Key Points
- Three well-known Office CVEs (CVE-2017-11882, CVE-2017-0199, CVE-2018-0802) are still exploited in 2023 maldocs to achieve code execution in Word/Excel.
- Maldocs commonly fetch secondary payloads (downloaders and stealers) from remote URLs; observed payloads include Agent Tesla, GuLoader, and Formbook.
- Attackers use multiple evasive techniques: password-protected/encrypted Excel files, obfuscated VBA macros, junk-filled/encrypted shellcode, and very large OLE objects to hinder sandboxes and analysts.
- Peculiar URL formats (username@digital_ip and dotless IPs) are used to obscure hosted payloads and avoid easy detection; some requests return loader executables (e.g., /abc/loader5.exe).
- Distribution activity is short-lived (often under a week), and initial detection rates can be low, allowing maldocs to succeed before widespread signatures appear.
- Typical lures include “Enable Editing” prompts, CV-like filenames, and topical document content to induce user interaction and execute exploits.
MITRE Techniques
- [T1203] Exploitation for Client Execution – Exploits in Word/Excel (CVE-2017-11882, CVE-2017-0199, CVE-2018-0802) are used to trigger code execution from documents (‘…we focus on 3 old and well-known CVEs used in Microsoft Word and Microsoft Excel’).
- [T1204] User Execution – Documents rely on social-engineering lures (e.g., “enable editing”) to get victims to perform actions that trigger the exploit (‘…necessity for the user to “enable editing”’).
- [T1105] Ingress Tool Transfer – Malicious documents download secondary payloads from remote servers (e.g., loader5.exe) after exploitation (‘…tries to download a payload from the server’).
- [T1027] Obfuscated Files or Information – VBA macros and shellcode are obfuscated and padded with junk to hinder static and automated analysis (‘…obfuscated VBA macro’ / ‘junk and encrypted instructions inside the shellcode’).
- [T1140] Deobfuscate/Decode Files or Information – Encrypted blocks inside shellcode are decrypted at runtime before execution (‘…key part of the code is encrypted and decrypted inside the shellcode itself’).
- [T1566] Phishing – Campaigns use targeted lures, topical document names, and leaked-email themes to increase click-through and document opening rates (‘…lure topics to trick the users into opening the document’).
Indicators of Compromise
- [File Hash] maldoc/sample hashes – 0fd5e881a9ed54f69c35f9db17c4ea12fc7c10500b339a7fa11a695b4019954c (Agent Tesla sample), aac88dbc105d5dcc83b431181c093c752ab9189dcc47576f8e0d961eb3c0c044 (GuLoader), and 10+ other hashes.
- [File Hash] lure/document examples – 5cd806c0a528ca7ea6b3e2139c4c4165992d22610c50b0fecd47e08720835b4a (robertozx.doc), 59943c6c6f823b9fed47873c27db84710fd7b639698eca736af1b901c0f002b1 (Calvin-Ellis-CV.docx).
- [IP Address / URL] payload host – 107.172.73.137 serving http://107.172.73.137/abc/loader5.exe (observed loader URL).
- [File Name] document lures – facility_Request_Order.docx, INDIAN_STATE_SPONSOR_OF_TERRORISM__DESTABILIZATION_IN_PAKISTAN.docx (used as social-engineering lures to prompt enabling editing).
Researchers observed three legacy Office exploits (CVE-2017-11882, CVE-2017-0199, CVE-2018-0802) still used to achieve client-side code execution in Word/Excel documents. The exploitation chain commonly uses a user-interaction step (e.g., “Enable Editing”) to trigger embedded payload retrieval, followed by an ingress tool transfer where the document or embedded shellcode fetches a downloader or final payload (examples include loader5.exe served from 107.172.73.137). These stages are often obfuscated: attackers embed encrypted blocks that are decrypted at runtime inside shellcode, use junk and spaghetti jumps to confuse disassemblers, and hide code within very large OLE objects to overwhelm automated extraction tools.
To evade detection and analysis, maldocs employ multiple layered techniques: password-protected/encrypted Excel containers (including the legacy VelvetSweatshop behavior, where Excel silently tries its built-in default password, so a workbook encrypted with it opens without prompting the user), peculiar URL formats including credentials before an @ sign and dotless numeric IPs, and heavily obfuscated VBA macros that require manual deobfuscation or specialized tools. The combination of short, intense distribution windows (often under a week), low initial detection rates for some samples, and varied delivery formats (DOCX, XLSX, RTF) enables seasoned threat actors to deliver established payloads like Agent Tesla, GuLoader, and Formbook despite these vulnerabilities being years old.
Practical analysis tips drawn from observed samples: unzip Office files and inspect the internal parts directly rather than relying solely on extractor tools, which may choke on huge OLE objects; search embedded “Equation Native” objects and OLE streams for command strings; apply dynamic tracing to capture plaintext passwords or decrypted payloads at runtime; and parse unusual URLs (username@digital_ip or dotless IPs) by stripping the decoy userinfo and converting the numeric IP to dotted notation before pivoting on network indicators. These focused procedures improve the ability to recover payload URLs, decode runtime-decrypted shellcode, and attribute samples more quickly during incident response.
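The URL-parsing tip above, as an added example (not code from the original article or from Check Point): it strips the decoy userinfo before `@` and converts a dotless host (decimal, hex or leading-zero octal, as inet_aton accepts) to dotted notation. The sample URLs are constructed here from the page's observed loader URL; the usernames and the dotless encodings are assumptions.

```python
import ipaddress
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def decode_dotless_host(host: str) -> Optional[str]:
    """Convert an inet_aton-style single-integer host (decimal, 0x-hex or
    leading-zero octal) to dotted-quad form; None if it is not one."""
    h = host.lower()
    try:
        if h.startswith("0x"):
            value = int(h[2:], 16)
        elif len(h) > 1 and h.startswith("0") and h.isdigit():
            value = int(h, 8)          # inet_aton treats a leading 0 as octal
        elif h.isdigit():
            value = int(h, 10)
        else:
            return None                # a normal hostname or dotted IP
    except ValueError:
        return None
    if value > 0xFFFFFFFF:
        return None                    # does not fit in 32 bits
    return str(ipaddress.IPv4Address(value))


def normalize_payload_url(url: str) -> dict:
    """Split a payload URL into the fields an analyst pivots on: the
    userinfo placed before '@' (a decoy, not part of the host), the host
    as written, the host in dotted notation, and a cleaned-up URL."""
    parts = urlsplit(url)
    raw_host = parts.hostname or ""
    dotted = decode_dotless_host(raw_host) or raw_host
    port = f":{parts.port}" if parts.port else ""
    clean = urlunsplit((parts.scheme, dotted + port, parts.path, parts.query, ""))
    return {"userinfo": parts.username, "raw_host": raw_host,
            "host": dotted, "path": parts.path, "normalized": clean}


# Constructed samples modelled on the loader URL reported on the page
# (http://107.172.73.137/abc/loader5.exe); the dotless hosts are that
# same address written as a decimal, hex and octal integer.
SAMPLE_URLS = [
    "http://107.172.73.137/abc/loader5.exe",
    "http://invoice@1806453129/abc/loader5.exe",
    "http://user:pass@0x6BAC4989/abc/loader5.exe",
    "http://015353044611/abc/loader5.exe",
]
```

Running `normalize_payload_url` over `SAMPLE_URLS` resolves every entry to the same dotted host, which is the value to search for in proxy and DNS logs.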
Read more: https://research.checkpoint.com/2024/maldocs-of-word-and-excel-vigor-of-the-ages/