Maldoc uses template injection for macro execution

I recently came across a handful of malicious office documents (maldocs) whose network traffic struck me as a slightly odd. As you can see in the screenshot below, there are several HTTP requests to the hxxp://moveis-schuster-com.[ga] domain and some of these requests appear to be for a DOTM file. A DOTM file is a macro-enabled office template file, so I dug in a bit more.

Maldoc Initial HTTP Requests

As is typical in my workflow, I first inspected the document using oledump – no macros. This is no surprise as the HTTP traffic would indicate that the macros come later.

Original maldoc with no macros

My next step was to load the document using Office to see if I could identify how it was dynamically loading this content. I immediately noticed some abnormal behavior in how Office was loading the document – first was a message in the initial loading image that it was contacting a server, then came a message about downloading from our suspicious domain.

Office startup screen w/ request to suspicious domain

This jogged my memory about a template injection technique that I hadn’t seen in a while. Since the Microsoft Open Office XML files use a ZIP container, you can use a decompression utility (7-zip, Xarchiver, etc) to examine the internal structure.

Internal structure of maldoc archive

The essence of the template injection technique ( MITRE ATTACK reference) is to create a non-macro enabled document that uses a template that contains macros, which is loaded from a remote server when the document is opened. Once the original document is created, the file that defines the template is located at word -> _rels -> settings.xml.rels, the value of the “Target” attribute can be modified to point to the location where the malicious macro-enabled template exists.

Domain for malicious macro-enabled template

When the maldoc is opened, it will attempt to retrieve and execute this template. If the template is no longer accessible, it loads the document anyway and appears rather benign (that is, no errors are encountered). This also provides the threat actor with the ability to easily change out the payload.

This is certainly not a new technique, but one I haven’t encountered in a while and felt it was worth a quick write-up. If you want to get into a bit more detail about how these documents are created, there is a great write-up at this blog.

Sample MD5: 61ac759c2437328eb47cc061d2af9473
Any.Run: https://app.any.run/tasks/3377537d-37bd-4832-a8b4-fc2642f27a45/
Github (sample): https://github.com/jstrosch/malware-samples/tree/master/maldocs/unknown/2020/May