObject3.bin
In the last file, this renames a file from y to y.js and then executes it with cscript.
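An added example, not code from the original post: a keyword and base64 scanner for decoded VBA text that covers the behaviours walked through above (Auto_Open, WinHttp.WinHttpRequest, ADODB.Stream, a base64-hidden link to an exe on an IP address, execution via cscript). The sample macro text is constructed here from isolated fragments and is not a working macro; it uses the reserved test address 198.51.100.7, and the indicator list and scoring threshold are my own assumptions rather than a tool's settings.

```python
import base64
import re

# Indicator strings from the walkthrough, grouped by the behaviour they point to (assumed list).
INDICATORS = {
    "autorun": ["auto_open", "workbook_open", "document_open"],
    "network": ["winhttp.winhttprequest", "msxml2.xmlhttp", "urldownloadtofile"],
    "filewrite": ["adodb.stream", "savetofile"],
    "execute": ["shell", "cscript", "changefilename"],
    "obfuscation": ["base64decode", "tse64decode", "strreverse", "chr("],
}
IP_EXE_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/\S*\.exe", re.I)
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')   # quoted base64-looking strings

def scan_vba(text: str) -> dict:
    """Flag suspicious calls in decoded VBA text and decode base64 literals that hide download links."""
    low = text.lower()
    hits = {cat: [k for k in keys if k in low] for cat, keys in INDICATORS.items()}
    hits = {cat: ks for cat, ks in hits.items() if ks}
    decoded_urls = []
    for literal in B64_LITERAL.findall(text):
        try:
            plain = base64.b64decode(literal, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue                      # not valid base64, or not text: ignore
        if IP_EXE_URL.search(plain):
            decoded_urls.append(plain)
    # Autorun + network + file write + execute is the downloader pattern the post describes;
    # the threshold of 3 is an assumed triage cut-off, not a tool's setting.
    score = len(hits) + len(decoded_urls)
    return {"hits": hits, "decoded_urls": decoded_urls,
            "verdict": "suspicious" if score >= 3 else "review"}

# Constructed fragments modelled on the post's description; not a runnable macro.
B64_LINK = base64.b64encode(b"http://198.51.100.7/payload.exe").decode()   # reserved test address
SAMPLE_VBA = "\n".join([
    "Sub Auto_Open()",
    '    Set objHTTP = CreateObject("WinHttp.WinHttpRequest.5.1")',
    '    Set ado = CreateObject("ADODB.Stream")',
    f'    linkstring = tse64Decode("{B64_LINK}")',
    '    Shell "cscript y.js"',
    "End Sub",
])

if __name__ == "__main__":
    print(scan_vba(SAMPLE_VBA))
```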
Conclusion:
We have seen a document that claims to be legitimate and in reality downloads malware and renames files without the user’s knowledge. It is important to recognize these threats in order to protect personal data and files.
In this case the attacker has used various techniques for creating the malware, such as obfuscation and encoding. Even if not an executable itself, a document is still a very popular and underrated attack vector.