Malicious Shapes In Office — Part 1

Laughing Mantis
4 min read · Jul 5, 2020


Abusing Shape Data To Store Commands To Execute In VBA

On July 1st, 2020 I briefly discussed how InlineShape objects inside Microsoft Office documents can be used by VBA to conceal and execute commands or payloads.

For those of you who are new or less familiar with VBA malware, it is important to know that, like many other script-based malware families, it is inherently exposed to reverse engineering once a sample has been obtained, because the malware is interpreted directly from its source code.

However, much like the HTML DOM, Microsoft Office exposes objects that can be inserted into a document and then manipulated or destroyed by the malware. If these objects carry information that the malware's source code later interprets and acts on, reverse engineering the true nature of the malware becomes extremely difficult.

This is the first of several posts discussing the technical details of methods that abuse these objects to hinder reverse engineering, while giving both Red Teams and Blue Teams ways to identify, create, mitigate and expand on the method.

Shapes and InlineShapes objects in Microsoft Office come in a few different variants. They are defined by the enum MsoShapeType.

This took absolutely way too long to generate and I should have just screen shot it

To be clear, I am not the first person to look at Shape objects and wonder how they could be used for malicious purposes. Abusing Shape and InlineShape data structures has been around for many years. However, it appears that the use of Shapes in malware has mostly been limited to two types of activity: storing script payloads and checking whether the sample has already been executed.

A few examples of VBA malware have used the msoTextBox (type 17) object to store malicious script files (namely VBS, JS and PowerShell) as their payloads, and inspecting this type of object has become quite commonplace for AV and sandbox systems.

This is done by literally writing the entire content of the malicious payload script into a text box and then setting its visibility to false, its size to 1x1 pixel, or using any other run-of-the-mill method to visually hide the text box.

Using Shape Object to hide Script Payloads is still a viable tactic that seems to be forgotten in 2020.

A rarer strategy that has also been implemented is inserting a shape object with particular values so the malware can determine whether the sample has already run. This is still a valid tactic; however, it has generally been dropped over the years in favor of Document.Variables.

I initially explored abusing these objects and found them relatively easy to use as a way to store self-deleting, self-interpreting VBA code. Note that this means deleting interpreted code, not working at the P-Code level the way Evil Clippy and VBAStomper do. Both of those tools and the research behind them are very impressive, and this method is meant to be used in conjunction with them in order to greatly complicate the jobs of Blue Teams, reverse engineers, AV, sandboxes and forensic analysts.

As an example of how to abuse Shapes in VBA, I have created the tool VBA-CmdShape.

This tool inserts a TextBox Shape object into a Word document and stores the VBA commands to execute within that object. The values are spread across three properties of the TextBox Shape in order to better obfuscate their usage. The object is then given a secret value in its Shadow properties to serve as a unique ID, so the extraction code can identify it later.

CreateTextBox() will create a malicious Command Shape with special properties and embed commands in its properties

The execution code then enumerates all of the shapes in the Office document, searches for the shape carrying the secret key, and extracts the embedded commands from the Command Shape. In the example I used CallByName together with a CreateObject("Shell.Application") object to execute calc.exe.

ExecuteTextBoxCommands will find the CommandShape, execute the hidden commands, delete the shape and save the document.

I have left encryption and decryption of the strings stored in the CmdShape as an exercise for the user.

Because the shape is deleted after execution, analysing this exact sample becomes difficult. The catch is that the malicious Shape object is stored inside the document itself, so any copy of it (for example, in email server storage) still contains the unexecuted shape and therefore still allows the sample to be reverse engineered.
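That unexecuted copy is precisely what a defender can inspect. The following triage script is an added example, not code from the post or from VBA-CmdShape: it parses a Word document's word/document.xml for DrawingML text boxes and flags any that are hidden, 1x1 pixel in size, or contain command-like text, while reporting the alt-text and shadow properties that the post describes as carriers for commands and the secret ID. The sample XML is constructed and simplified, and the exact property names VBA-CmdShape uses are not stated on the page, so the script reports docPr attributes and shadow presence generically.

```python
import xml.etree.ElementTree as ET

NS = {
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "wp": "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing",
    "wps": "http://schemas.microsoft.com/office/word/2010/wordprocessingShape",
    "a": "http://schemas.openxmlformats.org/drawingml/2006/main",
}
EMU_PER_PIXEL = 9525  # 914400 EMU per inch at 96 dpi
# Tokens the post names as the execution primitive; extend with your own list.
COMMAND_TOKENS = ("Shell.Application", "CallByName", "CreateObject")

# Constructed word/document.xml (simplified: real files wrap shapes in a:graphic).
SAMPLE_DOCUMENT_XML = f"""<w:document xmlns:w="{NS['w']}" xmlns:wp="{NS['wp']}"
 xmlns:wps="{NS['wps']}" xmlns:a="{NS['a']}"><w:body>
<wp:inline><wp:extent cx="1828800" cy="914400"/><wp:docPr id="1" name="Text Box 1"/>
 <wps:wsp><wps:txbx><w:txbxContent><w:p><w:r><w:t>Quarterly summary</w:t></w:r></w:p>
 </w:txbxContent></wps:txbx></wps:wsp></wp:inline>
<wp:anchor hidden="1"><wp:extent cx="9525" cy="9525"/>
 <wp:docPr id="2" name="Text Box 2" descr="k3y"/><wps:wsp><wps:spPr><a:effectLst>
 <a:outerShdw/></a:effectLst></wps:spPr><wps:txbx><w:txbxContent><w:p><w:r>
 <w:t>CreateObject("Shell.Application")</w:t></w:r></w:p></w:txbxContent></wps:txbx>
 </wps:wsp></wp:anchor></w:body></w:document>"""

def find_textbox_shapes(document_xml):
    """One record per DrawingML inline/anchor that holds a text box."""
    root = ET.fromstring(document_xml)
    wanted = {f"{{{NS['wp']}}}inline", f"{{{NS['wp']}}}anchor"}
    shapes = []
    for el in root.iter():
        if el.tag not in wanted or el.find(".//wps:txbx", NS) is None:
            continue
        doc_pr = el.find("wp:docPr", NS)   # name / alt text (descr) of the shape
        ext = el.find("wp:extent", NS)     # rendered size in EMU
        shapes.append({
            "name": doc_pr.get("name", "") if doc_pr is not None else "",
            "descr": doc_pr.get("descr", "") if doc_pr is not None else "",
            "hidden": el.get("hidden") == "1",  # attribute exists on wp:anchor only
            "px": tuple(int(ext.get(k, "0")) // EMU_PER_PIXEL for k in ("cx", "cy")) if ext is not None else (0, 0),
            "shadow": el.find(".//a:effectLst/a:outerShdw", NS) is not None,
            "text": "".join(t.text or "" for t in el.iter(f"{{{NS['w']}}}t")),
        })
    return shapes

def suspicious(shape):
    """Reasons a text box looks like a payload/command carrier; empty if benign."""
    checks = (("hidden", shape["hidden"]), ("tiny", max(shape["px"]) <= 1),
              ("command-like text", any(t in shape["text"] for t in COMMAND_TOKENS)))
    return [name for name, hit in checks if hit]
```

To run it against a real file, unzip the .docx and pass the contents of word/document.xml to find_textbox_shapes(); shapes with a non-empty suspicious() list, or an unexplained descr value plus a shadow, deserve a closer look alongside the VBA project.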

In the next entry I will discuss how to abuse other Shapes loaded from remote sources, so that no recoverable copy is left available to the Blue Team.
