
formats_vs_techniques

decalage2 edited this page Feb 8, 2022 · 7 revisions

File formats, Techniques and Tools

This table shows the various techniques that can be used in malicious documents to trigger code execution, and the file formats in which they can be embedded. The last row suggests tools that can detect and analyse each technique.

Each technique is described below the table.

This is work in progress; not all combinations have been thoroughly tested (untested combinations are marked "?" in the table).

| File Format / Technique | VBA Macros | Excel 4 / XLM Macros | DDE | OLE Objects | Package OLE Objects | Remote Template (T1221) | Remote OLE object | customUI (remote macro) |
|---|---|---|---|---|---|---|---|---|
| Word 97-2003 (DOC) | X | - | X | X | X | X | X | ? |
| Word 2007+ (DOCX) | - | - | X | X | X | X | X | X |
| Word 2007+ macro-enabled (DOCM) | X | - | X | X | X | X | X | X |
| Excel 97-2003 (XLS) | X | X | X | X | X | ? | X | ? |
| Excel 2007+ (XLSX) | - | ? | X | X | X | ? | X | X |
| Excel 2007+ macro-enabled (XLSM) | X | X | X | X | X | ? | X | X |
| Excel 2007+ Binary (XLSB) | X | X | X | X | X | ? | X | X |
| PowerPoint 97-2003 (PPT) | X | - | ? | X | X | ? | X | ? |
| PowerPoint 2007+ (PPTX) | - | - | ? | X | X | ? | X | X |
| PowerPoint 2007+ macro-enabled (PPTM) | X | - | ? | X | X | ? | X | X |
| RTF | - | - | X | X | X | X | X | ? |
| CSV | - | - | X | - | - | - | - | - |
| SLK | - | X | X | - | - | - | - | - |
| MHT (from Word) | X | ? | ? | X | X | ? | ? | ? |
| MHT (from Excel) | ? | ? | ? | ? | ? | ? | ? | ? |
| Word 2003 XML | X | - | X | X | X | ? | ? | ? |
| Word 2016 XML | X | - | X | X | X | ? | ? | ? |
| Excel 2003 XML | ? | ? | ? | ? | ? | ? | ? | ? |
| Publisher (PUB) | X | - | ? | X | X | ? | ? | ? |
| Visio (VSDX) | X | - | ? | ? | ? | ? | ? | ? |
| Tools | olevba, mraptor, ViperMonkey, oledump | olevba, oledump, XLMMacroDeobfuscator | msodde | oleobj, rtfobj | oleobj, rtfobj | oleobj | oleobj | oleobj |

Techniques

VBA Macros

VBA (Visual Basic for Applications) is a programming language used to automate tasks in Microsoft Office applications since 1997. VBA macros may be embedded into Word documents, Excel spreadsheets, PowerPoint presentations, etc. A VBA macro can be triggered automatically when opening or closing a file (after clicking “Enable Content”), and it can execute any action on the system such as dropping a file, executing a command, calling any DLL or ActiveX object. In practice, a VBA macro is just as powerful as any EXE.

More info: https://decalage.info/en/bheu2019

In 2022, Microsoft plans to disable VBA macros in files coming from the Internet, starting with Office365: https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805

Excel 4 / XLM Macros

Excel 4 Macros offer functionality and risks similar to those of VBA macros, but the language and the engine are completely different. XLM Macros are composed of formulas stored in cells, and they only run in Excel.

Some references:

XLM Macros are disabled by default since July 2021: https://techcommunity.microsoft.com/t5/excel-blog/excel-4-0-xlm-macros-now-restricted-by-default-for-customer/ba-p/3057905

DDE

DDE (Dynamic Data Exchange) is a Microsoft protocol that enables data sharing between applications. In some applications such as Word and Excel, it was found that DDE could be abused to launch any command. It is even possible to trigger code execution in Excel from a simple CSV file, by embedding specific formulas.

Some references:

The ability to launch arbitrary commands using DDE has been progressively disabled by default in Word (2017) and then Excel (2022): https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV170021

OLE Objects

OLE is a Microsoft protocol used to embed data from one application into a file from another application. For example, it can be used to embed an Excel chart into a Word document. In general, OLE objects cannot trigger the execution of arbitrary code or commands. However, in the past many vulnerabilities have been exploited through OLE objects. For example, the vulnerability CVE-2017-11882 in the MS Equation Editor has been actively exploited by embedding malformed Equation OLE objects into Word and RTF documents.

OLE Package objects

TODO

Remote Template

TODO (T1221)

Remote OLE object

TODO
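As an added example (not code from oletools or from this wiki), here is a small Python scanner that checks an OOXML container (DOCX/XLSX/PPTX) for three of the techniques in the table: a vbaProject.bin part (VBA Macros), an external attachedTemplate relationship (Remote Template, T1221) and an external oleObject relationship (Remote OLE object). The relationship type URIs are the standard OOXML ones; the minimal sample container and the example.invalid URL are constructed here for offline testing and are not real documents.

```python
"""Scan an OOXML container (DOCX/XLSX/PPTX) for techniques from the table above."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
ATTACHED_TEMPLATE = OFFICE_REL + "attachedTemplate"
OLE_OBJECT = OFFICE_REL + "oleObject"

def scan_ooxml(data: bytes) -> dict:
    """Return {technique: [details]} for what the zip container alone reveals."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # VBA macros live in a binary OLE part, e.g. word/vbaProject.bin or xl/vbaProject.bin
        vba = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if vba:
            findings["VBA Macros"] = vba
        # Links to external resources are declared in *.rels parts with TargetMode="External":
        # an attachedTemplate relationship is a remote template (T1221),
        # an oleObject relationship is a remote OLE object
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue
                detail = f"{name}: {rel.get('Target', '')}"
                if rel.get("Type") == ATTACHED_TEMPLATE:
                    findings.setdefault("Remote Template", []).append(detail)
                elif rel.get("Type") == OLE_OBJECT:
                    findings.setdefault("Remote OLE object", []).append(detail)
    return findings

def build_sample(rels_xml: str, with_vba: bool = False) -> bytes:
    """Constructed minimal container for offline testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/_rels/settings.xml.rels", rels_xml)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only, placeholder
    return buf.getvalue()

REMOTE_TEMPLATE_RELS = (
    f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
    'Target="http://template.example.invalid/t.dotm" TargetMode="External"/></Relationships>'
)
```

Run `scan_ooxml(build_sample(REMOTE_TEMPLATE_RELS, with_vba=True))` to see both the VBA part and the external template reported; for real files, pass the file's bytes instead of the constructed sample.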

customUI (remote macro)

TODO