Detecting DDE in MS Office documents

Dynamic Data Exchange (DDE) is an old Microsoft technology that can be (ab)used to execute code from within MS Office documents. Etienne Stalmans and Saif El-Sherei from Sensepost published a blog post in which they describe how to weaponize MS Office documents with it.

We wrote 2 YARA rules to detect this in Office Open XML files (like .docx):

Update 1: our YARA rules detected several malicious documents in-the-wild.

Update 2: we added rules for OLE files (like .doc) and updated our OOXML rules based on your feedback.

// YARA rules Office DDE
// NVISO 2017/10/10 - 2017/10/12
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
 
// OOXML (.docx and friends): Word serialises a field as <w:fldChar w:fldCharType="begin"/>,
// the field code in w:instrText runs, then <w:fldChar w:fldCharType="end"/>.
// The keyword is matched case-insensitively via character classes; the XML around it is not.
rule Office_DDEAUTO_field {
  strings:
    $a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
  condition:
    $a
}
 
// Same pattern for a plain DDE field; the \b after DDE stops it from also matching DDEAUTO.
rule Office_DDE_field {
  strings:
    $a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
  condition:
    $a
}

// OLE compound files (.doc): uint32be(0) == 0xD0CF11E0 checks the compound-file magic (D0 CF 11 E0).
// In the binary Word format a field starts with a 0x13 marker and its field code runs up to the 0x14 separator.
rule Office_OLE_DDEAUTO {
  strings:
    $a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}

rule Office_OLE_DDE {
  strings:
    $a = /\x13\s*DDE\b[^\x14]+/ nocase
  condition:
    uint32be(0) == 0xD0CF11E0 and $a
}

These rules can be used in combination with a tool like zipdump.py to scan XML files inside the ZIP container with the YARA engine:

The detection is based on regular expressions that look for fields containing the keyword DDEAUTO or DDE. By dumping the matched YARA strings with zipdump.py's --yarastringsraw option, you can view the actual field code, and thus the command it would launch:

Here is an example of the DDE rule firing:

You can also look for MS Office files containing DDE using this YARA rule in combination with ClamAV as described in this blog post.
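To make the detection concrete, here is an added example (not NVISO's code and not zipdump.py) that implements the same four patterns in Python: it walks every part of an OOXML ZIP the way zipdump.py -y does, recovers the field code from the raw match (what --yarastringsraw shows), and applies the 0xD0CF11E0 magic check plus the 0x13/0x14 field-delimiter scan for OLE files. The .docx and the OLE blob it scans are constructed in memory and are not real Word output; the field target is the calc.exe demo quoted on this page. It assumes Python 3.6 or later (scoped (?i:...) regex flags) and only the standard library.

```python
import html
import io
import re
import zipfile

# The post's YARA patterns as Python regexes, so the detection can be stepped through
# without the YARA engine. re.DOTALL lets .+? cross line breaks in pretty-printed XML
# (YARA's . stops at a newline unless the /s modifier is used).
OOXML_FIELD_RE = re.compile(
    rb'<w:fldChar\s+?w:fldCharType="begin"/>.+?\b((?i:DDEAUTO|DDE))\b'
    rb'.+?<w:fldChar\s+?w:fldCharType="end"/>',
    re.DOTALL,
)
INSTR_TEXT_RE = re.compile(rb"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
KEYWORD_RE = re.compile(r"\b(?:DDEAUTO|DDE)\b", re.IGNORECASE)

# Compound-file magic tested by the Office_OLE_* rules (uint32be(0) == 0xD0CF11E0) and the
# field delimiters of the binary Word format: 0x13 = field begin, 0x14 = field separator.
OLE_MAGIC = b"\xd0\xcf\x11\xe0"
OLE_FIELD_RE = re.compile(rb"\x13\s*(DDEAUTO|DDE)\b([^\x14]+)", re.IGNORECASE)


def scan_ooxml(container):
    """Scan every part of an OOXML ZIP, as zipdump.py -y does, and return
    (part name, keyword, field code) per DDE/DDEAUTO field. The field code is what
    --yarastringsraw lets you read inside the raw match."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        for name in zf.namelist():
            for m in OOXML_FIELD_RE.finditer(zf.read(name)):
                # Word may split the field code over several w:instrText runs:
                # join them, unescape, and keep the text from the keyword onward.
                raw = b"".join(INSTR_TEXT_RE.findall(m.group(0)))
                joined = html.unescape(raw.decode("utf-8", "replace"))
                kw = KEYWORD_RE.search(joined)
                code = joined[kw.start():].strip() if kw else joined.strip()
                hits.append((name, m.group(1).decode().upper(), code))
    return hits


def scan_ole(data):
    """Byte-level scan mirroring Office_OLE_DDE / Office_OLE_DDEAUTO: require the
    compound-file magic, then report each field whose code starts with DDE/DDEAUTO."""
    if data[:4] != OLE_MAGIC:
        return []
    return [(m.group(1).decode().upper(), m.group(2).decode("latin-1").strip())
            for m in OLE_FIELD_RE.finditer(data)]


def field_xml(code):
    """Emit a field in the fldChar/instrText form Word uses in document.xml (constructed)."""
    return (
        '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
        '<w:r><w:instrText xml:space="preserve">{}</w:instrText></w:r>'
        '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
        "<w:r><w:t>!Unexpected End of Formula</w:t></w:r>"
        '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    ).format(html.escape(code, quote=True))


CALC_DEMO = 'c:\\Windows\\System32\\cmd.exe "/k calc.exe"'  # the calc.exe demo quoted on this page


def build_sample_docx():
    """Constructed minimal .docx (not a real Word file): a benign PAGE field in a header,
    a DDEAUTO field in the body, and a DDE field split over two runs in a footer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/header1.xml", "<w:hdr>" + field_xml(" PAGE ") + "</w:hdr>")
        zf.writestr("word/document.xml",
                    "<w:document><w:body>" + field_xml(" DDEAUTO " + CALC_DEMO + " ")
                    + "</w:body></w:document>")
        zf.writestr("word/footer1.xml",
                    '<w:ftr><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
                    '<w:r><w:instrText xml:space="preserve"> DDE c:\\Windows\\System32\\</w:instrText></w:r>'
                    '<w:r><w:instrText xml:space="preserve">cmd.exe &quot;/k calc.exe&quot; </w:instrText></w:r>'
                    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:ftr>')
    return buf.getvalue()


def build_sample_ole():
    """Constructed byte blob carrying the compound-file magic and one binary field
    (not a structurally valid .doc; enough to exercise the byte-level rule)."""
    return (OLE_MAGIC + b"\xa1\xb1\x1a\xe1" + b"\x00" * 24
            + b"\x13 DDEAUTO " + CALC_DEMO.encode() + b" \x14!Unexpected End of Formula\x15")


if __name__ == "__main__":
    for hit in scan_ooxml(build_sample_docx()):
        print("OOXML", hit)
    for hit in scan_ole(build_sample_ole()):
        print("OLE", hit)
```

Two things worth noting from running it: the PAGE field in the header never fires, and the footer shows why the field code has to be reassembled from several w:instrText runs before you can read the command, which is also why the YARA string alone is sometimes hard to read without --yarastringsraw.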

47 thoughts on “Detecting DDE in MS Office documents”

  24. Jon Ketchum

    Awesome work! It appears that older versions of MSWord (2007/2010 saving in XML-format) insert DDE using a SimpleField tag that won’t be caught by the regex above. Sample XML from a 2007 Word Doc:
    !Unexpected End of Formula

    a quick stab at a yara rule to catch it would be something like:
$a = /w:instr="\s*\b(DDE|DDEAUTO)\b.+;\s*">/ nocase

    1. Jon Ketchum

      The comment actually rendered the document XML sample in my original post. Here it is again using “code” meta-tag to (hopefully) avoid XML rendering:
      !Unexpected End of Formula

    2. Jon Ketchum

      Trying again…replacing angle-brackets with square-brackets to avoid XML rendering:
[w:fldSimple w:instr=" DDEAUTO c:\\Windows\\System32\\cmd.exe "/k calc.exe" "][w:r][w:rPr][w:b/][w:noProof/][/w:rPr][w:t]!Unexpected End of Formula[/w:t][/w:r][/w:fldSimple]

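The coverage gap reported in the comment above is easy to demonstrate. The added example below (not the commenter's rule and not NVISO's code) shows the post's fldChar-based pattern failing on a w:fldSimple field while a second pattern, keyed on the w:instr attribute, finds it and returns the field code. The sample XML is the comment's square-bracket snippet turned back into XML with the quotes inside the attribute XML-escaped, alongside the equivalent fldChar encoding; both are constructed for this example. It assumes Python 3.6 or later and only the standard library.

```python
import html
import re

# The fldChar pattern from the post's Office_DDE*_field rules as one Python regex
# (re.DOTALL so it also works on pretty-printed XML; keyword case-insensitive as in YARA).
FLDCHAR_RE = re.compile(
    r'<w:fldChar\s+?w:fldCharType="begin"/>.+?\b(?i:DDEAUTO|DDE)\b'
    r'.+?<w:fldChar\s+?w:fldCharType="end"/>',
    re.DOTALL,
)

# Simple fields keep the whole field code in the w:instr attribute of <w:fldSimple>.
# Capture the attribute value and check the keyword on the unescaped text, so that
# &quot; and other entities in the command do not get in the way.
FLDSIMPLE_RE = re.compile(r'<w:fldSimple\b[^>]*?\bw:instr="([^"]*)"')
KEYWORD_RE = re.compile(r"^\s*(DDEAUTO|DDE)\b\s*(.*?)\s*$", re.IGNORECASE | re.DOTALL)


def matched_by_post_rules(xml):
    """True when the fldChar-based regex from the post fires on this part."""
    return FLDCHAR_RE.search(xml) is not None


def find_simple_dde_fields(xml):
    """Return (keyword, field code) for every <w:fldSimple> whose field code starts
    with DDE or DDEAUTO, the encoding the comment above reports for Word 2007/2010."""
    found = []
    for m in FLDSIMPLE_RE.finditer(xml):
        kw = KEYWORD_RE.match(html.unescape(m.group(1)))
        if kw:
            found.append((kw.group(1).upper(), kw.group(2)))
    return found


# Constructed samples (not real Word output). SIMPLE_FIELD is the comment's sample as XML;
# COMPLEX_FIELD is the same field in the fldChar/instrText form the post's rules target.
SIMPLE_FIELD = (
    '<w:fldSimple w:instr=" DDEAUTO c:\\Windows\\System32\\cmd.exe &quot;/k calc.exe&quot; ">'
    "<w:r><w:rPr><w:b/><w:noProof/></w:rPr><w:t>!Unexpected End of Formula</w:t></w:r>"
    "</w:fldSimple>"
)
COMPLEX_FIELD = (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEAUTO c:\\Windows\\System32\\cmd.exe '
    "&quot;/k calc.exe&quot; </w:instrText></w:r>"
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    "<w:r><w:t>!Unexpected End of Formula</w:t></w:r>"
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
)
BENIGN_SIMPLE = '<w:fldSimple w:instr=" PAGE "><w:r><w:t>1</w:t></w:r></w:fldSimple>'

if __name__ == "__main__":
    for label, xml in (("fldSimple", SIMPLE_FIELD), ("fldChar", COMPLEX_FIELD), ("benign", BENIGN_SIMPLE)):
        print(label, "post rules:", matched_by_post_rules(xml),
              "fldSimple finder:", find_simple_dde_fields(xml))
```

A YARA string with the same intent as FLDSIMPLE_RE plus the keyword check is the shape the comment proposes (w:instr=" followed by optional whitespace and DDE or DDEAUTO at a word boundary); anchoring the keyword right after the opening quote keeps a PAGE or TOC field that merely mentions DDE somewhere in its switches from firing.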