![]() ![]() If we open the document without network connectivity (to prevent the automatic execution), we can spot where this object is located. The relationship with Id="rID6″ is loaded by the main document.xml file. Opening reveals an interesting external URL, pointing to another document. Since OpenXML files are archives, they can be decompressed to reveal their content.XML A quick check using oletools indicates that the file has the OpenXML format and no macros. The initial document was reported by on Twitter. The diagram below summarizes the different steps that this attack takes, from the original document all the way to the malware payload. Instead, the benign document acted as a kind of Trojan horse that made its way to the end user’s desktop, where it would finally show its real intent. While attackers could have sent the exploit-laced document first, that might have triggered detection and quarantine at the email gateway. Victims will be none-the-wiser as the infection process happens in the background, while their Word document finally loads what looks like legitimate content. The several-step removed payload is a commercial Remote Administration Tool that, in this case, is used for nefarious purposes. In this case, the unsuspecting user opening the decoy Word document will trigger an automatic (no click or interaction required) download of a malicious RTF file that deploys an exploit (CVE-2017-8759), which ends up distributing the final malware payload. Most malicious Microsoft Office documents involve either macros, embedded scripts, or exploits and are typically delivered via email. This then loads another document that contains an exploit. In this post, we take a look at a Microsoft Word document which itself is somewhat clean, but is used to launch a multi-stage attack that relies on the hyperlink feature in the OpenXML format. ![]()
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |