Since at least December 2015, JavaScript has been a popular delivery vehicle for email-borne malware. The most common distribution method was a heavily obfuscated JavaScript file inside a ZIP attachment, and outbreaks of this sort peaked during the spring and early summer of 2016. Recently this kind of attack has subsided greatly, and older-style binary Microsoft Word documents (the OLE-based .doc format) carrying macros have become the preferred delivery method for email-based malware.
Recently, however, some malware samples were brought to my attention that were unusual and yet all too familiar once analyzed. They were the newer OOXML form of Microsoft Word document (commonly seen with the .docx extension, as they were in this case). Since this file type is essentially a ZIP archive containing other files, XML among them as the name suggests, it was easy to extract the contents and take a look. To my surprise, no macros were present in the document. In fact, the only noteworthy files were two embedded OLE objects, the mechanism Office most commonly uses to embed content from a different Office application, such as a chart from an Excel spreadsheet. Running a common OLE analysis tool over the first and larger of the two objects led to an interesting find: something very reminiscent of our old friend, JavaScript.
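The triage described above (unzip the .docx, look for embedded OLE objects, check them for script) is easy to automate. The following is an added example written for this article, not code from the original post or from Barracuda; it builds a constructed sample package whose two embedded objects carry only the real OLE2 header bytes followed by placeholder text, and the indicator list is a hypothetical starting point rather than a tested signature set. Real compound files should be parsed stream by stream with a proper OLE parser; the string scan here is the quick first pass a responder would run before that.

```python
import io
import re
import zipfile

# Compound File Binary (OLE2) header signature.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"

# Hypothetical indicator set for this example: strings that commonly appear in
# script dropped inside an embedded object. Tune these for your own environment.
SCRIPT_INDICATORS = {
    "ActiveXObject": re.compile(r"ActiveXObject", re.IGNORECASE),
    "WScript.Shell": re.compile(r"WScript\.Shell", re.IGNORECASE),
    "eval(": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    ".js filename": re.compile(r"\.jse?\b", re.IGNORECASE),
}


def find_ole_parts(docx_bytes):
    """Return {zip member name: bytes} for every member that starts with the OLE2 magic."""
    parts = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or info.file_size < len(OLE_MAGIC):
                continue
            data = zf.read(info.filename)
            if data.startswith(OLE_MAGIC):
                parts[info.filename] = data
    return parts


def has_vba_project(docx_bytes):
    """True if the package carries a macro project (word/vbaProject.bin, as in a .docm)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def script_indicators(blob):
    """Names of SCRIPT_INDICATORS matching the blob, viewed both as 8-bit text and as
    UTF-16LE (the two encodings in which strings usually appear inside OLE streams)."""
    views = (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore"))
    return sorted(name for name, rx in SCRIPT_INDICATORS.items()
                  if any(rx.search(v) for v in views))


def triage(docx_bytes):
    """Summarize a .docx: macro project present? which embedded OLE parts look like script?"""
    ole = find_ole_parts(docx_bytes)
    report = {
        "has_vba_project": has_vba_project(docx_bytes),
        "ole_parts": {name: script_indicators(data) for name, data in ole.items()},
    }
    report["suspicious"] = any(report["ole_parts"].values())
    return report


def build_sample_docx():
    """Constructed sample, not a real malware document: a minimal OOXML package with two
    embedded objects. Only the OLE header bytes are genuine; the payload is plain text
    standing in for the streams a true compound file would contain."""
    payload = (b"var s = new ActiveXObject('WScript.Shell');\r\n"
               b"eval(String.fromCharCode(0x41));\r\n")
    ole1 = OLE_MAGIC + b"\x00" * 24 + payload
    ole2 = OLE_MAGIC + b"\x00" * 24 + b"Worksheet chart data, nothing executable"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types/>')
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/oleObject1.bin", ole1)
        zf.writestr("word/embeddings/oleObject2.bin", ole2)
    return buf.getvalue()


if __name__ == "__main__":
    # On a real file: triage(open("suspect.docx", "rb").read())
    print(triage(build_sample_docx()))
```

The point of checking for vbaProject.bin alongside the embedded objects is exactly the situation in the post: a document can be macro-free and still carry an executable payload, so a scanner that only flags macro projects will clear it.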





Fortunately for Barracuda Essentials for Email Security and Barracuda Essentials for Office 365 users, Barracuda's Advanced Threat Detection is able to detect this threat, which may become widely used in the near future given its potential for evading detection. Relying on social engineering to get users to execute malware is always a gamble on the author's part, but in the case of email, simply getting the file onto a user's computer is likely enough to greatly increase the odds that they will also run it. Much macro-based malware already depends on this, requiring user action to run the macro in exchange for lower detection rates from antivirus products that look for auto-executing macros.
Jonathan Tanner is a Software Engineer in our Campbell office. Connect with him on LinkedIn here.
Jonathan is a Senior Security Researcher at Barracuda Networks. Connect with him on LinkedIn here.