Boost Macro, HTA, and VBS Security with the Cloudmersive Private Cloud Virus Scan API
3/10/2025 - Brian O'Neill
Threat actors never stop retooling malicious payloads and improving the obfuscation tactics they use to disguise them. Staying ahead of this evolving threat landscape is the core of our mission at Cloudmersive. In our latest Private Cloud Virus Scan API update, we’ve implemented enhanced detection for DOC and XLS (legacy Word and Excel) Macros, HTA threats, and VBA scripts. Understanding the danger these file types pose is an important step towards preventing devastating file-based cyberattacks. We've included some background information on each threat below.

Understanding DOC and XLS Macro Threats

Unlike their modern Open Office XML (OOXML) equivalents – Word DOCX and Excel XLSX – legacy Word DOC and Excel XLS files are monolithic binary containers. That means ALL document components in DOC and XLS files – including text, formatting metadata, and embedded objects – are stored in a single structure. Compared with the OOXML structure, which uses a series of compressed, human-readable XML files to store, cross-reference, and represent document content, this binary file structure is extremely opaque and consequently more difficult to investigate for threats. Obfuscating malicious Macros (and other threats) is easier in the DOC and XLS file structure than in OOXML. DOCX and XLSX files are designed so that they can’t store Macros directly (Macro-enabled versions of these files are saved as DOCM and XLSM respectively). Conversely, binary DOC and XLS files can carry Macros embedded directly within the file with no external indication that this is the case. Accidental Macro execution is therefore more likely in the legacy monolithic binary container format than in modern OOXML. Rigorous investigation of DOC and XLS Macros is essential to avoid accidental Macro execution in legacy Office formats.
Understanding HTA Threats

HTML Application (HTA) files are a relatively uncommon file type, but their utility in Windows environments makes them an attractive attack vector. They can be used to build trusted, standalone applications on our desktop (with a web-based UI), automate tasks via scripting, and develop interactive tools with local file access. HTA files are executable, and they run with full system privileges via mshta.exe (which allows HTML, JavaScript, and VBScript to run outside of a web browser without the browser's security restrictions). Their full system access makes them a formidable threat. Threat actors can deliver malware and/or initiate remote code execution attacks via HTA files, and they can just as easily initiate phishing attacks by tricking people into launching obfuscated HTA files from emails or downloads. It’s usually best to block mshta.exe via security policies to prevent HTA threats, but in scenarios where that’s impossible (e.g., mshta.exe is required by various apps and workflows), HTA files should be rigorously investigated for malicious content to avoid accidental execution.

Understanding VBS Script Threats

Like any script file, Visual Basic Script (VBS) files pose a direct, obvious threat and should be treated with the utmost caution. VBS files can be manipulated to initiate remote code execution attacks, modify files and registry settings, and execute harmful commands on our system. They can be embedded in email attachments, and they can be hidden within Office Macros or obfuscated with fake file extensions. Detecting obfuscated VBS files is critical to avoid VBS-based attacks. Script files are commonly saved with phony extensions, and clever social engineering tactics can easily lead to accidental execution or download.
Obfuscated script files must be rigorously validated against the presented extension to determine whether they actually conform to the standards of the expected file type (e.g., a VBS file saved with a PDF extension will not pass a PDF content validation check).

Private Cloud Virus Scan API Threat Detection

The Private Cloud Virus Scan API offers 360-degree content protection with scanning policies for viruses, malware, and a host of content threats, including Macros, scripts, unsafe archives, executables, and more. The Virus Scan API is continuously updated with the latest virus and malware signatures, and each content policy is continuously bolstered to account for new content threat iterations and obfuscation methods. It defends against Macro, HTA, and VBS threats by investigating files “under the hood” for malicious code and rigorously validating file contents against the given file extension. For further information and/or expert advice on blocking Macro, HTA, and VBS threats with Cloudmersive, please feel free to contact a member of our team.
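The two checks described on this page, content-versus-extension validation and the DOCX/XLSX "no Macros allowed" rule, can be illustrated with the added example below. It is not Cloudmersive's code: it uses well-known file signatures (PDF, OLE2 compound file, ZIP) and a constructed set of sample files, and treats legacy DOC/XLS as opaque containers that need a deeper Macro scan rather than attempting to parse them.

```python
import io
import zipfile

# Well-known file signatures (magic bytes); the table itself is constructed for this example.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy DOC/XLS monolithic binary container
ZIP_MAGIC = b"PK\x03\x04"                         # OOXML DOCX/XLSX are ZIP containers
PDF_MAGIC = b"%PDF-"

EXPECTED_MAGIC = {"pdf": PDF_MAGIC, "doc": OLE2_MAGIC, "xls": OLE2_MAGIC,
                  "docx": ZIP_MAGIC, "xlsx": ZIP_MAGIC}


def ooxml_has_vba(data: bytes) -> bool:
    """True if an OOXML (ZIP) container carries a VBA project part (vbaProject.bin)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def validate(data: bytes, claimed_ext: str) -> str:
    """Return 'ok', 'extension-mismatch', 'hidden-macro', 'needs-deep-scan' or 'unknown-type'."""
    ext = claimed_ext.lower().lstrip(".")
    magic = EXPECTED_MAGIC.get(ext)
    if magic is None:
        return "unknown-type"
    if not data.startswith(magic):
        return "extension-mismatch"   # e.g. a script renamed to .pdf fails PDF content validation
    if ext in ("docx", "xlsx") and ooxml_has_vba(data):
        return "hidden-macro"         # DOCX/XLSX must not carry Macros; that is DOCM/XLSM territory
    if ext in ("doc", "xls"):
        return "needs-deep-scan"      # OLE2: Macros are not externally visible, inspect the container
    return "ok"


def build_docx(with_vba: bool) -> bytes:
    """Construct a minimal OOXML-like ZIP for the example (not a real Word document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()


# Constructed sample files keyed by the name (and therefore extension) they present.
SAMPLES = {"invoice.pdf": b"%PDF-1.7\n%constructed\n",
           "script_as_pdf.pdf": b'MsgBox "hello"\r\n',   # VBS text disguised with a .pdf extension
           "report.doc": OLE2_MAGIC + b"\x00" * 24,
           "memo.docx": build_docx(False),
           "memo_macro.docx": build_docx(True)}


def scan_samples() -> dict:
    return {name: validate(data, name.rsplit(".", 1)[-1]) for name, data in SAMPLES.items()}
```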