Your Workplace Doc is at Danger | Techniques Tech

PROJECT NEWS  > News >  Your Workplace Doc is at Danger | Techniques Tech

nearly Your Workplace Doc is at Danger will lid the most recent and most present instruction on the order of the world. entry slowly suitably you comprehend with out issue and appropriately. will lump your information skillfully and reliably

Microsoft Workplace paperwork are used worldwide by each companies and residential customers. Its totally different workplace variations, whether or not licensed or unlicensed, supply customers a straightforward technique to create and modify information. Nonetheless, this software program can also be prone to cyberattacks.

Cyber ​​criminals typically make the most of their vulnerability and use VBA (Visible Fundamental Software) macros as entry factors to realize entry to focus on programs and gadgets.

Through the years, VBA macros have been a pervasive menace to Workplace paperwork with their potential to unfold malware. And that is why Microsoft lastly determined to dam VBA macros for information which have the ‘mark of the net’ (MOTW) tag. With this alteration, at any time when customers open a file downloaded from the Web, comparable to e mail attachments which have macros, the next message will likely be displayed:

Determine 1. Safety danger warning

In consequence, attackers are actually compelled to think about alternative routes to achieve their victims. And that is the place Microsoft plugins come into the image.

What are Microsoft Add-ons?

An add-on is a software program program that extends the capabilities of the principle applications. It’s a time period generally utilized by Microsoft and different platforms which have extra options that may be added to the principle applications. Workplace Add-ins are DLL information which have totally different extensions relying on the applying. Microsoft Excel and Phrase have plugins with the file extensions, ‘.xll’ and ‘.wll’ respectively.

For the phrase, the ‘.wll’ The add-in should be positioned in a selected location, specified by the HKCUSoftwareMicrosoftOffice16.0WordSecurityTrusted Areas registry worth, relying on the model of Workplace. This may be certain that ‘.wll’ the add-in runs by way of the Phrase software.

For Excel add-ins, so long as ‘.xll’ the file is uploaded, it would open with an Excel software.

Malicious XLL information

Many menace actors have began utilizing XLL information as their preliminary vector. These information are largely shared as an e mail attachment. It’s related to an icon much like one other Excel-compatible file, making it tough for finish customers to differentiate between the unique Excel file and an add-in file.

Determine 2. Malicious DLL with .XLL extension

When opening such information, Excel will show a warning concerning the malicious code it accommodates.

Fig.3. MS Workplace Warning for Plugin

It’s attainable for a “.dll” (dynamic hyperlink library) file to be renamed as a “.xll” (Excel Add-in) and is used for malicious functions. The distinction between a traditional DLL file and an XLL file is that XLLs can have sure exported features that will likely be referred to as by the Excel Add-in supervisor if activated by the Excel software. When Excel begins the XLL file, it would name the export features based mostly on the XLL interface outlined as xlAutoOpen and xlAutoClose much like the strategies auto_open and automobile closed in VBA macros. These features can be utilized to add malicious code and obtain the malware payload.

Technical evaluation:

It begins with a file referred to as “BankStatement-1674745402.xll”, which is a 64-bit DLL file. This file accommodates an export perform with the title “xlAutoOpen” as proven in determine 4.

Determine-4. DLL export perform

We have now run this DLL file explicitly utilizing “rundll32.exe” with the parameters,

“C:WindowsSysWOW64rundll32.exe C:UsersuserDesktop9009859256BankStatement-1674745402.xll, xlAutoOpen”.

In determine 5, we will see the execution circulation of the method.

Determine-5. Execution Course of Circulation

The export perform has code (proven in Determine 6) that makes use of the strcat perform to generate totally different strings which have hyperlinks and instructions for execution. The next perform creates a hyperlink “http[:]//160[.]119[.]253[.]36/” and take a look at connecting to this hyperlink to obtain the zip file and put it aside as a “”.

Determine-6. Code for hyperlink technology and connection

After this, PowerShell is used to unzip this zip file to %Temp% folder with beneath talked about command,

“powershell.exe Develop-Archive –Path “” -DestinationPath “C:UsersuserAppDataLocalTemp””

After unzipping we get “configuration_file_v17.3.4” named folder within the %Temp% folder that has the “Assets” folder and “configuration_file_v17.3.4.jpg” file inside.

Determine-7. configuration_file_v17.3.4 folder in Temp

The sources folder has a number of XML information that include dummy information. The attackers put that information on objective to make evaluation exhausting. He “configuration_file_v17.3.4.jpg” shouldn’t be a picture file format file. It’s nothing greater than a 32-bit PE file written in .NET language and appears like an installer for the Inno configuration module.

An Inno Setup is a well-liked free set up framework used to create installers for Home windows functions. It supplies a scripting language that enables builders to customise the set up course of, together with creating shortcuts, registry entries, and different system settings.

Determine-8. configuration_file_v17.3.4.jpg file info in Die device

This .NET file has 213 strategies (proven in Determine 9) which are closely obfuscated. We are able to de-obfuscate utilizing de4dot obfuscators To keep away from inverting a .NET software, the creator has applied a number of strategies to make it tougher for any researcher to grasp the code and logic of the applying.

Determine-9. “.NET Technique Rely”

This “configuration_file_v17.3.4.jpg” file executed utilizing beneath talked about command,

“cmd.exe /c begin C:UsersuserAppDataLocalTempfilesetup_v17.3.4filesetup_v17.3.4.jpg”

This file makes use of some anti-debugging strategies at first of execution that are talked about beneath,

1. OllyDbg is a well-liked debugging device that can be utilized to research and modify operating applications, together with .NET functions. One approach to detect and forestall debugging utilizing OllyDbg is to verify for the presence of a selected string related to the debugger.

Determine-10. OLLDBG Device Verify

2. Checking the debugger log, which is used to find out if a debugger is hooked up to the method and take acceptable motion if one is discovered.

Determine-11. Debugger log verify

3. The IsDebuggerPresent perform is used to detect if a debugger is hooked up to the method or not.

4. The CheckRemoteDebuggerPresent perform is used to detect whether or not a debugger is related to the present course of or a distant course of or not.

Determine-12. IsDebuggerPresent and CheckRemoteDebuggerPresent features

Racoon Stealer V2 is a kind of malware designed to steal confidential info from contaminated programs. It’s able to stealing varied kinds of information together with .ttf and .xml information and storing them on the contaminated system. Nonetheless, if the CNC (command and management) server is down, the malware could not have the ability to ship the stolen info to the server for exfiltration.

On this state of affairs, the stolen .ttf and .xml information can stay on the contaminated system till the CNC server turns into out there. This will probably expose delicate info to the attacker, since they will nonetheless entry the stolen information on the compromised system.

Quick Therapeutic Safety:

Fast Heal Safety Labs have been actively in search of most of these information to make sure that all Fast Heal prospects are protected with the next detections.

  • Downldr.XllfmAgent.S29349494
  • Downldr.XllDanot.S29357788
  • Trojan.GenericRl.S24740760
  • Trojan.RacoonStealerCiR


In conclusion, Microsoft plugins can current a possible menace vector for malware like Raccoon Stealer V2. These kinds of malware are designed to steal delicate info from contaminated programs and use Microsoft plug-ins as a method to ship the malware to focus on programs. To mitigate this danger, organizations ought to implement finest practices for endpoint safety, comparable to protecting software program updated, implementing strong antivirus and antimalware options, enabling firewalls and different community safety measures, and educating customers. on steps to establish and keep away from social engineering assaults. By taking these steps, organizations can considerably scale back the danger of malware assaults and information theft through Microsoft plug-ins and different potential assault vectors.





Malicious DLL file:









Malicious ZIP file:



Anjali Raut, Akshay Gaikwad