Didier Stevens

Monday 4 April 2022

.ISO Files With Office Maldocs & Protected View in Office 2019 and 2021

Filed under: maldoc,Malware,Uncategorized — Didier Stevens @ 0:00

We have seen ISO files being used to deliver malicious documents via email. There are different variants of this attack.

One of the reasons to do this, is to evade “mark-of-web propagation”.

When a file (attached to an email, or downloaded from the Internet) is saved to disk on a Windows system, Microsoft applications will mark this file as coming from the Internet. This is done with a ZoneIdentifier Alternate Data Stream (like a “mark-of-web”).

When a Microsoft Office application, like Word, opens a document with a ZoneIdentifier ADS, the document is opened in Protected View (e.g., sandboxed).

But when an Office document is stored inside an ISO file, and that ISO has a ZoneIdentifier ADS, then Word will not open the document in Protected View. That is something I observed 5 years ago.

But this has changed recently. When exactly, I don’t know (update: August 2021).

But when I open an Office document stored inside an ISO file marked with a ZoneIdentifier ADS, Office 2021 will open the document in protected view:

With an unpatched version of Office 2019, that I installed a year ago, that same file is not opened in Protected View:

After updating Office:

Word’s behavior has changed:

The file is now opened in Protected View.

If you want to test this yourself, you can use my ZoneIdentifier tool to easily settings a “mark-of-web” without having to download your test file from the Internet:

Or you can just add the ZoneIdentifier ADS with notepad.

I did the same test with Office 2016, I updated an old version and: the document is not opened in Protected View.

I don’t know exactly when Microsoft Office 2019 was updated so that it would open documents in Protected View when they are inside an ISO file marked as originating from the Internet. But if you do know, please post a comment.

Update: this change happened in August 2021. See comments below. Thanks Philippe.

Thursday 24 December 2020

Video: Using numbers-to-string.py To Analyze FireEye Maldocs

Filed under: My Software,video — Didier Stevens @ 0:00

I created a video where I use my updated numbers-to-string.py tool to analyze a maldoc created with FireEye’s red team tool.

Wednesday 14 November 2018

Video: Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt

Filed under: maldoc — Didier Stevens @ 0:00

I produced a video for my blog post “Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt“:

Thursday 25 October 2018

Analyzing PowerPoint Maldocs with oledump Plugin plugin_ppt

Filed under: maldoc,My Software — Didier Stevens @ 0:00

VBA macros inside a PowerPoint document are not stored directly inside streams, but as records in the “PowerPoint Document” stream. I have a plugin to parse the records of the “PowerPoint Document” stream, but I failed to extract the embedded, compressed OLE file with the macros. Until a recent tweet by @AngeAlbertini brought this up again. On his sample too I failed to extract the compressed OLE file, but then I remembered I had fixed a problem with zlib extraction in pdf-parser.py. Taking this code into plugin_ppt.py fixed the decompression problems.

VBA macros in a PowerPoint document do not appear directly in streams:

Plugin plugin_ppt parses records found in stream “PowerPoint Document”:

Each line represents a record, prefixed by an index generated by the plugin (to easily reference records). Records with a C indicator (like 1 and 435) contain sub-records. Records prefixed with ! contain an embedded object.

Record 441 (RT_ExternalOleObjectStg) interests us because it contains an OLE file with VBA macros.

Plugin option -s can be used to select this record:

Plugin option -a can then be used to do an hex/ascii dump:

The first four bytes are the size, and then follows the zlib compressed OLE file (as indicated by 0x78).

This OLE file can be decompressed and extracted with option -e, but pay attention to use option -q (quiet) so that oledump will only report the output of the plugin, and nothing else. This can then be piped into a second instance of oledump:

And now we can extract the VBA macros:

oledump_V0_0_38.zip (https)
MD5: C1D7F71A390497A516F67D798BA25128
SHA256: 4CADEE69D024E9242CDA0CE3A9C22BCB1CAFF9D5BA2D946519C6B7C18F895B81

Friday 14 October 2016

Analyzing Office Maldocs With Decoder.xls

Filed under: maldoc,Malware,My Software — Didier Stevens @ 13:27

There are Office maldocs out there with some complex payload decoding algorithms. Sometimes I don’t have the time to convert the decoding routines to Python, and then I will use the VBA interpreter in Excel. But I have to be careful not to execute the payload, just decode it. In the following video, I show how I do this.

Tools: oledump.py, decoder.xls

Sample: 2f918f49c3f926bb1538eaad6e8e6883

Wednesday 8 April 2015

Quickpost: Maldocs: VBA And Pastebin

Filed under: Malware — Didier Stevens @ 20:24

Since a day or two I’m seeing yet another trick used by malware authors in their VBA macros.

The sample I’m looking at is 26B857A0A57B89166584CBB7167CAA19.

The VBA macro downloads base64 encoded scripts from Pastebin:



The scripts are delimited by HTML-like tags like <text10>. Tags that start with stext are scripts for Windows XP systems, and tags that start with text are for Windows Vista and later. This difference is for Powershell: on XP, VBS scripts are executed, and on more recent systems, Powershell scripts are executed.

The URL of the payload comes from another Pastebin entry:


Correct: that trojan is hosted on Dropbox.

Quickpost info

Monday 2 January 2023

Overview of Content Published in 2022

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in 2022:

Blog posts: YouTube videos: Videoblog posts: SANS ISC Diary entries: NVISO blog posts: NVISO Videos:

Thursday 16 June 2022

Discovering A Forensic Artifact

Filed under: Forensics,Hacking,maldoc — Didier Stevens @ 0:00

While developing my oledump plugin plugin_olestreams.py, I noticed that the item moniker’s name field (lpszItem) values I observed while analyzing Follina RTF maldocs, had a value looking like _1715622067:

The number after the underscore (_), is derived from the timestamp when the item moniker was created. That timestamp is expressed as an epoch value in local time, to which a constant number is added: 61505155.

I figured this out by doing some tests. 61505155 is an approximation: I might be wrong by a couple of seconds.

Item name _1715622067 is the value you find in Follina maldocs created from this particular RTF template made by chvancooten. 1715622067 minus 61505155 is 1654116912. Converting epoch value 1654116912 to date & time value gives: Wednesday, June 1, 2022 8:55:12 PM. That’s when that RTF document was created.

RTF documents made from this template, can be detected by looking for string 0c0000005f3137313536323230363700 inside the document (you have to look for this hexadecimal string, not case sensitive, because OLE files embedded in RTF are represented in hexadecimal).

Notice that the newest template in that github repository is taken from a cve-2017-0199 RTF template document, and that it no longer contains a item moniker.

But it does contain another timestamp:

This hexadecimal string can also be used for detection purposes: 906660a637b5d201

I used the following YARA rules for a retrohunt (34 matches):

rule follina_rtf_template_1 {
        $a = "0c0000005f3137313536323230363700" nocase

rule follina_rtf_template_2 {
        $a = "906660a637b5d201" nocase

Notice that I do not include a test for RTF documents in my rules: these rules also detect Python program follina.py.

And if you are a bit familiar with the RTF syntax, you know that it’s trivial to modify such RTF documents to avoid detection by the above YARA rules.

Later I will spend some time to find the actual code that implements the generation of the item value _XXXXXXXXXX. Maybe you can find it, or you already know where it is located.

Sunday 1 May 2022

Overview of Content Published in April

Filed under: Announcement — Didier Stevens @ 10:16
Here is an overview of content I published in April:

Blog posts: YouTube videos: Videoblog posts: SANS ISC Diary entries: NVISO blog posts: NVISO Videos:

Wednesday 1 December 2021

Overview of Content Published in November

Filed under: Announcement — Didier Stevens @ 0:00
Here is an overview of content I published in November:

Blog posts: YouTube videos: Videoblog posts: SANS ISC Diary entries: NVISO blog posts:

Next Page »

Blog at WordPress.com.