http://systemini-net.tweeterest.com/index.php/security/1766-renaming-office-files-is-enough-to-disguise-macro-malware

Renaming Office Files Is Enough to Disguise Macro Malware
Macros have been used since the mid 1990s to spread malware and infect systems. Increased user awareness of the need to disable the macro function within Microsoft Word during the late 90s and early 2000s sent this malware into decline. However, a change in Microsoft (MS) Office file formats dating from 2007 is now being actively exploited to hide the presence of macros and distribute malware at an increasing rate.

In this article, I show how MS Office file formats are being abused and obfuscated, and the extent of distribution of macro malware.

Figure 1: file utility identification of five separate Microsoft Word files

WHAT DO YOU MEAN BY MACROS IN DOCUMENT FILES?

Documents & Macros

Microsoft Office offers Visual Basic for Applications as a fully functional programming language that can be embedded within files to provide task automation. This functionality was abused by self-propagating viruses, such as Melissa in the late 1990s, which leveraged the power of macro functionality together with the default behavior of executing macros on open.

Beginning with MS Office 2003, this behavior was curtailed: macro execution was disabled by default and GUI pop-ups informed users when macros were present. MS Office 2007 took a gigantic step forward in macro protection by making the default MS Word document file format unable to support macros. To achieve this, Microsoft introduced four separate file formats based on the OfficeOpen XML standard:

File Extension   File Type             Macros Permitted
DOCX             compressed document   No
DOTX             compressed template   No
DOCM             compressed document   Yes
DOTM             compressed template   Yes

Unlike Unix-based operating systems, which inspect the file contents to determine the file type, MS Windows uses the file extension, i.e. the characters following the last ‘.’, as the basis for determining which application will open a file when the file is clicked. When MS Office is installed, it associates itself with the above extensions. Thus, all of the above file types will be opened by MS Word when clicked.

DOCX – THERE ARE NO MACROS HERE!

Figure 2: Attempting to save macro code to a DOCX

DOC files, used by MS Word prior to MS Office 2007, allowed numerous components, including macros, to be embedded within the document. Users couldn’t be certain that a document was safe before opening the file. The OfficeOpen XML (OOXML) standard integrated in MS Office 2007 removed this ambiguity. Each of these file formats is a zip archive that includes XML files according to a common layout.

The [Content_Types].xml component, found within the archive, provides the MIME type information for the other components within the file. Each of the four file formats supported by MS Word has a unique MIME type. Only two, those associated with DOCM and DOTM, can save or run macros. If the Content_Types component asserts the MIME type for DOCX or DOTX, then MS Word will not save or run macro code.

CAN I JUST RENAME MY DOCX TO DOCM TO ADD MACRO CODE?

One might reasonably ask if a DOCX can have macros added if the file is renamed to a DOCM. OOXML file formats are checked for agreement between the filename extension and the MIME type, thus the answer is ‘No’. When Microsoft Word begins to open a document, the filename is checked to see if the document is an OOXML file. Opening a false DOCM file will cause an error popup because the MIME type for DOCX is found inside the file data where the DOCM type is expected.

Figure 3: A renamed DOCM file being opened with a DOCX file name

File Extension   MIME Type
DOCX             application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml
DOCM             application/vnd.ms-word.document.macroEnabled.main+xml
DOTX             application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml
DOTM             application/vnd.ms-word.template.macroEnabledTemplate.main+xml

SO OOXML DOCUMENTS WITH MACROS MUST BE NAMED DOCM?

In general, MS Word opens files based on the file data, not based on the file name extension. So long as MS Word can identify the data structure, it will open the file correctly. If a file is identified as an MS Office 2007 file, the file must internally present the proper MIME type or it will cause a validation failure and the file will not open.

OOXML file types are validated by the MS Office component WWLIB.DLL, which confirms that the MIME type of the file is as expected. When the file extension does not hint at an OOXML file type, this step of validation always passes, even if the MIME type inside the file is an OOXML type. This means an OOXML document with macros included (DOCM or DOTM) will load successfully if it has a different filename extension. This is true even if OOXML files have non-OOXML file extensions, so long as MS Word is registered to handle the format. Hence, DOCM files containing embedded macros can be disguised as other file formats by changing the file extension. For example, the RTF file format does not support MS Office macro code, but a DOCM file renamed to RTF will open within MS Office and can run embedded macro code. This tactic is currently being exploited in the wild.

Figure 4: MIME Type Validation if DOCX File Name in WWLIB.DLL

Naive File Data Identification and OOXML

In May 2016, we s...
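As an added example (not the article's own code), the following Python check classifies a file the way a defender would want: from the content type declared in its [Content_Types].xml rather than from its extension, flagging macro-enabled OOXML packages whose extension claims otherwise (for instance a DOCM carrying an .rtf name). The extension mapping and the constructed in-memory sample packages are assumptions for illustration, not taken from the article.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# Content types from the article's table, mapped to the extension that legitimately carries each (assumed).
MACRO_ENABLED = {
    "application/vnd.ms-word.document.macroEnabled.main+xml": "docm",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml": "dotm",
}
MACRO_FREE = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml": "docx",
    "application/vnd.openxmlformats-officedocument.wordprocessingml.template.main+xml": "dotx",
}
CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"

def inspect_ooxml(filename, data):
    """Classify raw bytes from [Content_Types].xml, never from the extension; returns (type, has_vba, verdict)."""
    if not data.startswith(b"PK"):          # not a zip container, so not an OOXML package
        return None, False, "not-a-zip"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "[Content_Types].xml" not in names:
            return None, False, "zip-without-content-types"
        root = ET.fromstring(zf.read("[Content_Types].xml"))
    main_ct = None
    for override in root.iter(CT_NS + "Override"):   # locate the main document part's declared type
        ct = override.get("ContentType", "")
        if ct in MACRO_ENABLED or ct in MACRO_FREE:
            main_ct = ct
    has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)   # embedded VBA project part
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if main_ct in MACRO_ENABLED and ext != MACRO_ENABLED[main_ct]:
        verdict = "macro-enabled-content-disguised-as-" + (ext or "no-extension")
    elif main_ct in MACRO_ENABLED:
        verdict = "macro-enabled"
    elif main_ct in MACRO_FREE:
        verdict = "macro-free-type-but-vba-part-present" if has_vba else "macro-free"
    else:
        verdict = "unknown-ooxml"
    return main_ct, has_vba, verdict

def make_sample(content_type, with_vba):
    """Constructed minimal OOXML package for testing only; not a real Word document."""
    ct_xml = ('<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/word/document.xml" ContentType="{content_type}"/></Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct_xml)
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00constructed")   # placeholder, not real VBA
    return buf.getvalue()
```

Running `inspect_ooxml("invoice.rtf", make_sample(DOCM_TYPE, True))` reports the mismatch that Word's extension-gated WWLIB.DLL check lets through.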