formats_vs_techniques
This table shows the various attack techniques that can be used in malicious documents to trigger code execution, and the file formats in which they can be embedded. The last row suggests tools that can detect and analyse each technique.
Each technique is described below the table.
This is work in progress, not all combinations have been thoroughly tested.
| File Format / Technique | VBA Macros | Excel 4 / XLM Macros | DDE | OLE Objects | Package OLE Objects | Remote Template (T1221) | Remote OLE object | customUI (remote macro) |
|---|---|---|---|---|---|---|---|---|
| Word 97-2003 (DOC) | X | - | X | X | X | X | X | ? |
| Word 2007+ (DOCX) | - | - | X | X | X | X | X | X |
| Word 2007+ macro-enabled (DOCM) | X | - | X | X | X | X | X | X |
| Excel 97-2003 (XLS) | X | X | X | X | X | ? | X | ? |
| Excel 2007+ (XLSX) | - | ? | X | X | X | ? | X | X |
| Excel 2007+ macro-enabled (XLSM) | X | X | X | X | X | ? | X | X |
| Excel 2007+ Binary (XLSB) | X | X | X | X | X | ? | X | X |
| PowerPoint 97-2003 (PPT) | X | - | ? | X | X | ? | X | ? |
| PowerPoint 2007+ (PPTX) | - | - | ? | X | X | ? | X | X |
| PowerPoint 2007+ macro-enabled (PPTM) | X | - | ? | X | X | ? | X | X |
| RTF | - | - | X | X | X | X | X | ? |
| CSV | - | - | X | - | - | - | - | - |
| SLK | - | X | X | - | - | - | - | - |
| MHT (from Word) | X | ? | ? | X | X | ? | ? | ? |
| MHT (from Excel) | ? | ? | ? | ? | ? | ? | ? | ? |
| Word 2003 XML | X | - | X | X | X | ? | ? | ? |
| Word 2016 XML | X | - | X | X | X | ? | ? | ? |
| Excel 2003 XML | ? | ? | ? | ? | ? | ? | ? | ? |
| Publisher (PUB) | X | - | ? | X | X | ? | ? | ? |
| Visio (VSDX) | X | - | ? | ? | ? | ? | ? | ? |
| Tools | | | msodde | oleobj | oleobj | oleobj | | |
VBA (Visual Basic for Applications) is a programming language used to automate tasks in Microsoft Office applications since 1997. VBA macros may be embedded into Word documents, Excel spreadsheets, PowerPoint presentations, etc. A VBA macro can be triggered automatically when opening or closing a file (after clicking “Enable Content”), and it can execute any action on the system such as dropping a file, executing a command, calling any DLL or ActiveX object. In practice, a VBA macro is just as powerful as any EXE.
More info: https://decalage.info/bheu2019
Since 2023, MS Office applications fully block VBA macros when a file is marked as coming from the Internet (e.g. downloaded or attached to an email, which adds the "Mark of the Web", aka MOTW, to the file). As a result, this technique is used much less by attackers than it used to be.
However, there are still some cases where VBA macros can run, e.g. when the attacker manages to access an email account in a company or a SharePoint server, or when the user can be convinced to copy the file to a trusted location.
Excel 4 Macros offer functionality and risks similar to VBA macros, but the language and the engine are completely different. XLM macros are composed of formulas in cells, and they only run in Excel.
Some references:
- https://outflank.nl/blog/2018/10/06/old-school-evil-excel-4-0-macros-xlm/
- https://outflank.nl/blog/2019/10/30/abusing-the-sylk-file-format/
- https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/
XLM macros have been disabled by default since July 2021: https://techcommunity.microsoft.com/t5/excel-blog/excel-4-0-xlm-macros-now-restricted-by-default-for-customer/ba-p/3057905
DDE (Dynamic Data Exchange) is a Microsoft protocol that enables data sharing between applications. In some applications such as Word and Excel, it was found that DDE could be abused to launch any command. It is even possible to trigger code execution in Excel from a simple CSV file, by embedding specific formulas.
Some references:
- https://www.contextis.com/us/blog/comma-separated-vulnerabilities
- https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/
- https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
- https://docs.microsoft.com/en-us/security-updates/securityadvisories/2017/4053440
The ability to launch arbitrary commands using DDE has been progressively disabled by default in Word (2017) and then Excel (2022): https://msrc.microsoft.com/update-guide/en-US/vulnerability/ADV170021
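As an added defensive example (not part of the original page), the following Python scans CSV cells for content that Excel would evaluate, flags DDE-shaped formulas separately from ordinary formulas, and shows the usual export-side mitigation of prefixing such cells with a single quote. The sample rows and the `prog`/`args` names are constructed placeholders.

```python
import csv
import io
import re

# Leading characters that make Excel evaluate a CSV cell as a formula
FORMULA_TRIGGERS = ("=", "+", "-", "@")
# DDE-style formula shape: =application|'topic'!item (pipe plus bang)
DDE_PATTERN = re.compile(r"^[=+\-@]\s*[\w.]+\s*\|.*!")


def classify_cell(cell: str) -> str:
    """Return 'dde', 'formula' or 'text' for one CSV cell."""
    stripped = cell.lstrip(" \t\r\n")
    if DDE_PATTERN.match(stripped):
        return "dde"
    try:                      # plain numbers such as -12.50 are not formulas
        float(stripped)
        return "text"
    except ValueError:
        pass
    if stripped.startswith(FORMULA_TRIGGERS):
        return "formula"
    return "text"


def scan_csv(text: str) -> list:
    """Return (row, col, kind, cell) for every cell Excel would evaluate."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            kind = classify_cell(cell)
            if kind != "text":
                findings.append((r, c, kind, cell))
    return findings


def neutralise_cell(cell: str) -> str:
    """Common mitigation when exporting CSV: prefix a formula-looking cell
    with a single quote so Excel stores it as text instead of evaluating it."""
    return cell if classify_cell(cell) == "text" else "'" + cell


# Constructed sample rows (not from the page); 'prog'/'args' are placeholders
SAMPLE_CSV = (
    "name,amount,note\n"
    "Alice,-12.50,\"=prog|'args'!A0\"\n"
    "Bob,20,=SUM(A1:A2)\n"
    "Carol,5,plain text\n"
)

if __name__ == "__main__":
    for r, c, kind, cell in scan_csv(SAMPLE_CSV):
        print(f"row {r} col {c}: {kind}: {cell!r} -> {neutralise_cell(cell)!r}")
```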
OLE is a Microsoft protocol used to embed data from one application into a file from another application. For example, it can be used to embed an Excel chart into a Word document. In general, OLE objects cannot trigger the execution of arbitrary code or commands. However, many vulnerabilities have been exploited in the past via malformed OLE objects. For example, the vulnerability CVE-2017-11882 in the MS Equation Editor has been actively exploited by embedding malformed Equation OLE objects into Word and RTF documents.
A Package object is a specific type of OLE object that can be used to store any kind of file in a document. It can be simply created by dragging and dropping a file in Word or Excel, for example. When the user double-clicks on the Package object in a document, the file is extracted into a temporary directory and opened (after user confirmation), which can lead to malicious code execution.
Since 2020, MS Office applications can detect executable files and refuse to open them, so this technique is almost never used anymore. However, new file formats may still be found that bypass that filter.
The Remote Template technique cannot trigger code execution by itself, but it is often used to send a first innocuous document by email, which contains a link to a template file on the Internet. The template file is then automatically downloaded and opened, and it may contain a malicious payload such as VBA macros or an exploit.
This technique is described in MITRE ATT&CK as Template Injection (T1221).
Instead of embedding an OLE object inside a document, it is possible to provide a URL where the OLE object is located. When the document is opened and the object is activated, MS Office attempts to download the OLE object.
Since MS Office uses the old Internet Explorer engine instead of Edge to download remote objects, this feature has been abused to trigger vulnerabilities such as CVE-2021-40444 and CVE-2022-30190 (Follina).
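Added example, not from the page or from the oletools project: a small Python check for the Remote Template and Remote OLE object techniques described above. It scans every `.rels` part of an OOXML package for `TargetMode="External"` relationships of the two types Office would fetch from outside the file; the sample package and the example.invalid URL are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # use defusedxml for untrusted files in production

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
# Relationship types that make Office fetch content from outside the package
SUSPICIOUS_TYPES = {
    REL_BASE + "attachedTemplate": "remote template (T1221)",
    REL_BASE + "oleObject": "remote OLE object",
}


def find_external_relationships(package: bytes) -> list:
    """Return (rels part, label, target) for every TargetMode="External"
    relationship of a suspicious type in any .rels part of an OOXML file."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue          # internal parts are normal and ignored
                label = SUSPICIOUS_TYPES.get(rel.get("Type"))
                if label:
                    hits.append((name, label, rel.get("Target")))
    return hits


def build_sample_docx() -> bytes:
    """Constructed minimal package (not a real document, not from the page)
    whose settings part points at an external template, like a T1221 lure."""
    rels = (
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{REL_BASE}attachedTemplate" '
        'Target="http://example.invalid/template.dotm" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, label, target in find_external_relationships(build_sample_docx()):
        print(f"{part}: {label} -> {target}")
```

The same scan applies unchanged to XLSX and PPTX packages, since the relationship parts follow the same layout.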
CustomUI is not a code execution technique by itself, but an alternative way to trigger a VBA macro from a remote file.
Add-ins of this type are specific DLL files that can be attached to a document, and which may execute malicious code if the user accepts to install them. They can be provided as additional files together with the document, or downloaded remotely from a URL inserted in the document.
VBA add-ins are similar to documents containing VBA macros, meant to add custom features to Excel or PowerPoint. Excel VBA add-ins have the extension ".xlam" or ".xla", while PowerPoint VBA add-ins have the extension ".ppam" or ".ppa".