Talos: Office Macro Attacks Are on the Rise

- August 2, 2016

Cisco’s security research team Talos has discovered an increase in the number of attacks involving malicious macros embedded into Microsoft Office documents.

Macro malware has been around since the mid-1990s but has found new life in recent months. Talos Technical Lead Martin Lee explained in his blog post that Microsoft Office has made strides to stop macros from running automatically, but that a document crafted just right sidesteps Office's file-type validation and is opened anyway.

OOXML files are validated by the Office component WWLIB.DLL, which checks that the file's MIME (content) type is the one expected for its extension. When the extension does not indicate an OOXML type, that check always passes, even if the content is actually OOXML. An OOXML document containing macros (a DOCM or DOTM file) will therefore load successfully under a different filename extension, as long as Word is registered to handle that extension: Windows chooses the application from the extension, and Word then identifies the format from the file's contents rather than from its name.

The Talos team began tracking macro samples and noticed a rapid uptick in delivery over the past few months, along with a pattern: broadly the same four machine-obfuscated macros recurring across samples. The samples have usually been DOTM files ("Word Open XML Macro-Enabled Document Template"), but they were opened as DOCX files because of how they were crafted.

The file types in the samples Talos found are not limited to Word; the same OOXML formats exist for Excel and PowerPoint.

The Talos post focuses on Word but notes that PPTM files with embedded macros can masquerade as innocuous PPT presentations. Worse, the same technique can disguise Excel XLSM files with embedded macros as text-only CSV spreadsheets, which Excel will happily open, executing the included code.
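The extension-versus-content mismatch described above, for Word as well as for the Excel and PowerPoint variants, is exactly what a mail gateway or triage script should check for. The following Python script is an added example, not code from the Talos post or from Microsoft: it ignores the filename extension, reads the package's `[Content_Types].xml` and part list to decide whether the file is a macro-enabled OOXML document, and flags it when the extension does not match. The sample files it scans are constructed in memory (minimal packages with placeholder parts, not real malware); the content-type strings are the standard OOXML ones, while the set of "expected" macro extensions and the result field names are this example's own choices.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "{http://schemas.openxmlformats.org/package/2006/content-types}"
VBA_PART_TYPE = "application/vnd.ms-office.vbaProject"

# Standard OOXML content type of the package's main part -> format it declares.
MAIN_TYPES = {
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml": "DOCX",
    "application/vnd.ms-word.document.macroEnabled.main+xml": "DOCM",
    "application/vnd.ms-word.template.macroEnabledTemplate.main+xml": "DOTM",
    "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml": "XLSX",
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml": "XLSM",
    "application/vnd.openxmlformats-officedocument.presentationml.presentation.main+xml": "PPTX",
    "application/vnd.ms-powerpoint.presentation.macroEnabled.main+xml": "PPTM",
}
MACRO_FORMATS = {"DOCM", "DOTM", "XLSM", "PPTM"}
# Extensions under which a macro-enabled package is expected to arrive (this example's choice).
MACRO_EXTENSIONS = {"docm", "dotm", "xlsm", "xltm", "xlam", "pptm", "potm", "ppsm", "ppam"}


def inspect_ooxml(data: bytes, filename: str) -> dict:
    """Classify a file by its contents, then compare with its extension."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    result = {"filename": filename, "extension": ext, "is_ooxml": False,
              "declared_type": None, "has_vba_part": False,
              "macro_enabled": False, "extension_mismatch": False}
    if not data.startswith(b"PK\x03\x04"):      # OOXML packages are zip files
        return result
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return result
            result["is_ooxml"] = True
            root = ET.fromstring(zf.read("[Content_Types].xml"))
    except (zipfile.BadZipFile, ET.ParseError):
        return result
    # Collect every declared content type (Default and Override elements).
    types = {el.get("ContentType", "") for el in root
             if el.tag in (CT_NS + "Default", CT_NS + "Override")}
    for ct, label in MAIN_TYPES.items():
        if ct in types:
            result["declared_type"] = label
            break
    # A VBA project part is the strongest signal, whatever the main type says.
    result["has_vba_part"] = VBA_PART_TYPE in types or any(
        n.lower().endswith("vbaproject.bin") for n in names)
    result["macro_enabled"] = result["declared_type"] in MACRO_FORMATS or result["has_vba_part"]
    result["extension_mismatch"] = result["macro_enabled"] and ext not in MACRO_EXTENSIONS
    return result


def build_sample(main_type: str, with_vba: bool, main_part: str = "word/document.xml",
                 vba_part: str = "word/vbaProject.bin") -> bytes:
    """Constructed minimal OOXML package for demonstration only (placeholder parts, no real macro)."""
    overrides = ['<Override PartName="/%s" ContentType="%s"/>' % (main_part, main_type)]
    if with_vba:
        overrides.append('<Override PartName="/%s" ContentType="%s"/>' % (vba_part, VBA_PART_TYPE))
    content_types = ('<?xml version="1.0" encoding="UTF-8"?>'
                     '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr(main_part, "<placeholder/>")
        if with_vba:
            zf.writestr(vba_part, b"\xd0\xcf\x11\xe0 placeholder, not a real VBA project")
    return buf.getvalue()


DOCX_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
DOTM_TYPE = "application/vnd.ms-word.template.macroEnabledTemplate.main+xml"
XLSM_TYPE = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"


def scan_samples() -> dict:
    """Run the check over constructed samples covering the cases in the article."""
    samples = {
        "invoice.docx": build_sample(DOTM_TYPE, True),                     # DOTM disguised as DOCX
        "report.rtf": build_sample(DOTM_TYPE, True),                       # DOTM disguised as RTF
        "data.csv": build_sample(XLSM_TYPE, True, "xl/workbook.xml", "xl/vbaProject.bin"),
        "notes.dotm": build_sample(DOTM_TYPE, True),                       # honest extension
        "clean.docx": build_sample(DOCX_TYPE, False),                      # no macros at all
        "readme.txt": b"plain text, not a zip archive",
    }
    return {name: inspect_ooxml(data, name) for name, data in samples.items()}


if __name__ == "__main__":
    for name, r in scan_samples().items():
        verdict = "SUSPICIOUS: macro package under non-macro extension" if r["extension_mismatch"] else "ok"
        print(f"{name:13s} ooxml={r['is_ooxml']!s:5s} type={r['declared_type']} vba={r['has_vba_part']} -> {verdict}")
```

The point of the check is that it never trusts the name Windows used to pick the application; it reads the same content-type declarations Word reads. A file flagged here would normally be handed to a macro extractor such as oletools' olevba for a look at the actual VBA, and a gateway policy could simply refuse any macro-enabled package whose extension is not on the allowed list.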

Read the rest of the Talos writeup here.