Davy Douhine

One year ago we found that the Word 2003 XML format could be very useful for pentesters/redteamers/attackers: a standard VBA meterpreter payload saved in that format scored 1/57 on VT, instead of 20/57 with the Office OpenXML format. AV vendors have done their homework since then, and the same file now scores 14/54.

Another very simple trick can help a lot: embed the exact same file (xmhell.xml) as an object in a new Word document, save that document as Word 2003 XML again, and you get 0/54 on VT. Oh yeah!

Image : vt_babushka

Update (2016-03-31):

Two months after submitting our payload to VT, the file still scores 0/56.

It seems that AVs don't like Russian dolls, not even Kaspersky, and yet the inner file contains a straight, unencoded meterpreter payload that is normally caught.

OK, but pwning a victim with this trick is not that straightforward:

  1. the victim has to open the babushka.xml file:

Image : word_babushka

  2. then open the embedded xmhell.xml file and accept a first warning:

Image : enable_editing

  3. and then another one:

Image : enable_content

And then:

Image : meterpreter

But users are… users! They will click, and click again.

What about sandbox analysis?

The excellent Payload Security VxStream sandbox [flags](https://www.hybrid-analysis.com/sample/84ccff8e97cbb57c74615748d9c340d8cfe2363bf9b432b251013d5ad7f6909d?environmentId=1) our original xmhell file:

Image : hybrid_xmhell

But not the babushka variant:

Image : hybrid_babushka

What about a quick and dirty static analysis with olevba and oledump?

oledump catches the VBA in xmhell.xml, but we already knew that:

Image : oledump_xmhell

olevba works very well too:

Image : olevba_xmhell

But it's a different story for babushka.xml: neither tool reports the macro sitting in the embedded document:

Image : olevba_babushka

Image : oledump_babushka
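Both tools stop at the outer layer. The script below is an added example, not code from the post or from olevba/oledump: it peels a Word 2003 XML file apart the same way the babushka is built, one layer at a time, and reports what each binary part turns out to be. It assumes (and labels in comments) that binary parts sit in `w:binData` elements as base64, that parts such as editdata.mso/oledata.mso are ActiveMime containers holding a zlib stream, and that a VBA project can be spotted by its UTF-16LE OLE stream names; the nested document is carved out of its carrier by a byte scan rather than a real OLE parser. The sample input is constructed and carries only the markers, not a payload.

```python
"""Recursive scan of a Word 2003 XML (WordML) "babushka" document.
Added example, not code from the original post. Assumptions (labelled):
 - binary parts of a WordML file live in <w:binData> elements as base64;
 - a part may be an ActiveMime container (magic b"ActiveMime") holding a
   zlib stream, the wrapper used for editdata.mso / oledata.mso parts;
 - a nested WordML document is recognised by its <w:wordDocument> root tag;
 - a VBA project is recognised by OLE stream names in UTF-16LE (heuristic).
"""
import base64
import zlib
import xml.etree.ElementTree as ET

W_NS = "http://schemas.microsoft.com/office/word/2003/wordml"
WORDML_OPEN = b"<w:wordDocument"
WORDML_CLOSE = b"</w:wordDocument>"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ACTIVEMIME_MAGIC = b"ActiveMime"
ZLIB_MAGIC = b"\x78\x9c"
# Stream names an OLE directory lists for a VBA project, as stored on disk.
VBA_MARKERS = [s.encode("utf-16-le") for s in ("_VBA_PROJECT", "Macros")]


def unwrap_activemime(blob):
    """Return the zlib payload of an ActiveMime container, or blob unchanged.
    The header layout varies, so the zlib stream is located by its magic
    rather than by a fixed offset."""
    if not blob.startswith(ACTIVEMIME_MAGIC):
        return blob
    start = blob.find(ZLIB_MAGIC, len(ACTIVEMIME_MAGIC))
    if start < 0:
        return blob
    try:
        return zlib.decompress(blob[start:])
    except zlib.error:
        return blob


def wordml_parts(xml_bytes):
    """Yield (part name, decoded bytes) for every w:binData element."""
    root = ET.fromstring(xml_bytes)
    for el in root.iter("{%s}binData" % W_NS):
        yield el.get("{%s}name" % W_NS, "?"), base64.b64decode(el.text or "")


def classify(blob):
    if WORDML_OPEN in blob:
        return "wordml"          # a whole document hides inside this part
    if any(m in blob for m in VBA_MARKERS):
        return "vba"
    if blob.startswith(OLE_MAGIC):
        return "ole"
    return "other"


def carve_wordml(blob):
    """Cut the embedded WordML document out of its carrier (e.g. the Package
    stream of an OLE object). Plain byte carving: it assumes the stream is
    stored contiguously; use olefile to read the stream when it is not."""
    open_at = blob.find(WORDML_OPEN)
    start = blob.rfind(b"<?xml", 0, open_at)
    end = blob.find(WORDML_CLOSE, open_at) + len(WORDML_CLOSE)
    return blob[start if start >= 0 else open_at:end]


def scan(xml_bytes, depth=0, findings=None):
    """Return one finding per binary part, descending into nested documents."""
    if findings is None:
        findings = []
    for name, blob in wordml_parts(xml_bytes):
        blob = unwrap_activemime(blob)
        kind = classify(blob)
        findings.append({"depth": depth, "part": name, "kind": kind})
        if kind == "wordml":
            scan(carve_wordml(blob), depth + 1, findings)
    return findings


def make_wordml(parts):
    """Constructed minimal WordML carrying (name, bytes) parts; element
    placement is simplified compared with what Word itself writes."""
    bin_data = "".join(
        '<w:binData w:name="%s">%s</w:binData>' % (n, base64.b64encode(b).decode())
        for n, b in parts)
    return ('<?xml version="1.0"?><?mso-application progid="Word.Document"?>'
            '<w:wordDocument xmlns:w="%s"><w:docSuppData>%s</w:docSuppData>'
            '<w:body><w:p/></w:body></w:wordDocument>' % (W_NS, bin_data)).encode()


def make_activemime(payload):
    """Constructed stand-in for an ActiveMime container: magic, junk, zlib."""
    return ACTIVEMIME_MAGIC + b"\x00" * 0x28 + zlib.compress(payload)


def build_babushka():
    """Constructed sample, not a real payload: a WordML file carrying a VBA
    stand-in, embedded as an object in a second WordML file."""
    # Stand-in for an OLE VBA project: OLE header plus one stream name only.
    fake_vba = OLE_MAGIC + b"\x00" * 64 + "_VBA_PROJECT".encode("utf-16-le")
    inner = make_wordml([("editdata.mso", make_activemime(fake_vba))])
    # Stand-in for the embedded object: OLE header, then the inner file.
    package = OLE_MAGIC + b"\x00" * 64 + inner + b"\x00" * 64
    return make_wordml([("oledata.mso", make_activemime(package))])


if __name__ == "__main__":
    for f in scan(build_babushka()):
        print("%s%-14s %s" % ("  " * f["depth"], f["part"], f["kind"]))
```

On a real sample, hand each carved layer to olevba instead of trusting the stream-name heuristic, and if the carve returns nothing, open the decompressed oledata.mso with olefile and read the Package stream directly: the point is only that the scan must recurse into every embedded document, because a single pass over the outer file sees no macro.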

That’s all for now, happy hunting and happy pwning!