Detecting Embedded Content in OOXML Documents
On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents—specifically those in the Office Open XML (OOXML) file format. Additionally, we’re releasing a tool so analysts and defenders can automatically generate YARA rules using this technique.
OOXML File Format
Beginning with Microsoft Office 2007, the default file format for Excel, PowerPoint, and Word documents switched from the binary Compound File (OLE2) container to OOXML. For now, the only part of this that is important to understand is that an OOXML document is simply a set of folders and files (an Open Packaging Conventions package) stored in a ZIP archive, which is why `file` identifies it by its ZIP structure and `unzip` can list its contents directly. Let's look at the Word document this blog post is being written in (Figure 1), for example:
➜ file example.docx
example.docx: Microsoft Word 2007+
➜ unzip -v example.docx
Archive: example.docx
Length Method Size Cmpr Date Time …
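As an added illustration of the container structure described above (example code written for this edit, not the tool released with the post), the following Python script builds a constructed, minimal .docx-shaped package in memory, confirms it is an OPC/ZIP package, lists the parts under the embeddings/ and media/ folders with the CRC32 values that `unzip -v` would print, and turns the ZIP local file headers of those parts into a YARA rule. The folder prefixes, the sample payloads and the rule layout are assumptions made for this example and are not taken from the page; the one point it relies on is that OOXML is a ZIP archive.

```python
"""Added example (not the post's tool): walk the ZIP container of an OOXML
document, list the parts that hold embedded content, and build a YARA rule
that keys on the ZIP local file headers of those parts."""
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # ZIP local file header magic
# Assumed package folders where Word, Excel and PowerPoint keep embedded
# objects and media (word/embeddings/oleObject1.bin, word/media/image1.png, ...).
EMBEDDED_PREFIXES = ("word/embeddings/", "word/media/",
                     "xl/embeddings/", "xl/media/",
                     "ppt/embeddings/", "ppt/media/")


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx-shaped package, not a real Office file.
    It carries one OLE object (CFB magic) and one image (PNG magic)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.'
                    'openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin",
                    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    return buf.getvalue()


def is_ooxml(data: bytes) -> bool:
    """OOXML is an OPC package: a ZIP whose root holds [Content_Types].xml."""
    if not data.startswith(LOCAL_HEADER_SIG):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_embedded_content(data: bytes) -> list:
    """Return one record per embedded part. The CRC32 is read twice: from the
    central directory (what unzip -v prints) and straight out of the local file
    header at offset 14, because a YARA rule only sees the raw header bytes."""
    found = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.filename.startswith(EMBEDDED_PREFIXES):
                continue
            off = info.header_offset
            assert data[off:off + 4] == LOCAL_HEADER_SIG
            flags, = struct.unpack_from("<H", data, off + 6)
            local_crc, = struct.unpack_from("<I", data, off + 14)
            found.append({
                "name": info.filename,
                "size": info.file_size,
                "crc32": info.CRC,
                "local_crc": local_crc,
                # Flag bit 3 means the writer streamed the entry and left the local
                # CRC/size fields zero (a data descriptor follows the data instead);
                # a header-based rule must then fall back to the file name alone.
                "streamed": bool(flags & 0x0008),
                "magic": zf.read(info)[:8],
            })
    return found


def yara_rule(rule_name: str, entries: list) -> str:
    """Emit a rule matching each embedded part's local file header: magic,
    10 bytes of version/flags/method/time/date, the CRC32 (little-endian),
    12 bytes of sizes and name/extra lengths, then the part name."""
    strings = []
    for i, e in enumerate(entries):
        name_hex = " ".join(f"{b:02X}" for b in e["name"].encode())
        if e["streamed"]:
            pattern = f"{{ 50 4B 03 04 [26] {name_hex} }}"
        else:
            crc_hex = " ".join(f"{b:02X}" for b in struct.pack("<I", e["local_crc"]))
            pattern = f"{{ 50 4B 03 04 [10] {crc_hex} [12] {name_hex} }}"
        strings.append(f"        $e{i} = {pattern}")
    body = "\n".join(strings)
    return (f"rule {rule_name}\n{{\n    strings:\n{body}\n"
            f"    condition:\n        uint32(0) == 0x04034b50 and all of them\n}}\n")


if __name__ == "__main__":
    sample = build_sample_docx()
    print("OOXML package:", is_ooxml(sample))
    parts = find_embedded_content(sample)
    for p in parts:
        print(f"{p['name']:34} {p['size']:5d} bytes  crc32={p['crc32']:08x}  magic={p['magic']!r}")
    print(yara_rule("docx_embedded_parts", parts))
```

The rule pins each embedded part by both its name and its CRC32, so two documents that carry the same OLE object or image will match even when the surrounding XML differs, which is what makes this useful for clustering; drop the CRC bytes if you only want to flag the presence of an embedding regardless of its content.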
IoC (MD5)
0dc39af4899f6aa0a8d29426aba59314
252227b8701d45deb0cc6b0edad98836
397ba1d0601558dfe34cd5aafaedd18e
3bdfaf98d820a1d8536625b9efd3bb14