Can Document Files Be Trusted?

How a Single File Can Compromise Your Organization

By Uriel Kosayev (@MalFuzzer)

In today’s era, there are a variety of threats in the cyber landscape but one of the biggest threats out there mostly initially starts from a rogue email that is attached with a malicious document file. Most people fall into such traps due to a lack of awareness and lack of proper email protection solutions.

There are several file formats that can be weaponized as a first stage of the attack and infiltrate the organization through emails. In a lot of cases, the weaponized file will be based on Doc, Docx, Docm, XLS, or XLSM file formats. In this article, we will explain what is a downloader, what is a Macros (specifically VBA) and in addition, we will present an investigation of a malicious MS-word file to strengthen the understanding and awareness of such threats.

Prologue – Macros as a Malicious Service

Macros are a way of automating certain tasks such as data calculations, data formatting, and much more. Looks very legit right? Not so fast. In reality, an attacker can abuse Macros to execute system commands, download malicious files, and even deobfuscate itself in runtime. Specifically speaking, when we refer to macros in the Microsoft Office suite (e.g. Word, Excel) we refer to VBA-based Macros. Let us dissect some downloaders.

What is a Downloader

In a practical and simple language, a downloader is a file that is initially executed on a target (e.g. victim) system, mainly with the interaction of the user, after double-clicking the malicious file, it downloads and executes the next stages of the malware. A great example of malware that is based on this kind of attack vector is banker malware such as Emotet and Ursnif. In fact, such malware is not exploiting only the email vector, but we will stick to the email attack vector for the sake of the article.

Brief Technical Analysis

We decided to do a brief analysis of a simple downloader that we found in VirusTotal. Let’s start with basic threat intelligence.

Below you can see a high detection rate of our specimen dubbed as DDqFM.docm:

And an interesting domain name, hxxp:// that we will try to cross-reference in the VBA of the malicious word document file:

With a simple WHOIS search, we can understand that the attackers that crafted this malicious document used a free Dynamic DNS service dubbed as (funny name for such service). Below is a screenshot of the Dynamic DNS service provider:

Enough with threat intelligence, let’s dig into the file.

First of all, we’re going to validate the file based on its file format magic value:


As we can see, the file header starts with the magic value of PK (0x504B0304) that indicating that the specimen file is a compressed Word document (Docm) file.

Furthermore, when we open the file with a ZIP-like file explorer like 7-ZIP, we can view the inner file structure. Below we can see that there are two VBA streams that indicate that there is a use of Macros-VBA, vbaProject.bin, and vbaData.xml:

At this point, we will extract the relevant malicious VBA code. First, we need to get the index of the relevant malicious code streams so we extract it and further analyze it, below you can see that we used to dump the index list:

Here we can notice that the index of streams A3 and A4 are marked with the ‘M’ flag indicating Macro code that is executed when the document file gets double-clicked by the victim.

Next, we dump the A3 and A4 data streams as can be seen below:

Now we have two files, we will analyze the A3.bin file because it has the main malicious functionality of the downloader.

Below is a subroutine that tries to disable MS-Word from alerting a usage of Macro code. This is done with the help of manipulating two registry values, one for Excel the other for MS-Word:


Then, there is a call to a function named MPS. Below is a screenshot of the MPS subroutine:

The above subroutine basically attempts to execute the next stage of the malware that of course, we will not discuss for the sake of this article. If the attempted file does not exist under the desired downloaded path (A.K.A. %temp%), the downloader attempts to download the next stage file dubbed as “cache1.exe” by calling the next subroutine named FDW. Below is a screenshot of the FDW subroutine:

The subroutine attempts to download the stage of the attack, the “cache1.exe” executable file with a simple HTTP-GET request method from hxxp:// domain and save it under the %temp% path.

Epilogue – This is Not The End

In this article, we briefly explained and analyzed a malicious VBA Macros-based downloader. As we understood, such malicious payloads mainly infiltrate our organizations through emails. We recommend you test your organization against such attacks.