Thursday, April 2, 2015

Evolution of the macro enabled document (XML files and oledump-ception)

Looks like the miscreants have changed their tactics slightly, yet again.

I hope you're all familiar with the macro enabled document. If not, I analyzed one here:

They pretty much all followed the same pattern, almost to a T, for several months. Then they made a slight modification. At first it mystified me a bit: while it made my analysis slightly harder, it should also have made it more obvious, even to less technical users, that the file was bad.

It made analysis more difficult because the file showed up as plain XML, not as OpenXML or any other Office file type, so my automated tools (at the time) didn't extract the macros and I was forced to rely more on dynamic analysis. I'll discuss how that got fixed later...

So at first, all they did was save the document as XML (the Word 2003 XML format) with the macro still embedded, and set the <?mso-application progid="Word.Document"?> processing instruction at the top so that Windows opens the file in Word rather than in an XML viewer. Word would then show the "Enable Content" button as per usual, and so on. You could easily see that it was macro enabled, however...
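As an added example (this is not code from the original post and not oledump itself), here is a small Python triage script that does what my tooling at the time did not: it looks for the mso-application processing instruction, pulls the base64 blob out of the w:binData element (conventionally named editdata.mso) under w:docOleData, and unwraps the ActiveMime container to get the OLE file that holds the VBA project. The 50-byte ActiveMime header length is the offset oledump.py uses and is an assumption for anything else that produces these files; the sample document it builds is constructed inline, with a fake OLE payload (just the compound-file signature and a marker string, no real macro), so it runs offline.

```python
import base64
import re
import zlib
import xml.etree.ElementTree as ET

# Word 2003 XML ("WordML") namespace; macros live in a w:binData element
# (conventionally named editdata.mso) under w:docOleData.
WORDML_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # OLE2 compound file signature
ACTIVEMIME_MAGIC = b"ActiveMime"
# Assumption: the zlib stream starts 50 bytes into the ActiveMime container,
# which is the offset oledump.py uses when it unwraps editdata.mso.
ACTIVEMIME_HEADER_LEN = 50

PROGID_RE = re.compile(rb'<\?mso-application\s+progid="([^"]+)"\s*\?>')


def office_progid(data: bytes):
    """Return the progid from the mso-application PI, or None if absent.
    ElementTree drops top-level processing instructions, so scan raw bytes."""
    m = PROGID_RE.search(data)
    return m.group(1).decode("ascii", "replace") if m else None


def extract_bindata(data: bytes):
    """Map every w:binData name to its base64-decoded bytes."""
    root = ET.fromstring(data)
    blobs = {}
    for el in root.iter("{%s}binData" % WORDML_NS):
        name = el.get("{%s}name" % WORDML_NS, "")
        blobs[name] = base64.b64decode("".join((el.text or "").split()))
    return blobs


def unwrap_activemime(blob: bytes) -> bytes:
    """If the blob is an ActiveMime container, inflate it to the OLE file inside;
    otherwise hand it back untouched."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        return blob
    return zlib.decompress(blob[ACTIVEMIME_HEADER_LEN:])


def triage(data: bytes):
    """Return (progid, [(name, is_ole, payload), ...]) for one XML file."""
    findings = []
    for name, blob in extract_bindata(data).items():
        payload = unwrap_activemime(blob)
        findings.append((name, payload.startswith(OLE_MAGIC), payload))
    return office_progid(data), findings


def build_sample() -> bytes:
    """Constructed sample, not a real malicious document: the OLE payload is
    only the compound-file signature plus a marker string, not real VBA."""
    fake_ole = OLE_MAGIC + b"\x00" * 24 + b"CONSTRUCTED-VBA-STUB"
    container = (ACTIVEMIME_MAGIC
                 + b"\x00" * (ACTIVEMIME_HEADER_LEN - len(ACTIVEMIME_MAGIC))
                 + zlib.compress(fake_ole))
    b64 = base64.b64encode(container)
    return (b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
            b'<?mso-application progid="Word.Document"?>\n'
            b'<w:wordDocument xmlns:w="' + WORDML_NS.encode() + b'">'
            b'<w:docOleData><w:binData w:name="editdata.mso">' + b64
            + b'</w:binData></w:docOleData>'
            b'<w:body><w:p><w:r><w:t>Please enable content</w:t></w:r></w:p></w:body>'
            b'</w:wordDocument>')


if __name__ == "__main__":
    progid, findings = triage(build_sample())
    print("progid:", progid)
    for name, is_ole, payload in findings:
        print("%s: %d bytes, OLE container: %s" % (name, len(payload), is_ole))
        # The recovered OLE bytes are what you feed to oledump.py (or olefile)
        # to list streams and dump the VBA source.
```

The check a triage pipeline wants is the pair of signals together: a file that is plain XML by magic but carries an mso-application progid and a binData blob that inflates to an OLE container is a macro document whatever its extension says. Write the recovered payload to disk and run oledump.py over it as you would over a .doc.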