Throughout course of my monitoring future and possible targeted attacks, I recently chanced upon a spear-phishing email sent to an undisclosed recipient that contains three seemingly harmless documents. I was curious about the attached documents so I first checked the one titled AlSajana Youth Center financial Report.docx. The so-called financial report turned out to be a non-malicious document (see Figure 1) but the other two attached files struck me as suspicious as well. Their file names were u0627u0644u0645u0639u062Fu064429u0.docx and u0625u0646u062Cu0644u064Au0632u0649.doc.

Figure 1. Sample of the non-malicious .DOCX file with the file name AlSajana Youth Center financial Report.docx

Figure 2. Attached files named u0627u0644u0645u0639u062Fu064429u0.docx and u0625u0646u062Cu0644u064Au0632u0649.doc

(click to enlarge image)

True enough, when we opened the documents, we found suspicious connections to the URL hxxp://www.islamonaa.com/vb/uploaded/24b38bcf42.gif, which we found running in the background. These malicious documents are both detected as TROJ_MDLINK.A. The domain islamonaa.com is for sale, but it has suspicious redirections before landing to a normal Facebook link https://www.facebook.com/r.php. The domain islamonaa.com has since been listed as a suspicious site according to our source and we now block this domain under the classification “Disease Vector”.

Making use of legitimate functions in Microsoft Word

After checking, we found that the legitimate process winword.exe triggered these suspicious connections. We then checked if the document had an embedded macro that connects to the malicious URL. To our surprise, we found none. Next, we checked the Microsoft Word document for vulnerability exploitations–still nothing. At this point, we were curious to know what made winword.exe connect to the URL.

We noticed that both documents contained text and other objects such as an image file. Curious about the image inserted in the document, I immediately checked for inserted hyperlinks in the image. And yet again, we found none. After some more digging into this seemingly normal file, we found out that there are three ways to insert an image in Microsoft Word and other software under Microsoft Office for that matter:

Insert – embed the image in the document. Link to File – links the image to a file (a local file or a file in the web). If the link is inaccessible or unloadable, it puts a placeholder for an image that cannot be displayed. Insert and Link – a combination of Insert and Link to File. This feature is used so that when the link is inaccessible or cannot be loaded, it would still display the image.

Apparently, the insert and link feature was used to insert the image in the suspicious-looking document. I was finally getting somewhere. If it weren’t for the suspicious connection, we wouldn’t have flagged these documents as malicious (no macro, no exploits, no other sign of being malicious). So how did the attackers craft these documents? There are two possible ways to do this. Use the insert and link feature of Microsoft Office with a link to the image that you want to embed. Save the document. Then opt to do the following: Replace the content of the link with something else or change the link within the file (even with little knowledge of the document file structure).

Figure 3. Microsoft Word enables you to update or modify the links in the document

Figure 4. Winword.exe runs the malicious URL

Both methods are very simple to do and they both use a legitimate feature of Microsoft Office. We find this new technique very interesting because of its simplicity and the way it evades detection.

Should I be worried about this type of attack?

Yes and no. Unfortunately, file-based detections prove to be futile in staying protected against this type of attack since there is nothing malicious per se in the file such using exploits and malicious macros. This feature cannot be disabled and is in Microsoft Word and is enabled by default in other Microsoft Office applications. It does not display itself as a hyperlink either, so users will most likely be caught unaware that the malicious URL is already running in the background–all you need to do is open the document.

Theoretically, cybercriminals may also abuse the “insert and link” feature in Microsoft to point to downloading malicious files via social engineering techniques. However, it’s highly unlikely that the file download would be successfully carried out unnoticed because it would require the user to eventually execute the file. Adding a malicious script in the “insert and link” feature seems like a more logical move.

Best practices and countermeasures

Microsoft already has a feature to enable security alerts about links to suspicious websites, but this is may not be enough to protect users as it only works for sites that were previously flagged as suspicious. The security alerts won’t work for new websites being used by attackers. It’s best to take a proactive approach in defending against this type of attack. Always check if the email sender is from a trustworthy source, i.e., from friends, coworkers, or other legitimate sources. Here’s how to check for links to files in different versions of Microsoft Office:

For Microsoft Office 2003:

Select Edit > Links.

For Microsoft Office 2007:

Select Office button > Prepare.

Click Edit Links to Files.

For Microsoft Office 2010:

Select File > Info.

On the right-hand side, under Related Documents, click Edit Links to Files.

Because this is a legitimate feature in Microsoft Office, malicious URL blocking and network discovery are our best bets to combat attacks that may possibly utilize this technique.

This potential attack scenario highlights the importance of a multilayer approach to protection provided by the Trend Micro™ Smart Protection Network™, which can block all related malicious files, URLs, and emails. In this case, even if the file may be non-malicious, we are able to block it with Web Reputation Services due to the malicious nature of the URL linked via the ‘insert and link’ feature. Users can also visit the Trend Micro™ Site Safety Center to check whether a URL is malicious or not. Related hashes:

175f992f3a8241198b1171032606d620e07b27d9

a3f73a71a75787a8a2c586fd210d69ecfadcf61b

With additional insights by Maydalene Salvador and Karla Agregado