Macros Analysis

OLE Office Documents

Object Linking & Embedding (OLE) is a proprietary technology developed by Microsoft that allows embedding and linking to documents and other objects. If you ever run into files with extensions like XLS, XLSM, DOCX, DOCM, etc., these were created using OLE technology.

Zip Rename

Since Office files are essentially ZIP archives (they start with the PK magic bytes), you can give them a .zip extension and unzip them. Doing so extracts the archive and reveals the files that make up the malicious Office document. Two of them are document.xml, which holds the main document body text, and vbaProject.bin, which contains the evil macros themselves.

Template Injection and .docx vs .docm

Files with the .docm extension are macro-enabled Office documents, which leads people to believe that only .docm files can be malicious. In reality, a .docx file can be used to download a .docm Office template that contains malicious macros and execute them.

The Target variable points to a location under C:\Users\USERNAME\Documents. This is where the template file (in this case the malicious .docm) is downloaded to.
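The two checks above (is there a vbaProject.bin inside the archive, and do the relationship parts reference an external template) can be automated for triage. The following is an added example and not code from the original page: it builds a small constructed .docx in memory, then treats any file as a ZIP, lists its parts, flags an embedded vbaProject.bin, and walks every .rels part for an attachedTemplate relationship whose Target is external. The attachedTemplate relationship type URI is the real OOXML one; the sample document, the template URL and the function names are assumptions made for the demo.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Real OOXML relationship type Word uses to link a document to its template.
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Namespace of the package relationship parts (*.rels).
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def build_sample_docx(template_url, with_vba=False):
    """Constructed sample: a minimal .docx whose settings relationships point at
    an external template. Not a real document; the parts are stubs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/settings.xml", "<w:settings/>")
        z.writestr(
            "word/_rels/settings.xml.rels",
            '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/>'
            "</Relationships>",
        )
        if with_vba:
            # Placeholder bytes standing in for a macro project (constructed).
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


def triage_office_zip(data):
    """Triage an OOXML file given as bytes. Returns a dict of findings:
    whether it is a ZIP, which parts it holds, whether a vbaProject.bin is
    embedded, and every external attachedTemplate relationship found."""
    findings = {
        "is_zip": False,
        "parts": [],
        "has_vba_project": False,
        "external_templates": [],
    }
    # OOXML files are ZIP archives and therefore start with the PK magic bytes.
    if not data.startswith(b"PK"):
        return findings
    findings["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["parts"] = names
        findings["has_vba_project"] = any(
            n.lower().endswith("vbaproject.bin") for n in names
        )
        # Template injection lives in the relationship parts, not in document.xml,
        # so inspect every *.rels part for an external attachedTemplate target.
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(RELS_NS + "Relationship"):
                if (
                    rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"
                ):
                    findings["external_templates"].append((name, rel.get("Target")))
    return findings


if __name__ == "__main__":
    # Constructed sample with an external template and no embedded macros.
    sample = build_sample_docx("http://example.invalid/template.docm")
    result = triage_office_zip(sample)
    print("parts:", result["parts"])
    print("embedded vbaProject.bin:", result["has_vba_project"])
    for part, target in result["external_templates"]:
        print(f"external template in {part}: {target}")
```

Run against a real sample, replace the constructed archive with `open(path, "rb").read()`; a .docx with no vbaProject.bin but with an external attachedTemplate target is exactly the case the text describes, and the reported Target is the URL the document will fetch when opened.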
