{"id":44251,"date":"2015-07-07T16:24:32","date_gmt":"2015-07-07T23:24:32","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=44251"},"modified":"2025-06-06T01:57:23","modified_gmt":"2025-06-06T08:57:23","slug":"threat-actors-use-encrypted-office-binary-format-evade-detection","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/","title":{"rendered":"Threat Actors Use Encrypted Office Binary Format to Evade Detection"},"content":{"rendered":"<p><em>This blog post was written in conjunction with Xiaoning Li.<\/em><\/p>\n<p>Microsoft Office documents play an important role in our work and personal lives. In the last couple years, unfortunately, we have seen a number of exploits, especially some critical zero-day attacks, delivered as Office documents. Here are a couple of standouts:<\/p>\n<ul>\n<li>CVE-2014-4114\/6352, the &#8220;Sandworm&#8221; zero-day attack, reported in October 2014. McAfee Labs has provided in-depth <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/bypassing-microsofts-patch-sandworm-zero-day-root-cause\">root-cause analysis<\/a> about this vulnerability as well as Microsoft&#8217;s <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm\">initial failed patch<\/a>.<\/li>\n<li>CVE-2014-1761, a highly crafted zero-day attack spotted by Google in March 2014. Read <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/close-look-rtf-zero-day-attack-cve-2014-1761-shows-sophistication-attackers\">here<\/a> to understand why we conclude it\u2019s highly crafted.<\/li>\n<li>CVE-2013-3906, a zero-day vulnerability in Microsoft Graphics Component but delivered as an Office document. 
This zero-day attack was <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/mcafee-labs-detects-zero-day-exploit-targeting-microsoft-office-2\">detected and reported<\/a> by McAfee Labs in October 2013.<\/li>\n<li>CVE-2012-0158\/1856, two vulnerabilities in MSCOMCTL.OCX that are quite old, but they have been attackers\u2019 favorites for years. Exploits are still spotted in the wild.<\/li>\n<\/ul>\n<p>At McAfee Labs we are performing some leading research on Office security to drive innovations on exploit detection and protection. Recently, we have seen an increase in attacks leveraging the Sandworm vulnerability. Most important, the threat actors have introduced some interesting detection-evasion techniques, which we want to share with the security community.<\/p>\n<h2><strong>PPSX vs. PPS<\/strong><\/h2>\n<p>We have seen quite a number of Sandworm exploits (CVE-2014-4114) masquerading as .pps (PowerPoint Show) format rather than the current .ppsx format. The original Sandworm samples were packed as .ppsx, which uses the <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/aa338205(v=office.12).aspx\">Office Open XML Format<\/a>, a replacement of the older <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/office\/gg615407(v=office.14).aspx\">Office Binary Format.<\/a> The binary format is still supported by Office for compatibility. Because the Open XML Format is transparent and open, it is easy to parse and understand for third-party applications including security products. Thus most security vendors have no problem detecting CVE-2014-4114 exploits that use the Open XML Format.<\/p>\n<p>It&#8217;s a different story with .pps documents using the Office Binary Format. Even though Microsoft has released the <a href=\"https:\/\/msdn.microsoft.com\/en-us\/library\/office\/cc313106(v=office.14).aspx\">specification<\/a>, the format is not easy to understand. As a result, security products have difficulty detecting exploits that use this format. 
Of course, the bad guys have realized this, and they have started to deliver CVE-2014-4114 exploits in .pps rather than .ppsx format. One example is the spear phishing campaign reported a few days ago by ThreatGeek. (We are tracking the campaign as well.) In this campaign, the exploits are repacked as .pps, which successfully avoids most\u00a0AV detections.<\/p>\n<h2><strong>Plain PPS vs. encrypted PPS<\/strong><\/h2>\n<p>Fortunately, even though the binary format is hard to parse, it is still a &#8220;plain&#8221; format, meaning that if there is a good signature with generic patterns, the malicious bytes won&#8217;t be able to hide. But the exploit writers are not content with only moving to .pps. At McAfee Labs we see that they are now encrypting their exploits to make them even harder to detect.<\/p>\n<p>Let&#8217;s take a look at what a normal .pps and an encrypted .pps look like by examining a sample we spotted in plain .pps. As we can see in the following image, the key bytes (the string \u201cpackage\u201d) can still be seen, which suggests the bytes are not encrypted.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-44253 \" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png\" alt=\"\" width=\"940\" height=\"474\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png 962w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format-300x151.png 300w\" sizes=\"auto, (max-width: 940px) 100vw, 940px\" \/><\/a><\/p>\n<p>And here is an encrypted .pps:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Encrypted_Binary_Format.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-44257\" 
src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Encrypted_Binary_Format.png\" alt=\"\" width=\"965\" height=\"481\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Encrypted_Binary_Format.png 965w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Encrypted_Binary_Format-300x150.png 300w\" sizes=\"auto, (max-width: 965px) 100vw, 965px\" \/><\/a><\/p>\n<p>In the encrypted version we can\u2019t find any malicious bytes at all.<\/p>\n<p>Let&#8217;s try to open and edit the sample with PowerPoint. To avoid playing it, we first rename it from .pps to .ppt.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-44259\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_Document_Requiring_Password.png\" alt=\"\" width=\"860\" height=\"734\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_Document_Requiring_Password.png 967w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_Document_Requiring_Password-300x256.png 300w\" sizes=\"auto, (max-width: 860px) 100vw, 860px\" \/><\/p>\n<p>The exploit authors have cleverly leveraged a feature in Office that allows an author to protect documents from viewing or editing. In this example, the author has encrypted the document with a password, allowing anyone to view but not edit. (When we open a .pps (PowerPoint Show) document, we are actually &#8220;viewing&#8221; it; that&#8217;s why the exploit works without a password prompt.) On the other hand, because the document can&#8217;t be edited, it prevents security products from analyzing the content, and also prevents researchers from statically analyzing the malicious sample.<\/p>\n<p>We have tracked threat campaigns with encrypted Office exploits for some time. Here is one older than the spear phishing example. 
This campaign, with MD5: 2E63ED1CDCEBAC556F78F16E8E872786, arrived with the filename \u201cAttachment Information\uff08English Version\uff09.pps\u201d and was first seen on VirusTotal on May 12. As of July 2, there was still no detection on VirusTotal due to the encryption.<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_Office_Binary_Sample_VT_Detection2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-44298\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_Office_Binary_Sample_VT_Detection2.png\" alt=\"\" width=\"728\" height=\"212\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_Office_Binary_Sample_VT_Detection2.png 728w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Encrypted_Office_Binary_Sample_VT_Detection2-300x87.png 300w\" sizes=\"auto, (max-width: 728px) 100vw, 728px\" \/><\/a><\/p>\n<p><strong>Analyzing the malware in the encrypted exploit<\/strong><\/p>\n<p>In exploiting CVE-2014-4114, this malicious .pps sample dropped one <a href=\"https:\/\/www.mcafee.com\/en-us\/antivirus\/malware.html\">malware<\/a> into the temp directory and ran it as update.dat (9421D13AA5F3ECE0C790A7184B9B10B3).<\/p>\n<p>The file&#8217;s main function:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-44265\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware1.png\" alt=\"\" width=\"1018\" height=\"566\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware1.png 1018w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware1-300x167.png 300w\" sizes=\"auto, (max-width: 1018px) 100vw, 1018px\" \/><\/a><\/p>\n<p>The main function performed several tasks:<\/p>\n<ul>\n<li>Decrypted the encrypted .exe file data into $AppData\\Roaming\\SearchCache.dll (97FE2A5733D33BDE1F93678B73B062AC)<\/li>\n<li>Ran a new 
rundll32.exe process to call the exported API _flushfile@16 in SearchCache.dll\u00a0(C:\\Windows\\system32\\rundll32.exe $AppData\\Roaming \\SearchCache.dll\u201d,_flushfile@16 $AppData\\Local\\Temp\\update.dat)<\/li>\n<\/ul>\n<p>In the exported API _flushfile@16, the code at first slept to avoid detection, and then deleted the original update.dat and created a new thread to perform other tasks.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-44266\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware2.png\" alt=\"\" width=\"695\" height=\"138\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware2.png 695w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware2-300x60.png 300w\" sizes=\"auto, (max-width: 695px) 100vw, 695px\" \/><\/p>\n<p>The new thread connected to a control server, collected local system information, and sent the data to the control server. This thread also downloaded irmon32.dll and registered a service for it for future malicious actions. 
The detailed steps:<\/p>\n<p><a href=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware_analysis_list23.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-44311\" src=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware_analysis_list23.png\" alt=\"\" width=\"690\" height=\"730\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware_analysis_list23.png 690w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/malware_analysis_list23-284x300.png 284w\" sizes=\"auto, (max-width: 690px) 100vw, 690px\" \/><\/a><\/p>\n<p><strong>Threat intelligence<\/strong><\/p>\n<p>To help our fellow defenders with their analyses, here are some of the sample hashes (MD5) related to these campaigns:<\/p>\n<h2><strong>Conclusion and response<\/strong><\/h2>\n<p>These evasion tricks produce a real challenge for defenders. Although security is always a seesaw battle, we need to stay ahead of the bad guys. 
This case also highlights the fact that in today\u2019s computing environment, no single security product (whether network-, endpoint-, or sandbox-based) can stop all threats. For this type of\u00a0threat, our sandbox-based <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/products\/advanced-threat-defense.html\">Advanced Threat Defense<\/a> and <a href=\"https:\/\/www.mcafee.com\/enterprise\/en-us\/products\/host-ips-for-desktop.html\">Host Intrusion Prevention<\/a> are\u00a0ideal choices. (And if\u00a0you haven&#8217;t <a href=\"https:\/\/technet.microsoft.com\/library\/security\/ms14-064\">patched<\/a> the Sandworm vulnerability, you&#8217;d better get to it.) McAfee AntiVirus provides detections for the two campaigns we discussed, including both the \u201cplain\u201d and \u201cencrypted\u201d exploits.<\/p>\n<h2><strong>Furthermore<\/strong><\/h2>\n<p>Speaking of Office security, we will make a <a href=\"https:\/\/www.blackhat.com\/us-15\/briefings.html#attacking-interoperability-an-ole-edition\">presentation<\/a> at this year&#8217;s Black Hat USA 2015 security conference in Las Vegas in August. We will present some of our original, cutting-edge research on the important OLE feature in Office. We want to help the community understand the risk of Office OLE and better protect users from threat actors.<\/p>\n<p>&nbsp;<\/p>\n<p><em>Special thanks to Bing Sun and Stanley Zhu of\u00a0 McAfee for their valuable input.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This blog post was written in conjunction with Xiaoning Li. 
Microsoft Office documents play an important role in our work&#8230;<\/p>\n","protected":false},"author":610,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1411,3944,338,180],"coauthors":[2524],"class_list":["post-44251","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-advanced-persistent-threats","tag-antivirus","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Threat Actors Use Encrypted Office Binary Format to Evade Detection | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Attacks leveraging the Sandworm vulnerability now include some interesting detection-evasion techniques, specifically an old format and encryption.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Threat Actors Use Encrypted Office Binary Format to Evade Detection | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Attacks leveraging the Sandworm vulnerability now include some interesting detection-evasion techniques, specifically an old format and encryption.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2015-07-07T23:24:32+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-06T08:57:23+00:00\" 
\/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png\" \/>\n\t<meta property=\"og:image:width\" content=\"962\" \/>\n\t<meta property=\"og:image:height\" content=\"485\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Haifei Li\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Haifei Li\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/\"},\"author\":{\"name\":\"Haifei Li\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/fd18845cc3f27ed398648df8cc802444\"},\"headline\":\"Threat Actors Use Encrypted Office Binary Format to Evade 
Detection\",\"datePublished\":\"2015-07-07T23:24:32+00:00\",\"dateModified\":\"2025-06-06T08:57:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/\"},\"wordCount\":1266,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png\",\"keywords\":[\"advanced persistent threats\",\"antivirus\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/\",\"name\":\"Threat Actors Use Encrypted Office Binary Format to Evade Detection | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png\",\"datePublished\":\"2015-07-07T23:24:32+00:00\",\"dateModified\":\"2025-06-06T08:57:23+00:00\",\"description\":\"Attacks leveraging the Sandworm vulnerability now include some interesting detection-evasion techniques, specifically an old format and 
encryption.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Threat Actors Use Encrypted Office Binary Format to Evade Detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security 
News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/fd18845cc3f27ed398648df8cc802444\",\"name\":\"Haifei Li\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/88c52c07fcacd190468a32af554e5f36\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/49ae79ecae2f1bff04cb595e12d9cc72?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/49ae79ecae2f1bff04cb595e12d9cc72?s=96&d=mm&r=g\",\"caption\":\"Haifei Li\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/in\/haifeili\/\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/haifei-li\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Threat Actors Use Encrypted Office Binary Format to Evade Detection | McAfee Blog","description":"Attacks leveraging the Sandworm vulnerability now include some interesting detection-evasion techniques, specifically an old format and encryption.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Threat Actors Use Encrypted Office Binary Format to Evade Detection | McAfee Blog","og_description":"Attacks leveraging the Sandworm vulnerability now include some interesting detection-evasion techniques, specifically an old format and encryption.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2015-07-07T23:24:32+00:00","article_modified_time":"2025-06-06T08:57:23+00:00","og_image":[{"width":962,"height":485,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png","type":"image\/png"}],"author":"Haifei Li","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Haifei Li","Est. 
reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/"},"author":{"name":"Haifei Li","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/fd18845cc3f27ed398648df8cc802444"},"headline":"Threat Actors Use Encrypted Office Binary Format to Evade Detection","datePublished":"2015-07-07T23:24:32+00:00","dateModified":"2025-06-06T08:57:23+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/"},"wordCount":1266,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png","keywords":["advanced persistent threats","antivirus","endpoint protection","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/","name":"Threat Actors Use Encrypted Office Binary Format to Evade Detection | McAfee 
Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png","datePublished":"2015-07-07T23:24:32+00:00","dateModified":"2025-06-06T08:57:23+00:00","description":"Attacks leveraging the Sandworm vulnerability now include some interesting detection-evasion techniques, specifically an old format and encryption.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Sample_Plain_Binary_Format.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/threat-actors-use-encrypted-office-binary-format-evade-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee 
Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Threat Actors Use Encrypted Office Binary Format to Evade Detection"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/fd18845cc3f27ed398648df8cc802444","name":"Haifei Li","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/88c52c07fcacd190468a32af554e5f36","url":"https:\/\/secure.gravatar.com\/avatar\/49ae79ecae2f1bff04cb595e12d9cc72?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/49ae79ecae2f1bff04cb595e12d9cc72?s=96&d=mm&r=g","caption":"Haifei 
Li"},"sameAs":["https:\/\/www.linkedin.com\/in\/haifeili\/"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/haifei-li\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/44251","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/610"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=44251"}],"version-history":[{"count":5,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/44251\/revisions"}],"predecessor-version":[{"id":215185,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/44251\/revisions\/215185"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=44251"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=44251"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=44251"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=44251"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}