Detecting DDE in MS Office documents

Remote Code Execution, Maldoc 1 Minute

Dynamic Data Exchange is an old Microsoft technology that can be (ab)used to execute code from within MS Office documents. Etienne Stalmans and Saif El-Sherei from Sensepost published a blog post in which they describe how to weaponize MS Office documents.

We wrote 2 YARA rules to detect this in Office Open XML files (like .docx):

Update 1: our YARA rules detected several malicious documents in-the-wild.

Update 2: we added rules for OLE files (like .doc) and updated our OOXML rules based on your feedback.

// YARA rules Office DDE
// NVISO 2017/10/10 - 2017/10/12
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
 
rule Office_DDEAUTO_field {
  strings:
    $a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
  condition:
    $a
}
 
rule Office_DDE_field {
  strings:
    $a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
  condition:
    $a
}

rule Office_OLE_DDEAUTO {
  strings:
    $a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}

rule Office_OLE_DDE {
  strings:
    $a = /\x13\s*DDE\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}

These rules can be used in combination with a tool like zipdump.py to scan XML files inside the ZIP container with the YARA engine:

The detection is based on regular expressions designed to detect fields containing the word DDEAUTO or DDE. By dumping the detected YARA strings with option –yarastringsraw, one can view the actual command:

Here is an example of the DDE rule firing:

You can also look for MS Office files containing DDE using this YARA rule in combination with ClamAV as described in this blog post.

Published by Didier Stevens

Published

52 thoughts on “Detecting DDE in MS Office documents

  1. Pingback: #microsoft is a gift that keeps giving.. To the #nsa et al. https:/… | Dr. Roy Schestowitz (罗伊)
  2. Pingback: YARA DDE rules: DDE Command Execution observed in-the-wild | NVISO LABS – blog
  3. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled – Professional Hackers
  4. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled – AnonymousMedia
  5. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled
  6. Pingback: Microsoft Office Attack Runs Malware Without Needing Macros - Groovy Cloud
  7. Pingback: La función incorporada de MS Office permite la ejecución de malware sin macros activada
  8. Pingback: SANS ISC Stormcast: Every day Community Safety Information Abstract; Cyber Safety Podcast | NETWORKFIGHTS.COM
  9. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled | TechNewsMix.com
  10. Pingback: Microsoft Office Attack Runs Malware Without Needing Macros | 95CN Security
  11. Pingback: Kritische Lücke in Microsoft Office ermöglicht Remote Code Execution - edv-tutorial
  12. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled – GeekFreak
  13. Pingback: Fitur Microsoft Office Ini Memungkinkan Eksekusi Malware Tanpa Mengaktifan Makro - Error 404 Cyber News
  14. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled - Amicki's Tech Store
  15. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled – Antivirus Studio
  16. Pingback: Macroless DOC malware that avoids detection with Yara rule – Furoner.CAT
  17. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled | DNN NEWS
  18. Pingback: Old MS Office feature weaponized in malspam attacks – Computer Security Articles
  19. Pingback: Old MS Office feature weaponized in malspam attacks | Computer Repair Newport RI 401-366-2249
  20. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled | ProDefence Security News | Website Protection | Antivirus - Firewall | Child Protection | Pc Protection
  21. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled – Cyber Security Research
  22. Pingback: Office DDEAUTO attacks – Secure Your Way | Professional IT Services & Consultation Firm
  23. Pingback: Malware abusing Microsoft Office DDE features - Koen Van Impe - vanimpe.eu

  24. Awesome work! It appears that older versions of MSWord (2007/2010 saving in XML-format) insert DDE using a SimpleField tag that won’t be caught by the regex above. Sample XML from a 2007 Word Doc:
    !Unexpected End of Formula

    a quick stab at a yara rule to catch it would be something like:
    $a = /w:instr=”\s*\b(DDE|DDEAUTO)\b.+;\s*”>/ nocase

    Reply

    1. The comment actually rendered the document XML sample in my original post. Here it is again using “code” meta-tag to (hopefully) avoid XML rendering:
      !Unexpected End of Formula

      Reply

    2. Trying again…replacing angle-brackets with square-brackets to avoid XML rendering:
      [w:fldSimple w:instr=” DDEAUTO c:\\Windows\\System32\\cmd.exe "/k calc.exe" “][w:r][w:rPr][w:b/][w:noProof/][/w:rPr][w:t]!Unexpected End of Formula[/w:t][/w:r][/w:fldSimple]

      Reply
  25. Pingback: MS Office Built-in Feature Allows Malware Execution Without Macros Enabled | Nastech
  26. Pingback: Overview of Content Published In October | Didier Stevens
  27. Pingback: Russian 'Fancy Bear' Hackers Using (Unpatched) Microsoft Office DDE Exploit - Sortiwa, Worlds largest web portal
  28. Pingback: Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit – NuclearCoffee
  29. Pingback: Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit – Security Newsfeeds
  30. Pingback: Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit | Nastech
  31. Pingback: Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit – AnonymousMedia
  32. Pingback: Fancy Bear Adopts New DDE Attack Against Microsoft Office - Security Boulevard
  33. Pingback: Russian 'Fancy Bear' Hackers Using (Unpatched) Microsoft Office DDE Exploit | TechNewsMix.com
  34. Pingback: Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit | Totally Secure
  35. Pingback: Russian 'Fancy Bear' Hackers Using (Unpatched) Microsoft Office DDE Exploit - Amicki's Tech Store
  36. Pingback: Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit – carding news
  37. Pingback: Microsoft Office Built-in Features Allow Malware Execution Without Enabling Macros - Cybcurity
  38. Pingback: Cybercriminals Are Taking Advantage Of Microsoft Office Vulnerability That Microsoft Doesn't Consider As Threatening - Cybcurity
  39. Pingback: Sicurezza informatica: Fancy Bear è tornato e stavolta sfrutta Office
  40. Pingback: Fonctionnalité intégrée de MS Office permettant l'exécution de programmes malveillants sans macros activées ~ Red Monarch News
  41. Pingback: Russian ‘Fancy Bear’ Hackers Using (Unpatched) Microsoft Office DDE Exploit | Rajveer Shinghania
  42. Pingback: Update: Kritische Lücke in Microsoft Office ermöglicht Remote Code Execution | ISecM #Austria
  43. Pingback: The Winter Games in Korea and Support from Sports-ISAO | Sports - ISAO
  46. Pingback: HIDDEN RISKS IN THE MICROSOFT OFFICE SUITE - Votiro
  47. Pingback: dde – secblog
  48. Pingback: Built-in Feature of MS Office Lets Malware Execute Itself Without Macros Enabled – Tech N Gadgets
  49. Pingback: Update: Kritische Lücke in Microsoft Office ermöglicht Remote Code Execution - edv-tutorial
  50. Pingback: DDE and oledump, (Sun, Feb 21st) « CyberSafe NV

Leave a Reply