Dynamic Data Exchange (DDE) is an old Microsoft inter-process communication protocol that can be abused to execute code from within MS Office documents, without any macros. Etienne Stalmans and Saif El-Sherei from Sensepost published a blog post (https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/) in which they describe how to weaponize MS Office documents this way.
We wrote 2 YARA rules to detect this in Office Open XML files (like .docx):
Update 1: our YARA rules detected several malicious documents in-the-wild.
Update 2: we added rules for OLE files (like .doc) and updated our OOXML rules based on your feedback.
// YARA rules Office DDE
// NVISO 2017/10/10 - 2017/10/12
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/

rule Office_DDEAUTO_field
{
    strings:
        $a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
    condition:
        $a
}

rule Office_DDE_field
{
    strings:
        $a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
    condition:
        $a
}

rule Office_OLE_DDEAUTO
{
    strings:
        $a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
    condition:
        uint32be(0) == 0xD0CF11E0 and $a
}

rule Office_OLE_DDE
{
    strings:
        $a = /\x13\s*DDE\b[^\x14]+/ nocase
    condition:
        uint32be(0) == 0xD0CF11E0 and $a
}
These rules can be used in combination with a tool like Didier Stevens' zipdump.py (option -y) to scan the XML files inside the ZIP container with the YARA engine:
The detection is based on regular expressions that look for fields containing the word DDEAUTO or DDE: the OOXML rules match the text between the begin and end <w:fldChar> markers, and the OLE rules match the binary field-begin marker (0x13) followed by the field instruction, up to the field separator (0x14). By dumping the matched YARA strings with option --yarastringsraw, one can view the actual command:
Here is an example of the DDE rule firing:
You can also look for MS Office files containing DDE using this YARA rule in combination with ClamAV as described in this blog post.
Awesome work! It appears that older versions of MSWord (2007/2010 saving in XML-format) insert DDE using a SimpleField tag that won’t be caught by the regex above. Sample XML from a 2007 Word Doc:
!Unexpected End of Formula
a quick stab at a yara rule to catch it would be something like:
$a = /w:instr="\s*\b(DDE|DDEAUTO)\b.+;\s*">/ nocase
The comment actually rendered the document XML sample in my original post. Here it is again using the "code" meta-tag to (hopefully) avoid XML rendering:
!Unexpected End of Formula
Trying again, replacing angle brackets with square brackets to avoid XML rendering:
[w:fldSimple w:instr=" DDEAUTO c:\\Windows\\System32\\cmd.exe "/k calc.exe" "][w:r][w:rPr][w:b/][w:noProof/][/w:rPr][w:t]!Unexpected End of Formula[/w:t][/w:r][/w:fldSimple]
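The following Python script is an added example, not code from the original post or from the comment thread. It re-implements the matching logic of the four YARA rules above with the standard library only (re, zipfile), so it runs without the yara module, and it extends them in the two ways discussed on this page: it also handles the <w:fldSimple w:instr="..."> form reported in the comment, and it reassembles an instruction that is split over several <w:instrText> runs, then prints the recovered command the way zipdump.py's --yarastringsraw would. For OLE files it scans the raw bytes just like the YARA rules do (so, like them, it can miss a field that straddles a sector boundary), and additionally looks for UTF-16 text, which the 8-bit-only OLE rules do not cover. The .docx and .doc samples are constructed in memory and are not real malware; the command line in them is the one from the comment.

```python
"""Scan Word documents (OOXML and OLE) for DDE/DDEAUTO field instructions."""
import io
import re
import zipfile
from html import unescape

# --- OOXML (.docx): WordprocessingML parts inside the ZIP container ---------
# Complex field: everything between a begin and an end fldChar; the instruction
# is carried by one or more <w:instrText> runs in front of the separator.
FLDCHAR_RE = re.compile(
    r'<w:fldChar\s+w:fldCharType="begin"/>(.*?)<w:fldChar\s+w:fldCharType="end"/>', re.S)
INSTRTEXT_RE = re.compile(r"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
# Simple field (older Word XML output): the instruction is the w:instr attribute.
FLDSIMPLE_RE = re.compile(r'<w:fldSimple\s[^>]*?w:instr="([^"]*)"', re.S)
# Same keywords as the YARA rules, as whole words, case-insensitive.
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)


def scan_wordml(xml: str) -> list:
    """Return the DDE/DDEAUTO field instructions found in one WordprocessingML part."""
    hits = []
    for body in FLDCHAR_RE.findall(xml):
        # Join the runs: Word (and attackers) may split the instruction over several.
        instr = unescape("".join(INSTRTEXT_RE.findall(body)))
        if DDE_RE.search(instr):
            hits.append(instr.strip())
    for instr in FLDSIMPLE_RE.findall(xml):
        instr = unescape(instr)
        if DDE_RE.search(instr):
            hits.append(instr.strip())
    return hits


def scan_docx(data: bytes) -> dict:
    """Scan every XML part of an OOXML container; returns {part name: [instructions]}."""
    results = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.lower().endswith(".xml"):
                hits = scan_wordml(zf.read(name).decode("utf-8", errors="replace"))
                if hits:
                    results[name] = hits
    return results


# --- OLE (.doc): field markers in the WordDocument text stream ---------------
OLE_MAGIC = b"\xD0\xCF\x11\xE0"  # uint32be(0) == 0xD0CF11E0 in the YARA rules
# In the binary text stream a field is \x13 <instruction> \x14 <result> \x15.
OLE_NARROW_RE = re.compile(rb"\x13\s*(DDE(?:AUTO)?\b[^\x14\x15]*)", re.I)  # 8-bit text
OLE_WIDE_RE = re.compile(rb"\x13\x00((?:[^\x14\x15]\x00)+)")  # UTF-16LE, ASCII range only


def scan_ole(data: bytes) -> list:
    """Return DDE/DDEAUTO field instructions found in the raw bytes of an OLE file."""
    if data[:4] != OLE_MAGIC:
        return []
    hits = [m.group(1).decode("latin-1").strip() for m in OLE_NARROW_RE.finditer(data)]
    for m in OLE_WIDE_RE.finditer(data):
        text = m.group(1).decode("utf-16-le", errors="replace")
        if DDE_RE.search(text):
            hits.append(text.strip())
    return hits


# --- Constructed samples (not real malware) ----------------------------------
CMD = r'c:\\Windows\\System32\\cmd.exe "/k calc.exe"'  # field syntax doubles backslashes


def build_docx() -> bytes:
    """Minimal .docx: DDEAUTO complex field, benign PAGE field, split-run DDE, DDEAUTO fldSimple."""
    q = CMD.replace('"', "&quot;")
    xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body>'
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        f'<w:r><w:instrText xml:space="preserve"> DDEAUTO {q} </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>!Unexpected End of Formula</w:t></w:r>'
        '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>1</w:t></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r><w:r><w:instrText xml:space="preserve"> DDE </w:instrText></w:r>'
        f'<w:r><w:instrText xml:space="preserve">{q}</w:instrText></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>'
        f'<w:p><w:fldSimple w:instr=" DDEAUTO {q} "><w:r><w:rPr><w:b/><w:noProof/></w:rPr>'
        '<w:t>!Unexpected End of Formula</w:t></w:r></w:fldSimple></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", xml)
    return buf.getvalue()


def build_ole(wide: bool) -> bytes:
    """OLE magic plus a 512-byte header, followed by a DDEAUTO field in binary field-marker syntax."""
    field = f" DDEAUTO {CMD} \x14!Unexpected End of Formula\x15"
    body = field.encode("utf-16-le") if wide else field.encode("latin-1")
    marker = b"\x13\x00" if wide else b"\x13"
    return OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 508 + marker + body


if __name__ == "__main__":
    for part, instrs in scan_docx(build_docx()).items():
        for instr in instrs:
            print(f"{part}: {instr}")
    for wide in (False, True):
        for instr in scan_ole(build_ole(wide)):
            print(f"ole ({'utf-16' if wide else '8-bit'}): {instr}")
```

The benign PAGE field in the sample shows that matching on the whole word DDE or DDEAUTO does not fire on ordinary fields, and the split-run field shows why the extracted string, not just the rule hit, is what an analyst wants to see: the YARA regex fires on the fragment, while only the joined runs reveal the full command.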