One of the many strategies cybercriminals use to infect their victims' computers is sending a document from the Office suite (a text document, spreadsheet, presentation, and so on) with malicious content. The document may be attached directly to an email or, in some cases, compressed inside another file, for example a ZIP archive. These decoy documents usually refer to everyday topics (invoices, receipts, etc.) so that the recipient believes the file is legitimate, opens it, and then follows whatever the document asks for, such as enabling its active content.

One thing worth paying attention to with these threats is the extension of the Office file, since the extension says what the file is designed to contain: the x-suffixed formats (.docx, .xlsx, .pptx) are meant to be macro-free, while the m-suffixed ones (.docm, .xlsm, .pptm) can carry macros, and the legacy binary formats (.doc, .xls, .ppt) can carry both macros and embedded objects. Below are the mechanisms these threats rely on most often.

▸Macros

A macro is a series of instructions grouped under a single command so that a task can be run automatically inside a document. Cybercriminals write macros (usually in Visual Basic for Applications, VBA) and place them inside documents for malicious purposes, typically hooking an event that fires on its own, such as AutoOpen or Document_Open in Word and Workbook_Open in Excel, so the code runs as soon as the document is opened. Because Office disables macros by default and asks the user to enable them, the decoy text in the document is usually there to persuade the user to click "Enable Content".

▸OLE or Object Linking and Embedding

OLE is a technology developed by Microsoft that allows an object from one document to be placed in another, for example a table from an Excel spreadsheet inside a Word document. The object can be linked, in which case the data stays in the source file and the document only holds a reference to it, or embedded, in which case a copy becomes part of the document and no longer depends on the source file. Criminals use embedded OLE objects to carry malicious code, for example a VBScript or JavaScript file or an executable packaged as an embedded object, which runs when the user double-clicks it and accepts the warning prompt.

▸Files whose extension ends in x (.docx, .xlsx, .pptx)

These are Office Open XML (OOXML) files, and the container is an ordinary ZIP archive, so we can open them with any compression/decompression tool. Once unzipped, we find a number of files. For example, [Content_Types].xml declares the content type of every part in the package; files ending in .rels (for example word/_rels/document.xml.rels) define the relationships between the different parts of the document, such as styles, footers, embedded objects or external links with a URL; and in a macro-enabled document (.docm, .xlsm, .pptm) the macros live in a binary part named vbaProject.bin. Looking at these parts is a quick way to tell what a document can do before opening it in Office.
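The following script is an added example, not code from the original article: it puts the three sections above (macros, OLE objects and the OOXML package layout) into practice by opening a document as a ZIP archive, reading [Content_Types].xml and every .rels part, and reporting the VBA project, embedded OLE objects and external relationship targets. The sample .docm package it analyzes is constructed inline (the vbaProject.bin and OLE parts are placeholder bytes, not real VBA or OLE streams) so the script runs offline; the URL in it is made up for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"

# Official OOXML/Office content types for the parts we care about
VBA_PROJECT_CT = "application/vnd.ms-office.vbaProject"
OLE_OBJECT_CT = "application/vnd.openxmlformats-officedocument.oleObject"


def part_content_types(zf: zipfile.ZipFile) -> dict:
    """Map every part in the package to its content type using
    [Content_Types].xml: an <Override PartName=...> entry wins, otherwise
    the <Default Extension=...> entry for the part's extension applies."""
    defaults, overrides = {}, {}
    if "[Content_Types].xml" in zf.namelist():
        root = ET.fromstring(zf.read("[Content_Types].xml"))
        for el in root.findall(CT_NS + "Default"):
            defaults[el.get("Extension", "").lower()] = el.get("ContentType", "")
        for el in root.findall(CT_NS + "Override"):
            overrides[el.get("PartName", "")] = el.get("ContentType", "")
    result = {}
    for name in zf.namelist():
        part = "/" + name
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        result[part] = overrides.get(part, defaults.get(ext, ""))
    return result


def external_relationships(zf: zipfile.ZipFile) -> list:
    """Collect every relationship with TargetMode="External" from all .rels
    parts; these are the places where the document reaches outside itself
    (hyperlinks, but also remote templates and linked OLE objects)."""
    found = []
    for name in zf.namelist():
        if not name.lower().endswith(".rels"):
            continue
        root = ET.fromstring(zf.read(name))
        for rel in root.findall(REL_NS + "Relationship"):
            if rel.get("TargetMode", "Internal") == "External":
                rel_type = rel.get("Type", "").rsplit("/", 1)[-1]
                found.append((name, rel_type, rel.get("Target", "")))
    return found


def triage_ooxml(data: bytes) -> dict:
    """Return the parts worth a closer look before opening the document."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        ctypes = part_content_types(zf)
        macros = [p for p, ct in ctypes.items() if ct == VBA_PROJECT_CT]
        # Match by part name as well, so the check does not rely solely on
        # [Content_Types].xml declaring the VBA project honestly
        macros += [p for p in ctypes
                   if p.lower().endswith("/vbaproject.bin") and p not in macros]
        ole = [p for p, ct in ctypes.items() if ct == OLE_OBJECT_CT]
        return {
            "macros": sorted(macros),
            "ole_objects": sorted(ole),
            "external_links": external_relationships(zf),
        }


def build_sample_docm() -> bytes:
    """Constructed sample (not a real malicious file): a minimal .docm layout
    with a VBA project, one embedded OLE object and one external hyperlink."""
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        '<Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/>'
        '<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>'
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        '</Types>'
    )
    package_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>'
        '</Relationships>'
    )
    document_rels = (
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        '<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>'
        '<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" Target="http://invoice.example/pay" TargetMode="External"/>'
        '</Relationships>'
    )
    cfb_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2/CFB header signature only, placeholder body
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("_rels/.rels", package_rels)
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", document_rels)
        zf.writestr("word/vbaProject.bin", cfb_magic)
        zf.writestr("word/embeddings/oleObject1.bin", cfb_magic)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_ooxml(build_sample_docm()).items():
        print(f"{key}: {value}")
```

To run it against a real file, replace `build_sample_docm()` with the bytes read from the suspicious document. A hit in `macros` or `ole_objects` does not by itself mean the file is malicious (plenty of legitimate documents carry both), but it does tell you exactly what the document can do before you open it, which is the information the extension alone only hints at.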

The best defence against these Office threats is to check the file before opening it: submit it to a service that scans files with multiple security products and lets you look a file up by its hash or by the URL it was downloaded from. Keep macro protection enabled in Office and do not click "Enable Content" on a document you were not expecting, no matter what the document itself says; that prompt is exactly what the decoy is designed to make you click.

It is important to remember that cybercriminals are constantly creating new evasion and obfuscation techniques, so some (or all) of these checks may not apply in a particular case. That is why it is important to stay informed and alert.

Further reading:
Macro Malware threats designed to fool the victims
VBA Stomping malicious spawn technique
Threats you face every day within E-mail
