The article examines how Office CustomXMLParts can be used as a covert container for a payload: a hex-encoded DLL is embedded in a custom XML part of the document and retrieved through the CustomXMLParts interface by VBA when the document opens. It shows how a YARA rule and the structure of the VBA locate and decode the payload, and notes that such documents, arriving by email, typically drop IcedID malware. #IcedID #StopMalvertisin
Keypoints
- CustomXMLParts can store arbitrary data in an Office document (legitimately used to drive formatting or add functionality), which makes them a potential covert payload container.
- The example stores a hex-encoded DLL inside a custom-xml-content element and retrieves it through the CustomXMLParts interface.
- A YARA rule targeting “custom-xml-content” and related strings is used to locate this pattern. It has to run on the decompressed parts (the .docx is a zip container and the custom XML parts are DEFLATE-compressed inside it), so the strings are not visible in the raw file.
- The VBA is invoked from Document_Open and proceeds to extract the hex string, convert it to bytes, write the DLL to disk, and then execute it.
- The dropped DLL is run with rundll32, with the export referenced by ordinal (“#1”), a common proxy-execution technique for Windows binaries.
- The article notes that these documents arrive by email and usually end up dropping IcedID; public IOCs and hashes were circulated in Twitter threads and on GitHub.
MITRE Techniques
- [T1059.005] Visual Basic – The VBA in the document runs on open and calls functions, e.g. “Document_Open()” and “FoalhoodPretransmitGlomerulose()”, to orchestrate the payload. Quote: “On ‘Document_Open()’ it only calls 1 function. ‘FoalhoodPretransmitGlomerulose()’”
- [T1132.001] Data Encoding – The payload is hex-encoded and decoded to bytes for execution. Quote: “Dim PharmacalLimnology() As Byte ‘Extracted hex string to bytes”. Note that T1132 is defined for command-and-control traffic; an encoded payload embedded in a document is more precisely covered by T1027 (below), including its Embedded Payloads sub-technique T1027.009.
- [T1027] Obfuscated/Compressed Files and Information – The payload is hidden in the XML element as a hex string. Quote: “Hex str inside xml tag.”
- [T1218.011] Rundll32 – The final stage uses rundll32 to run the dropped DLL, invoking its export by ordinal (“,#1”). Quote: “Shell "rundll32 " + AnchorerCrawfishesRedditive + ",#1" 'Run File”
- [T1566.001] Phishing: Spearphishing Attachment – Documents arrive via email and drop IcedID malware. Quote: “The documents come via email and usually end up dropping IcedID malware.”
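The Keypoints and the MITRE mapping above describe one procedure: a hex blob is parked in a custom XML part, located by its wrapping element, decoded to bytes, and written out as a DLL. The following is an added triage script, not code from the article or from the malware, that performs the defender-side equivalent of that chain: it opens the OOXML zip, scans only the customXml/ parts for the element name the article's YARA rule keys on, pulls out long hex runs, decodes them the way the VBA does, checks whether the result carries a PE header, and reports a SHA-256 for IOC matching. Assumptions: the element is literally named custom-xml-content (the article quotes the string but not the full XML), the .docx built in build_sample_docx and the fake PE header in fake_pe are constructed test inputs, and the 64-hex-digit threshold is an arbitrary floor chosen to skip GUIDs and colour values.

```python
"""
Triage helper for hex-encoded payloads hidden in Office custom XML parts.
Added example, not code from the original article.  The element name
<custom-xml-content> is assumed from the string the article's YARA rule
targets; the sample .docx and the fake PE below are constructed inputs.
"""
import hashlib
import io
import re
import zipfile
from typing import Dict, List, Optional

# Element assumed to wrap the hex blob (string the article's YARA rule uses).
PAYLOAD_TAG = "custom-xml-content"

# A run of hex digits long enough to be a binary rather than a GUID/colour.
HEX_RUN = re.compile(rb"[0-9A-Fa-f]{64,}")


def build_sample_docx(payload: bytes) -> bytes:
    """Construct a minimal .docx-shaped zip that carries `payload` hex-encoded
    in customXml/item1.xml, which is where Word stores CustomXMLParts.
    Constructed test input, not a real sample."""
    hexed = payload.hex().upper()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("customXml/item1.xml",
                   f"<{PAYLOAD_TAG}>{hexed}</{PAYLOAD_TAG}>")
    return buf.getvalue()


def find_hex_blobs(docx: bytes) -> Dict[str, List[bytes]]:
    """Return {part_name: [hex_run, ...]} for custom XML parts that mention
    PAYLOAD_TAG.  Works on the decompressed parts: the strings are not
    visible in the raw .docx because the zip members are DEFLATE-compressed."""
    hits: Dict[str, List[bytes]] = {}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if not name.startswith("customXml/"):
                continue
            data = z.read(name)
            if PAYLOAD_TAG.encode() not in data:
                continue
            runs = [m.group(0) for m in HEX_RUN.finditer(data)]
            if runs:
                hits[name] = runs
    return hits


def decode_payload(hex_run: bytes) -> Optional[bytes]:
    """Hex text -> bytes, the same conversion the VBA performs before writing
    the DLL.  Returns None for odd-length or non-hex input."""
    try:
        return bytes.fromhex(hex_run.decode("ascii"))
    except ValueError:
        return None


def is_pe(blob: bytes) -> bool:
    """Cheap PE check: 'MZ' magic plus a 'PE\\0\\0' signature at the
    e_lfanew offset stored as a little-endian DWORD at 0x3C."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(docx: bytes) -> List[dict]:
    """End to end: find hex runs in custom XML parts, decode them, flag PEs,
    and report the SHA-256 of each decoded blob for IOC matching."""
    report = []
    for part, runs in find_hex_blobs(docx).items():
        for run in runs:
            blob = decode_payload(run)
            if blob is None:
                continue
            report.append({
                "part": part,
                "hex_len": len(run),
                "size": len(blob),
                "is_pe": is_pe(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
            })
    return report


def fake_pe() -> bytes:
    """Constructed stand-in for a dropped DLL: MZ header, e_lfanew -> 0x40,
    'PE\\0\\0' at 0x40, then zero filler.  Not executable."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3A)       # 0x3C bytes of DOS header
    hdr += (0x40).to_bytes(4, "little")           # e_lfanew at 0x3C
    hdr += b"PE\x00\x00" + b"\x00" * 200          # PE signature + filler
    return bytes(hdr)


if __name__ == "__main__":
    for entry in triage(build_sample_docx(fake_pe())):
        print(entry)
```

On a real document, replace the constructed sample with the file's bytes (open(path, "rb").read()) and compare the reported sha256 against the published IOC hash; a hit in a customXml/ part that decodes to a PE is a strong signal on its own, independent of the YARA rule.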
Indicators of Compromise
- [Hash] SHA256 – 7e06cdff2b667d8748bc8822ef11173cd7a66c5a52d2d2fbaf78c92a94c5f69c – sample file hash associated with the payload
- [Domain] VIYb.pg – 132 hits, flagged as a domain name by automated extraction from related artifacts. Treat with caution: a short string recurring 132 times inside a sample is more likely a repeated substring of the encoded content than a real C2 domain, so confirm it before blocking or hunting on it.
- [File path] C:\ProgramData\xxx.dll – referenced as a potential drop location for the DLL