A while ago, a new technique was developed to execute arbitrary code via a Word document: an online video is embedded and the HTML code for the embedded video is modified with JavaScript that launches a Windows executable.
This technique does not rely on VBA macros and requires the use of the .docx format (for Word). This format is essentially a ZIP container with XML files, as can be seen with zipdump (a tool to analyze ZIP files):
Searching for keyword webVideoPr with an ad-hoc YARA rule can help identifying documents with online videos:
The embedded payload in Cymulate’s proof of concept document is a Windows executable (PE file) encoded in BASE64. As such, it’s easy to extract from document.xml and decode with a tool like base64dump:
We created two ClamAV rules to detect documents with online videos:
ClamAV.MSOffice-online-video.msSaveOrOpenBlob;Target:0;0&1&2&3;3C773A646F63756D656E7420786D6C6E733A7770633D22687474703A2F2F736368656D61732E6D6963726F736F66742E636F6D2F6F66666963652F776F72642F::i;776562566964656F5072;656D62656464656448746D6C;6D73536176654F724F70656E426C6F62::i ClamAV.MSOffice-online-video;Target:0;0&1&2;3C773A646F63756D656E7420786D6C6E733A7770633D22687474703A2F2F736368656D61732E6D6963726F736F66742E636F6D2F6F66666963652F776F72642F::i;776562566964656F5072;656D62656464656448746D6C
One is for documents with online videos, while the other one is for documents with online videos that use msSaveOrOpenBlob to launch arbitrary code.
This code execution technique relies on JavaScript, which means detection by our ClamAV rules can, of course, be evaded with appropriate JavaScript obfuscation.
2 thoughts on “Detecting and Analyzing Microsoft Office Online Video”