Malicious Word doc uses ActiveX to infect
A malicious Word doc was recently shared with us that used just about every trick in the book to infect a machine yet initially had zero detections on VirusTotal. At the time of this blog post, detections had improved somewhat to a less-than-impressive 2/55:
Likewise, the file was unknown on Metadefender; submitting it for analysis showed no engine detecting it as a threat.
As usual, the infection chain starts with a bit of social engineering (in this particular example the doc was sent in a spearphish to a business operations team of the intended victim). Assuming the content of the original email was successful in prompting the user to trust and open the doc, the user was then prompted to ‘enable content’:
At that point of course things went to hell in a handbasket.
Enabling content in a Word document is another way of saying, ‘please infect my machine’.
We’ll skip all the details of the analysis in this post in the interest of time and brevity; suffice it to say that the analysis set off a whole bunch of alarms in the VTI engine:
Most prominently, note the extensive use of COM, which in this case is used, among other things, as part of an ActiveX control. Next, PowerShell was invoked. You can read more about malware using COM here and PowerShell malware here. We’ve posted the entire analyses here for the full details.
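The two static indicators this document carried before anything ran, a VBA project and an embedded ActiveX control, can both be spotted by inspecting the OOXML package without opening it in Word. The script below is an added example (not code from the original post or from the analysis platform it describes): it builds a constructed in-memory package that imitates a macro-enabled document with an ActiveX part, then triages it using the standard OOXML part names and content types. The CLSID in the sample is a zero placeholder, not the control from the real document.

```python
"""Static triage of an OOXML (.docx/.docm) package for VBA macros and ActiveX parts.

Added example for this post, not the analysed sample. The package built here is a
constructed stand-in; only the OOXML layout (word/vbaProject.bin, word/activeX/*.xml)
and the Office content-type strings are real.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"
AX_NS = "http://schemas.microsoft.com/office/2006/activeX"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
ACTIVEX_XML_CONTENT_TYPE = "application/vnd.ms-office.activeX+xml"

# Placeholder CLSID for the constructed sample; not a real control identifier.
PLACEHOLDER_CLSID = "{00000000-0000-0000-0000-000000000000}"


def build_sample(with_macro: bool, with_activex: bool) -> bytes:
    """Build a minimal constructed OOXML package in memory (sample input only)."""
    overrides = ['<Override PartName="/word/document.xml" ContentType='
                 '"application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>']
    parts = {"word/document.xml":
             '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>'}
    if with_macro:
        overrides.append(f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>')
        parts["word/vbaProject.bin"] = b"\x00placeholder, not a real VBA stream\x00"
    if with_activex:
        overrides.append(f'<Override PartName="/word/activeX/activeX1.xml" '
                         f'ContentType="{ACTIVEX_XML_CONTENT_TYPE}"/>')
        parts["word/activeX/activeX1.xml"] = (
            f'<ax:ocx xmlns:ax="{AX_NS}" ax:classid="{PLACEHOLDER_CLSID}" ax:persistence="persistStorage"/>')
    content_types = (f'<Types xmlns="{CT_NS}">'
                     '<Default Extension="xml" ContentType="application/xml"/>'
                     '<Default Extension="bin" ContentType="application/vnd.ms-office.activeX"/>'
                     + "".join(overrides) + "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


def triage_ooxml(data: bytes) -> dict:
    """Report VBA presence, ActiveX parts and their CLSIDs; nothing is rendered or executed."""
    result = {"has_vba": False, "activex_parts": [], "activex_classids": [], "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # 1. [Content_Types].xml is the package's own declaration of what each part is.
        ct_root = ET.fromstring(zf.read("[Content_Types].xml"))
        for ov in ct_root.iter(f"{{{CT_NS}}}Override"):
            ctype = ov.get("ContentType", "")
            part = ov.get("PartName", "").lstrip("/")
            if ctype == VBA_CONTENT_TYPE:
                result["has_vba"] = True
            elif ctype == ACTIVEX_XML_CONTENT_TYPE:
                result["activex_parts"].append(part)
        # 2. Cross-check against part names in case the content types were edited to hide them.
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            result["has_vba"] = True
        for n in names:
            if (n.lower().startswith("word/activex/") and n.lower().endswith(".xml")
                    and n not in result["activex_parts"]):
                result["activex_parts"].append(n)
        # 3. Pull the control CLSID out of each ActiveX part for allow-listing or lookup.
        for part in result["activex_parts"]:
            for el in ET.fromstring(zf.read(part)).iter():
                clsid = el.get(f"{{{AX_NS}}}classid")
                if clsid:
                    result["activex_classids"].append(clsid)
    if result["has_vba"] and result["activex_parts"]:
        result["verdict"] = "high: macro plus ActiveX, send to sandbox"
    elif result["has_vba"] or result["activex_parts"]:
        result["verdict"] = "suspicious: active content present"
    return result


if __name__ == "__main__":
    for macro, activex in ((False, False), (True, False), (True, True)):
        print(macro, activex, triage_ooxml(build_sample(macro, activex)))
```

This catches the document at the mail gateway stage, before any ‘enable content’ prompt. It does not see the PowerShell stage, which only appears once the macro runs, so a static hit like this is a reason to detonate the file in a sandbox rather than a replacement for doing so.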