Can Document Files Be Trusted?

How a Single File Can Compromise Your Organization

In today's threat landscape there are many kinds of attacks, but one of the most common begins with a rogue email carrying a malicious document attachment. Most people fall into such traps because of a lack of awareness and a lack of proper email protection solutions.

TRIOX Security

Several file formats can be weaponized as the first stage of an attack to infiltrate an organization through email. In many cases the weaponized file is a doc, docx, docm, xls or xlsm file. In this article we explain what a downloader is and what a macro (specifically a VBA macro) is, and we present an investigation of a malicious MS Word file to strengthen understanding and awareness of such threats.


Prologue – Macros as a Malicious Service

Macros are a way of automating tasks such as data calculations, data formatting and much more. Looks legitimate, right? Not so fast. In reality an attacker can abuse macros to execute system commands, download malicious files and even deobfuscate the macro itself at runtime. When we refer to macros in the Microsoft Office suite (e.g. Word, Excel), we refer to VBA-based macros. Let us dissect a downloader.


What is a Downloader

In practical and simple terms, a downloader is a file that is executed first on the target (victim) system, usually with user interaction: once the malicious file is double-clicked, it downloads and executes the next stages of the malware. Good examples of malware that relies on this attack vector are banking trojans such as Emotet and Ursnif. Such malware does not exploit only the email vector, but we will stick to email for the sake of this article.


Brief Technical Analysis

We decided to do a brief analysis of a simple downloader that we found on VirusTotal. Let's start with basic threat intelligence.

Below you can see the high detection rate of our specimen, dubbed DDqFM.docm:



And an interesting domain name, hxxp://, that we will try to cross-reference in the VBA of the malicious Word document:



A simple WHOIS search shows that the attackers who crafted this malicious document used a free Dynamic DNS service dubbed (funny name for such a service). Below is a screenshot of the Dynamic DNS service provider:


Enough with threat intelligence, let’s dig into the file.

First of all, we validate the file based on its file-format magic value:


As we can see, the file header starts with the magic value PK (0x504B0304), the ZIP local file header signature, which indicates that the specimen is a ZIP-compressed (Office Open XML) Word document, i.e. a docm file.

Furthermore, when we open the file with a ZIP-capable file explorer such as 7-Zip, we can view the inner file structure. Below we can see two VBA-related parts, vbaProject.bin and vbaData.xml, which indicate the use of VBA macros:

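The two checks just described, the PK magic value and the presence of vbaProject.bin / vbaData.xml inside the ZIP container, as an added triage script that is not part of the original article. The sample package built by `build_sample` is constructed in memory for demonstration and stands in for a real docm; the part names follow the Office Open XML layout.

```python
import io
import zipfile

# ZIP local-file-header signature ("PK\x03\x04"); docm, docx and xlsm are all ZIP containers.
ZIP_MAGIC = b"PK\x03\x04"

# Part names that reveal embedded VBA in an Office Open XML package: vbaProject.bin is the
# OLE container holding the macro modules, vbaData.xml its accompanying metadata.
VBA_SUFFIXES = ("vbaproject.bin", "vbadata.xml")


def triage_office_file(data: bytes) -> dict:
    """Check the magic value, then list any VBA parts found inside the ZIP container."""
    result = {"is_zip": data.startswith(ZIP_MAGIC), "has_vba": False, "vba_parts": []}
    if not result["is_zip"]:
        return result  # legacy OLE2 (.doc/.xls) or other formats need a different parser
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
    result["vba_parts"] = [n for n in names if n.lower().endswith(VBA_SUFFIXES)]
    result["has_vba"] = bool(result["vba_parts"])
    return result


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal Word-like package in memory (sample data, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # Stub OLE2 compound-file header standing in for the real vbaProject.bin.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 8)
            zf.writestr("word/vbaData.xml", "<wne:vbaSuppData/>")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_office_file(build_sample(flag)))
```

Presence of vbaProject.bin only tells you macros are embedded; the module source inside it is stored compressed and needs a dedicated extractor, as the following steps of the analysis show.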

At this point we will extract the relevant malicious VBA code. First we need the index of the relevant code streams so that we can extract and further analyze them; below you can see how we dumped the index list:


Here we notice that streams A3 and A4 are marked with the 'M' flag, indicating macro code that is executed when the victim double-clicks the document file.

Next, we dump the A3 and A4 data streams, as can be seen below:


Now that we have two files, we will analyze A3.bin because it contains the main malicious functionality of the downloader.

Below is a subroutine that tries to stop MS Word from warning the user about the use of macro code. This is done by manipulating two registry values, one for Excel and the other for MS Word:



Then there is a call to a function named MPS. Below is a screenshot of the MPS subroutine:


The above subroutine attempts to execute the next stage of the malware, which we will not discuss in this article. If the expected file does not exist under the download path (%temp%), the downloader attempts to download the next-stage file, dubbed "cache1.exe", by calling the subroutine named FDW. Below is a screenshot of the FDW subroutine:


The subroutine downloads the next stage of the attack, the "cache1.exe" executable, with a simple HTTP GET request from the hxxp:// domain and saves it under the %temp% path.
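The behaviour chain described in this section (an Office process changing its macro-security registry value, fetching an executable over HTTP GET, writing it to %temp% and launching it) as added endpoint detection logic; this is an example written for this page, not code from the article. The Sysmon-style events, the victim's %temp% path and the domain are constructed; the registry value name (`VBAWarnings` under the Office `Security` key) is an assumption, since the article does not name the two values it saw being changed.

```python
import re

OFFICE_IMAGES = ("winword.exe", "excel.exe")
TEMP_DIR = r"c:\users\victim\appdata\local\temp"  # constructed %temp% of the victim
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed Sysmon-style events (not telemetry from the article's sample).
EVENTS = [
    {"type": "registry_set", "image": WINWORD, "value": "1",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings"},  # assumed value name
    {"type": "network", "image": WINWORD, "method": "GET",
     "url": "http://example-ddns.invalid/cache1.exe"},
    {"type": "file_create", "image": WINWORD, "path": TEMP_DIR + r"\cache1.exe"},
    {"type": "process_create", "parent_image": WINWORD, "image": TEMP_DIR + r"\cache1.exe"},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe", "path": TEMP_DIR + r"\setup.exe"},
]

# Any write under the per-application Security key of Word or Excel is suspicious from Office itself.
MACRO_SECURITY_KEY = re.compile(r"\\office\\[\d.]+\\(word|excel)\\security\\", re.IGNORECASE)


def is_office(image: str) -> bool:
    return image.lower().rsplit("\\", 1)[-1] in OFFICE_IMAGES


def detect(events) -> list:
    """Return (rule, detail) tuples for events matching the downloader's behaviours."""
    alerts = []
    for e in events:
        kind = e["type"]
        if kind == "process_create":
            if is_office(e["parent_image"]) and e["image"].lower().startswith(TEMP_DIR):
                alerts.append(("office_spawns_temp_exe", e["image"]))
            continue
        if not is_office(e["image"]):
            continue  # only activity originating from Office is interesting here
        if kind == "registry_set" and MACRO_SECURITY_KEY.search(e["target"]):
            alerts.append(("office_macro_security_change", e["target"]))
        elif kind == "network" and e["method"] == "GET" and e["url"].lower().endswith(".exe"):
            alerts.append(("office_http_get_exe", e["url"]))
        elif kind == "file_create" and e["path"].lower().startswith(TEMP_DIR) \
                and e["path"].lower().endswith(".exe"):
            alerts.append(("office_drops_temp_exe", e["path"]))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule}: {detail}")
```

The last constructed event (explorer.exe writing setup.exe) is deliberately not flagged, showing that the rules key on the Office process as the actor rather than on %temp% alone.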


Epilogue – This is Not The End

In this article we briefly explained and analyzed a malicious VBA macro-based downloader. As we have seen, such malicious payloads mainly infiltrate organizations through email. We recommend that you test your organization against such attacks.

Ask us about our security awareness services, tailored phishing campaigns, and security readiness services to defend your organization against next-generation threats: