New macros delivering malware push past Office defenses

Changing a document's file extension enables attackers to disguise DOCM files with embedded macros.
Changing a document's file extension enables attackers to disguise DOCM files with embedded macros.

A slew of new macros delivering malware have been detected hiding within Microsoft (MS) Office documents, according to Talos.

While not a new attack technique, the strategy saw a decline around 15 years ago owing to user awareness. However, this vector is again being actively exploited to disguise the presence of macros and spread malware "at an increasing rate."

Four distinct file formats based on the OfficeOpen XML (OOXML) standard were introduced in 2007 to replace the earlier version based on programming language Visual Basic for Applications. This step disabled macro execution by default and alerted users to the presence of macros with GUI popups.

Prior to the change, Word docs were allowed to embed macros within files, thus users were unaware whether a file was safe or not to open. But, the change to the OOXML standard, introduced zip archives that include XML files with MIME type information for the other components within the file. Only two, those with DOCM and DOTM, can save or run macros.

"When Microsoft Word begins to open a document the filename is checked to see if the document is an OOXML file," Talos explained. "Opening a false DOCM file will cause an error popup due to incorrect MIME type for DOCX being found inside the file data."

However, simply changing a document's file extension is now enabling attackers to disguise DOCM files with embedded macros and evade file type detection by Microsoft Office, the Talos researchers discovered.

“For example, the RTF file format does not support MS Office macro code, but a DOCM file renamed to RTF will open within MS Office and can run embedded macro code,” Talos said. The tactic, they added, is already being abused in the wild.

The researchers said they've detected a sharp spike in the deployment rate over the last several months.

The strategy can also be deployed within Excel and PowerPoint documents, they said.

Users should remain suspicious when receiving Office docs from unknown parties as ‘safe' file formats may still contain malicious code, they concluded.

You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

TOP COMMENTS