Tuesday, July 21, 2020

Detecting Shapes In Office Documents

22 July 2020

From Red Teams to the feared "nation state" APT, malicious VBA macros remain a popular way to gain initial access. Prevention controls have been adopted to warn users or even disable macros altogether. But what if VBA had native functionality to download images (a very common action in documents) and those images carried malicious commands? More importantly, how would we go about detecting this technique when it is used for malicious purposes?


Greg Linares (@Laughing_Mantis) has written two great articles on this technique and how it could be used for evil. We will not re-cover what Greg has already explained in depth; instead we will look at the areas most likely to assist in detection.

Depending on your environment, downloading and inserting images into documents may be relatively common. Because VBA is so often used to execute malicious commands, defenders are well aware of the detection use cases needed to stop those techniques. As with lolbins, the Shapes and InlineShapes objects are native to the Office object model; this technique simply bends a legitimate feature, inserting a picture from a URL, to a nefarious purpose.

As defenders, we look for Windows API calls, PowerShell execution, spawned child processes and the like to identify suspect documents. InlineShapes.AddPicture produces none of those signals; the download happens inside the Word process itself and makes very little noise, so we have to roll up our sleeves and dig into what that process is doing.

How Do I Detect This?

For this post, I will be using Sysmon to log endpoint and network data, and Splunk to visualize and query the logs. This post assumes the suspect document has already been opened and macros have been allowed to run.

As stated above, we already know a Word document was opened, so we can skip the Splunk search for process creation (Sysmon Event ID 1) of winword.exe. What is of immediate interest is which DLLs, if any, winword.exe loaded (Sysmon Event ID 7, ImageLoad).

Again, macro use alone may not set off alarm bells in your environment, but seeing winword.exe load the VBA runtime (VBE7.DLL) tells us a macro was indeed executed by Word. Unfortunately, it tells us nothing about whether that macro was malicious.

Taking our detection route a step further, Sysmon's network connection events (Event ID 3) confirm that the Word process made a connection outside of our network. Note that the connection belongs to winword.exe itself, not to a spawned child, so rules keyed only on PowerShell or cmd.exe network activity will not see it. It may be malicious, or it may be standard practice, depending on what types of documents are being exchanged.

Taking a look at Zeek's http.log, we can confirm that an Office product, identified by its User-Agent rather than a browser's, made a request for a file with the extension ".emf". In the above screenshot, I also tested opening the document directly from Outlook, hence the two different User-Agents.
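The same check can be automated over http.log rather than eyeballed. The script below is an added example and is not code from the original post or from Greg's articles. It follows Zeek's ASCII log format, which announces its column names in a `#fields` directive, and flags requests whose User-Agent begins with "Microsoft Office" and whose URI ends in `.emf`. The log rows, hosts, uids and User-Agent strings are constructed for this example; the Office User-Agent values are illustrative and the column list is trimmed to the fields used here.

```python
"""Pick Office-initiated .emf requests out of a Zeek http.log.

The rows below are constructed for this example (hosts, uids and User-Agent
strings are illustrative, not captured traffic).  The parser itself follows
the real Zeek ASCII format: '#' directives, then tab-separated records whose
columns are named by the '#fields' line."""

# Subset of the real http.log columns, enough for this check.
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "method", "host", "uri", "user_agent", "status_code", "resp_mime_types"]

SAMPLE_ROWS = [  # constructed
    ["1595340132.554", "CHhAvVGS1DHFjwGM9", "10.0.0.25", "49812", "203.0.113.10", "80",
     "GET", "cdn.example.invalid", "/assets/logo.emf", "Microsoft Office Word 2014", "200", "-"],
    ["1595340201.118", "CmES5u32sYpV7JYN", "10.0.0.25", "49820", "203.0.113.10", "80",
     "GET", "cdn.example.invalid", "/assets/logo.emf", "Microsoft Office Outlook 2014", "200", "-"],
    ["1595340210.002", "C4J4Th3PJpwUYZZ6gc", "10.0.0.31", "51000", "198.51.100.7", "80",
     "GET", "www.example.invalid", "/index.html", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "200", "text/html"],
    ["1595340215.777", "CXWv6p3arKYeMETxOg", "10.0.0.31", "51002", "198.51.100.7", "80",
     "GET", "www.example.invalid", "/banner.emf", "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "200", "-"],
]


def render_zeek_log(fields, rows):
    """Emit the text of a Zeek ASCII log: header directives plus tab-separated rows."""
    lines = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
             "#unset_field\t-", "#path\thttp", "#fields\t" + "\t".join(fields)]
    lines += ["\t".join(r) for r in rows]
    lines.append("#close\t2020-07-21-14-10-00")
    return "\n".join(lines) + "\n"


def parse_zeek_log(text):
    """Yield one dict per record, keyed by the names given in the #fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue                      # other directives, #close, blank lines
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def office_emf_requests(text, mime_hint="emf"):
    """Return (ts, uid, orig_h, host, uri, user_agent) for every request made by an
    Office User-Agent for a URI ending in .emf (or, if Zeek sniffed it, an EMF MIME type)."""
    hits = []
    for rec in parse_zeek_log(text):
        ua = rec.get("user_agent", "-")
        if not ua.startswith("Microsoft Office"):
            continue
        uri = rec.get("uri", "-").split("?", 1)[0].lower()   # ignore any query string
        mime = rec.get("resp_mime_types", "-").lower()
        if uri.endswith(".emf") or mime_hint in mime:
            hits.append((rec["ts"], rec["uid"], rec["id.orig_h"], rec["host"], rec["uri"], ua))
    return hits


if __name__ == "__main__":
    for hit in office_emf_requests(render_zeek_log(FIELDS, SAMPLE_ROWS)):
        print(hit)
```

The extension is attacker-controlled, so the `.emf` match is the weaker half of the rule; the stronger half is that the requester is an Office User-Agent, which lines up with the winword.exe network event on the endpoint.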

From our logs we can see that the macro made a connection to an outside network, requested an .emf file, and left the downloaded file in Word's cache (on the endpoint this shows up as a file-create by winword.exe, Sysmon Event ID 11). As Greg's articles note, the EMF file can be deleted afterwards to prevent analysis. This was confirmed in my lab, and it explains the differing filenames among the screenshots.
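Each of the pieces above was found by hand in separate searches. The script below is an added example, not code from the original post, that stitches the Sysmon side together the way a correlation search would: for a single winword.exe process (grouped by ProcessGuid) it looks for the VBA runtime being loaded (Event ID 7), followed within a time window by an outbound connection (Event ID 3) and an .emf file being written (Event ID 11), and notes whether that file was then deleted (Event ID 23, available from Sysmon 11 onward). The events, GUIDs, addresses and cache path are constructed; the window size is an assumption to tune for your environment.

```python
"""Correlate Sysmon events from one winword.exe process into the chain the post
reconstructs by hand: VBA runtime loaded (Event 7) -> outbound connection
(Event 3) -> .emf written (Event 11) -> optionally the .emf deleted (Event 23).

All events below are constructed for this example; GUIDs, addresses and the
cache path are illustrative."""
from collections import defaultdict
from datetime import datetime, timedelta

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
VBA_RUNTIME = r"C:\Program Files\Common Files\Microsoft Shared\VBA\VBA7.1\VBE7.DLL"
EMF_PATH = r"C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Word\pic1.emf"

SAMPLE_EVENTS = [  # constructed
    # Process P1: the suspicious chain (macro ran, reached out, cached and then deleted an .emf).
    {"EventID": 1,  "UtcTime": "2020-07-21 14:02:10.101", "ProcessGuid": "{P1}", "Image": WORD},
    {"EventID": 7,  "UtcTime": "2020-07-21 14:02:12.554", "ProcessGuid": "{P1}", "Image": WORD,
     "ImageLoaded": VBA_RUNTIME},
    {"EventID": 3,  "UtcTime": "2020-07-21 14:02:13.002", "ProcessGuid": "{P1}", "Image": WORD,
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"EventID": 11, "UtcTime": "2020-07-21 14:02:13.310", "ProcessGuid": "{P1}", "Image": WORD,
     "TargetFilename": EMF_PATH},
    {"EventID": 23, "UtcTime": "2020-07-21 14:02:14.000", "ProcessGuid": "{P1}", "Image": WORD,
     "TargetFilename": EMF_PATH},
    # Process P2: a macro-enabled template that never touches the network.
    {"EventID": 7,  "UtcTime": "2020-07-21 14:05:00.000", "ProcessGuid": "{P2}", "Image": WORD,
     "ImageLoaded": VBA_RUNTIME},
    {"EventID": 11, "UtcTime": "2020-07-21 14:05:01.000", "ProcessGuid": "{P2}", "Image": WORD,
     "TargetFilename": r"C:\Users\alice\Documents\~WRL0001.tmp"},
    # Process P3: Word talking to the network with no macro involved.
    {"EventID": 3,  "UtcTime": "2020-07-21 14:06:00.000", "ProcessGuid": "{P3}", "Image": WORD,
     "Initiated": "true", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]

WINDOW = timedelta(minutes=5)   # assumption: how long after the VBE7.DLL load to accept follow-on events


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def is_word(ev):
    return ev.get("Image", "").lower().endswith("\\winword.exe")


def loaded_vba(ev):
    return ev["EventID"] == 7 and ev.get("ImageLoaded", "").lower().endswith("\\vbe7.dll")


def correlate(events, window=WINDOW):
    """Return one finding per winword.exe process that loaded the VBA runtime and, within
    `window`, both initiated a network connection and wrote an .emf file."""
    by_proc = defaultdict(list)
    for ev in events:
        if is_word(ev):
            by_proc[ev["ProcessGuid"]].append(ev)

    findings = []
    for guid, evs in by_proc.items():
        evs.sort(key=lambda e: parse_ts(e["UtcTime"]))
        start = next((e for e in evs if loaded_vba(e)), None)
        if start is None:
            continue                                   # no macro runtime, nothing to chain
        t0 = parse_ts(start["UtcTime"])
        later = [e for e in evs if t0 <= parse_ts(e["UtcTime"]) <= t0 + window]
        net = [e for e in later if e["EventID"] == 3 and e.get("Initiated") == "true"]
        created = [e["TargetFilename"] for e in later
                   if e["EventID"] == 11 and e.get("TargetFilename", "").lower().endswith(".emf")]
        if not (net and created):
            continue
        deleted = {e.get("TargetFilename") for e in later if e["EventID"] == 23}
        findings.append({
            "process_guid": guid,
            "vba_loaded": start["UtcTime"],
            "destinations": [f'{e["DestinationIp"]}:{e["DestinationPort"]}' for e in net],
            "emf_files": created,
            "emf_deleted": any(f in deleted for f in created),   # anti-forensics noted in the post
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The two decoy processes show why each link matters: a macro that stays local (P2) and a Word process that talks to the network without loading VBA (P3) are both left alone. The `emf_deleted` flag is the cue to pull the file from the cache, or a backup, before the trail disappears.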

Depending on what commands the EMF carries, time is of the essence: identify the cache location of the file and get eyes on it before the macro cleans it up.

After opening the file again, I was able to get a look at the interesting strings returned from one of the EMF files. Note that this test file is not malicious and merely helps us identify the behavior of this technique. I am looking forward to updates from Greg on what can be done with these EMF files.
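Rather than running `strings` blindly over the cached file, it helps to know where free-form text can live inside an EMF. The script below is an added example, not code from the original post or from Greg's articles. It walks the record list of an EMF as laid out in the published EMF format (each record begins with a 4-byte type and a 4-byte size), checks the header signature, decodes the header's UTF-16 description string, and pulls printable runs out of EMR_COMMENT records, which can carry arbitrary bytes. The EMF it parses is constructed inline, with a harmless marker string where a payload would sit; record type values and header field offsets are taken from the format specification.

```python
"""Walk the records of an EMF file and pull out the places free-form text can hide:
the header's description string and any EMR_COMMENT records.

The EMF built below is constructed for this example (a valid header, one comment
record, one EOF) and carries a harmless marker string, not a payload."""
import struct

EMR_HEADER, EMR_COMMENT, EMR_EOF = 0x01, 0x46, 0x0E   # record types per the EMF format
EMF_SIGNATURE = 0x464D4520                            # ' EMF' as a little-endian DWORD at offset 40


def _pad4(b):
    return b + b"\0" * (-len(b) % 4)                  # records are padded to 4-byte multiples


def build_sample_emf(description="Lab test\0Word\0\0", comment=b"CONSTRUCTED-EXAMPLE-MARKER"):
    """Return the bytes of a minimal, structurally valid EMF (constructed sample)."""
    desc = description.encode("utf-16-le")
    hdr_size = 88 + len(_pad4(desc))                  # fixed header is 88 bytes, description follows
    body = b"".join([
        struct.pack("<II", EMR_COMMENT, 12 + len(_pad4(comment))),
        struct.pack("<I", len(comment)), _pad4(comment),        # DataSize, then the comment bytes
        struct.pack("<IIIII", EMR_EOF, 20, 0, 16, 20),          # nPalEntries, offPalEntries, SizeLast
    ])
    header = struct.pack("<II4i4iIIIIHHIIIiiii",
                         EMR_HEADER, hdr_size,
                         0, 0, 100, 100,              # Bounds (device units)
                         0, 0, 2646, 2646,            # Frame (0.01 mm units)
                         EMF_SIGNATURE, 0x00010000,   # RecordSignature, Version
                         hdr_size + len(body), 3,     # Bytes (file size), Records
                         1, 0,                        # Handles, Reserved
                         len(description), 88,        # nDescription (UTF-16 chars), offDescription
                         0,                           # nPalEntries
                         1920, 1080, 508, 286)        # Device (pixels), Millimeters
    return header + _pad4(desc) + body


def walk_records(data):
    """Yield (offset, type, size) for each record; stop at EOF or a malformed size."""
    off = 0
    while off + 8 <= len(data):
        rtype, size = struct.unpack_from("<II", data, off)
        if size < 8 or size % 4 or off + size > len(data):
            break                                     # truncated or bogus record
        yield off, rtype, size
        if rtype == EMR_EOF:
            break
        off += size


def printable_runs(blob, min_len=4):
    """The 'strings'-style view: runs of printable ASCII at least min_len long."""
    runs, cur = [], bytearray()
    for b in blob:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                runs.append(cur.decode("ascii"))
            cur = bytearray()
    if len(cur) >= min_len:
        runs.append(cur.decode("ascii"))
    return runs


def emf_strings(data, min_len=4):
    """Return {'valid_header': bool, 'description': [...], 'comments': [...]}."""
    out = {"valid_header": False, "description": [], "comments": []}
    for off, rtype, size in walk_records(data):
        rec = data[off:off + size]
        if rtype == EMR_HEADER and size >= 88:
            sig, = struct.unpack_from("<I", rec, 40)
            out["valid_header"] = sig == EMF_SIGNATURE
            n_desc, off_desc = struct.unpack_from("<II", rec, 60)
            desc = rec[off_desc:off_desc + 2 * n_desc].decode("utf-16-le", "replace")
            out["description"] = [s for s in desc.split("\0") if s]   # app\0title\0\0 layout
        elif rtype == EMR_COMMENT and size >= 12:
            data_size, = struct.unpack_from("<I", rec, 8)
            out["comments"].extend(printable_runs(rec[12:12 + data_size], min_len))
    return out


if __name__ == "__main__":
    print(emf_strings(build_sample_emf()))
```

A plain `strings` run would miss the UTF-16 description unless told to look for little-endian wide characters, and would not tell you which record a hit came from; walking the records gives both, and a failed signature check on a file Word happily rendered is itself worth a second look.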


We now have a good bit of information on hand; lining these events up by time (VBA runtime loaded, outbound connection, .emf file written, then possibly deleted) gives a clear picture of what occurred. There is still much more that can be done to strengthen detection of this technique. Next I will look at how to identify the use of AddPicture in VBA code, since that method is what triggers the download of the image.

As this technique gets more eyes on it and commands are developed to evade detection by way of the EMF file, it will be interesting to see what creativity we as defenders can come up with. Please see the references below for more information on this technique.


