Maldoc Types
Below is a breakdown of commonly used MS Office file types used as maldocs and some of the techniques attackers use to make them malicious.
Microsoft Office Documentsβ
Microsoft Office documents, including Word, Excel, and PowerPoint files, are among the most frequently used maldocs by cyber threat actors. Users are accustomed to receiving and opening Office documents, making it easier for attackers to exploit this trust through phishing campaigns or targeted attacks. The inherent features of Microsoft Office documents, such as VBA macros, Dynamic Data Exchange, embedded OLE objects, and URL links, provide multiple avenues to deliver and execute malicious payloads.
Microsoft Word
.doc: Pre-2007 OLE document - may also contain VBA macros.docm: Post-2007 OOXML macro-enabled document.dotm: Post-2007 OOXML macro-enabled template
Microsoft Excel
.xls: Pre-2007 OLE workbook - may also contain VBA macros.xlsm: Post-2007 OOXML macro-enabled workbook.xltm: Post-2007 OOXML macro-enabled template.xlsb: Post-2007 OLE Binary workbook.slk: (Symbolic Link) Format for spreadsheet data in a textual format
Microsoft PowerPoint
.ppt: Pre-2007 OLE presentation - may contain VBA macros.pptm: Post-2007 OOXML macro-enabled presentation.potm: Post-2007 OOXML macro-enabled template.ppsm: Post-2007 OOXML macro-enabled slide show
Microsoft Access
.mdb: Pre-2007 OLE database - may also contain VBA macros.accdb: Post-2007 OLE Access database - may contain VBA macros.accde: Post-2007 OLE Compiled executable version, which can still contain VBA code
Microsoft Publisher
.pub: OLE publisher document - may also contain VBA macros
Microsoft Visio
.vsd: Pre-2007 OLE document - may also contain VBA macros.vsdm: Post-2007 OOXML macro-enabled drawing.vstm: Post-2007 OOXML macro-enabled template.vssm: Post-2007 OOXML macro-enabled stencil
Microsoft Outlook
.vcf: Contact file - can embed DDE commands
Techniquesβ
-
VBA Macros: Macros that can contain malicious payloads and are activated by user action. Visual Basic for Applications (VBA) and VBScript (VBS) are both scripting languages developed by Microsoft, but they are used in different contexts and have some key differences - namely that VBA provides additional capabilities, such as direct access to the Windows API, making them more dangerous than standalone VB scripts.
-
DDE (Dynamic Data Exchange): DDE is an older interprocess communication (IPC) mechanism developed by Microsoft that allows applications to share data and commands with each other. It uses formulas that, when the document is opened, asks the user if they want to run a specific command or program (e.g., launching cmd.exe or powershell.exe) to fetch data.
-
Embedded OLE Objects: OLE (Object Linking and Embedding) is a technology developed by Microsoft for integrating objects from one application into another, allowing for embedding, linking, and automation of objects between different software applications. Objects can contain malicious payloads and are activated by user action. These can be as simple as dragging and dropping a executable into a word document and encouraging the user to double click it when the document is open.
-
Hyperlinks: Any clickable hyperlink that can bring a user to a malicious URL that can perform credential harvesting via spoofed domains or drive-by downloading of malicious executables/scripts/exploit-kits. UNC paths can point to SMB shares hosted on malicious fileservers where an attacker can capture a user's password hash - as Windows automatically (depending on configuration) sends non-plaintext authentication information to SMB servers upon initial connection, where it can be used as part of an SMB relay attack, or cracked offline.