Combining file formats is one of many techniques attackers use in an attempt to evade detection. One such instance I’ve already written about where JavaScript files were embedded into Microsoft Word documents . This previous technique was amidst a long-running and still ongoing campaign of JavaScript malware, simply leveraging the same payload in a new container to throw off detection systems. Shortly after the writing of the previous blog post, Microsoft Word document-based malware (typically with macros rather than JavaScript) was on the rise. Once again the same principle has been leveraged, this time encapsulating the macro-containing Word malware into Adobe Acrobat files (PDFs).
JavaScript Malware Gets a New Look
Since at least December 2015, JavaScript has been a popular attack method for email malware. The most common distribution method was as a heavily obfuscated JavaScript file inside of a ZIP file and outbreaks of this sort peaked during spring and early summer of 2016. Recently this sort of attack has subsided greatly and older-style Microsoft Word documents (OLE-encoded) with macros have seemed to become the preferred delivery method of email-based malware.
Recently, however, some malware samples were brought to my attention that were quite unique and yet all-too-familiar upon analysis. They were the newer OOXML version of Microsoft Word documents (commonly seen with the docx file extension, as they were in this case). As this file type is basically a ZIP file containing various other files, including XML as the type suggests, it was easy to extract the files and take a look. To my surprise, no macros were present in the document. In fact, the only noteworthy files were two OLE-encoded files which are most commonly used for embedding content from a different Microsoft Office application, such as a chart from an Excel spreadsheet. Using a common tool for analyzing OLE files on the first and larger of the two files led to an interesting find: something very reminiscent of our old friend, JavaScript.