Dynamic Data Exchange is an old Microsoft technology that can be (ab)used to execute code from within MS Office documents. Etienne Stalmans and Saif El-Sherei from Sensepost published a blog post in which they describe how to weaponize MS Office documents.
We wrote 2 YARA rules to detect this in Office Open XML files (like .docx):
Update 1: our YARA rules detected several malicious documents in-the-wild.
Update 2: we added rules for OLE files (like .doc) and updated our OOXML rules based on your feedback.
// YARA rules Office DDE
// NVISO 2017/10/10 - 2017/10/12
// https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
rule Office_DDEAUTO_field {
strings:
$a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
condition:
$a
}
rule Office_DDE_field {
strings:
$a = /<w:fldChar\s+?w:fldCharType="begin"\/>.+?\b[Dd][Dd][Ee]\b.+?<w:fldChar\s+?w:fldCharType="end"\/>/
condition:
$a
}
rule Office_OLE_DDEAUTO {
strings:
$a = /\x13\s*DDEAUTO\b[^\x14]+/ nocase
condition:
uint32be(0) == 0xD0CF11E0 and $a
}
rule Office_OLE_DDE {
strings:
$a = /\x13\s*DDE\b[^\x14]+/ nocase
condition:
uint32be(0) == 0xD0CF11E0 and $a
}
These rules can be used in combination with a tool like zipdump.py to scan XML files inside the ZIP container with the YARA engine:
The detection is based on regular expressions designed to detect fields containing the word DDEAUTO or DDE. By dumping the detected YARA strings with option –yarastringsraw, one can view the actual command:
Here is an example of the DDE rule firing:
You can also look for MS Office files containing DDE using this YARA rule in combination with ClamAV as described in this blog post.
53 thoughts on “Detecting DDE in MS Office documents”