Detecting Embedded Content in OOXML Documents
Threat Research 2021-08-18
On Advanced Practices, we are always looking for new ways to find malicious activity and track adversaries over time. Today we’re sharing a technique we use to detect and cluster Microsoft Office documents—specifically those in the Office Open XML (OOXML) file format. Additionally, we’re releasing a tool so analysts and defenders can automatically generate YARA rules using this technique.
OOXML File Format
Beginning with Microsoft Office 2007, the default file format for Excel, PowerPoint, and Word documents switched from an Object Linking and Embedding (OLE) based format to OOXML. For now, the only part of this that’s important to understand is OOXML documents are just a bunch of folders and files packaged into a ZIP archive. Let’s look at the Word document this blog post is being written in (Figure 1), for example:
➜ file example.docx example.docx: Microsoft Word 2007+
➜ unzip -v example.docx Archive: example.docx
Length Method Size Cmpr Date Time CRC-32 Name
-------- ------ ------- ---- ---------- ----- -------- ----
1445 Defl:S 358 75% 01-01-1980 00:00 576f9132 [Content_Types].xml
590 Defl:S 239 60% 01-01-1980 00:00 b71a911e _rels/.rels
1559 Defl:S 407 74% 01-01-1980 00:00 33ce17ac word/_rels/document.xml.rels
10861 Defl:S 2480 77% 01-01-1980 00:00 f0af2147 word/document.xml
8393 Defl:S 1746 79% 01-01-1980 00:00 9867f4b6 word/theme/theme1.xml
4725 Defl:S 1416 70% 01-01-1980 00:00 718205c5 word/settings.xml
655 Defl:S 295 55% 01-01-1980 00:00 bf8dd4bd word/webSettings.xml
755 Defl:S 367 51% 01-01-1980 00:00 5bf1cf49 docProps/core.xml
991 Defl:S 476 52% 01-01-1980 00:00 bad67489 docProps/app.xml
30308 Defl:S 3104 90% 01-01-1980 00:00 ce0f21cd word/styles.xml
7781 Defl:S 952 88% 01-01-1980 00:00 9f45bf02 word/numbering.xml
2230 Defl:S 559 75% 01-01-1980 00:00 63baaf8c word/fontTable.xml
-------- ------- --- -------
70293 12399 82% 12 files
Figure 1: unzip -v output for example.docx
Now, even though we used the unzip command, we didn’t actually unzip the archive. The output provided by the -v option is derived from the ZIP local file headers, which contain a wealth of information on the compressed files. Of particular interest is the CRC-32 value.
A cyclic redundancy check (CRC) is an algorithm designed to detect errors or unintended changes to data. The idea is a system can calculate a CRC value before and after a transfer or transformation of data as a simple way to ensure its integrity. For ZIP archives, the CRC-32 values confirm the decompressed files are the same as they were prior to compression. Which is great and all, but they can serve other use cases too.
Detection
Forget about error-detection. A ZIP CRC-32 value is essentially a small hash of the uncompressed file, and what better way to identify a file than by its hash? While the chance of a collision for CRC-32 is significantly higher than other algorithms such as SHA-256 or even MD5, it can be paired with additional metadata like the file name (or extension) and size to reduce false positives.
Here’s a hex dump of the first local file header from the previous example (Figure 2):
Figure 2: Hex dump of the first local file header for example.docx
Using the CRC-32, uncompressed file size, and file name fields, a YARA rule for this entry can be written as follows:
rule content_types { meta: author = "Aaron Stephens <aaron.stephens@mandiant.com>" description = "Example OOXML rule."
strings: $crc = { 32 91 6f 57 } $name = "[Content_Types].xml" $size = { a5 05 00 00 }
condition: $size at @crc[1] + 8 and $name at @crc[1] + 16 }
NOTE: The numeric fields are stored in little-endian.
Examples
Advanced Practices uses this technique to find similar documents that contain the same embedded file over time. Here are a couple real-world examples:
Document: 397ba1d0601558dfe34cd5aafaedd18e File: 0dc39af4899f6aa0a8d29426aba59314 (word\media\image1.png) Groups: UNC1130, UNC1837, UNC1965
rule png_397ba1d0601558dfe34cd5aafaedd18e { meta: author = "Aaron Stephens <aaron.stephens@mandiant.com>" description = "PNG in OOXML document."
strings: $crc = {f8158b40} $ext = ".png" $ufs = {b42c0000}
condition: $ufs at @crc[1] + 8 and $ext at @crc[1] + uint16(@crc[1] + 12) + 16 - 4 }
This rule detects OOXML documents, which contain a specific PNG image seen in Figure 3.
Figure 3: PNG embedded in phishing documents
Figure 3 is found in several documents dropping LATEOP, and has been attributed to groups such as UNC1130, a North Korean state-sponsored threat actor.
Document: 252227b8701d45deb0cc6b0edad98836 File: 3bdfaf98d820a1d8536625b9efd3bb14 ([Content_Types].xml) Groups: FIN7
rule xml_252227b8701d45deb0cc6b0edad98836 { meta: author = "Aaron Stephens <aaron.stephens@mandiant.com>" description = "[Content_Types].xml in OOXML document."
strings: $crc = {8cf0d220} $name = "[Content_Types].xml" $ufs = {9b060000}
condition: $ufs at @crc[1] + 8 and $name at @crc[1] + 16 }
This rule detects a specific [Content_Types].xml file, which is shown (formatted) in Figure 4.
Figure 4: Formatted [Content_Types].xml file
This file maps different parts of the OOXML package to their content type. Given a unique enough combination of parts and types, the [Content_Types].xml file can be a great way to find similar OOXML documents. This particular example is found in multiple FIN7 GRIFFON samples.
Tooling
Last but not least, it’s time to introduce apooxml, a Python tool that can be used to quickly and easily generate YARA rules just like these. Here’s how it works:
➜ python3 apooxml.py -h usage: apooxml.py [-h] [-a AUTHOR] [-n NAME] [-o OUT] sample
Generate YARA rules for OOXML documents.
positional arguments: sample OOXML document to generate YARA rule from.
optional arguments: -h, --help show this help message and exit -a AUTHOR, --author AUTHOR YARA rule author. -n NAME, --name NAME YARA rule name. -o OUT, --out OUT YARA rule file name.
➜ python3 apooxml.py -o 'example.yara' 397ba1d0601558dfe34cd5aafaedd18e 1. [Content_Types].xml 1980-01-01 00:00:00 14506c9d 1613 2. _rels/.rels 1980-01-01 00:00:00 b71a911e 590 3. word/_rels/document.xml.rels 1980-01-01 00:00:00 ab5e83b7 1207 4. word/document.xml 1980-01-01 00:00:00 44c9bf93 2692 5. word/_rels/vbaProject.bin.rels 1980-01-01 00:00:00 ef601408 277 6. word/vbaProject.bin 1980-01-01 00:00:00 ab54dacf 10752 7. word/media/image1.png 1980-01-01 00:00:00 408b15f8 11444 8. word/theme/theme1.xml 1980-01-01 00:00:00 4276c88b 7088 9. word/settings.xml 1980-01-01 00:00:00 17044d98 2750 10. word/vbaData.xml 1980-01-01 00:00:00 9209afe1 1292 11. word/fontTable.xml 1980-01-01 00:00:00 37e3715b 960 12. word/stylesWithEffects.xml 1980-01-01 00:00:00 c883d0b1 16755 13. docProps/app.xml 1980-01-01 00:00:00 3cc6382c 982 14. word/webSettings.xml 1980-01-01 00:00:00 4e16a017 428 15. docProps/core.xml 1980-01-01 00:00:00 8cef183c 643 16. word/styles.xml 1980-01-01 00:00:00 1f9b9145 16002
Enter a number corresponding to the desired entry: 7
Wrote YARA rule to example.yara.
➜ cat example.yara rule ooxml_png_crc_397ba1d0601558dfe34cd5aafaedd18e { meta: author = "apooxml" description = "Generated by apooxml." reference_md5 = "397ba1d0601558dfe34cd5aafaedd18e"
strings: $crc = {f8158b40} $ext = ".png" $ufs = {b42c0000}
condition: $ufs at @crc[1] + 8 and $ext at @crc[1] + uint16(@crc[1] + 12) + 16 - 4 }
For more details, check out the repository on GitHub.