
Been given a .docx file to check whether it has a virus or something, ran McAfee and SuperAntiSpyware on it and results came back negative so I thought it was good and proceeded to open it, just a file with some text, a few .jpg and .png files and a little drawing on there.

Out of curiosity I uploaded it to VirusTotal and it says it's clean too, but in the behaviour tab it seems like it opens a lot of files, writes to some others and opens and sets some keys in the Windows Registry, overall under \Microsoft\Office...

Also says it runs this "...\Office15\WINWORD.EXE /Automation -Embedding" and creates some mutexes (I don't know what that is).

The behaviour tab claims it calls WMI.

I replaced the extension with .zip so I could see those .xml files in there and after reading through them all I can't really tell whether they are good or not; they appear to be.

Is a .docx file capable of setting keys in the registry? I only noticed the search sidebar panel in Word was closed while it's usually out, I thought I must've closed it last time.

Maybe that site uses some virtualization and it causes that for some reason?

I restored the system with an image I had so that's fixed now, but I'm curious because I usually just run the AV and go on with life just like that, and I don't have a file without personal data to try.

If there is a possibility someone here knows better and has the time to check it out, please, I can upload it somewhere so that anyone can see it.

Thanks in advance.

EDIT:

Just created another .docx file from LibreOffice with a table, some text and a few pics on it and it creates the same number of .xml files, and they look pretty much the same. After uploading it to VirusTotal, this new file also has that behaviour tab with the same paths and tags as the one I was given in the first place.

I assume it's just the way it handles it or something but the file is clear.

Docfieguy

4 Answers


A Microsoft Word file does not -usually- have the ability to modify your machine, especially at any administrative level. What you are seeing is probably the inner workings of Microsoft Word/LibreOffice. As another example, MS Word creates a temporary hidden file in the same directory as the original whenever you open a document.

One exception to the innocuousness of doc/docx is what are called "macros". Macros can be malicious and there have been macro viruses. It is not such a problem anymore, because macros are disabled by default for external documents and multiple anti-virus products block them too.

ARGYROU MINAS
  • Also, Word (and hopefully compatible programs) will never execute macros in a .docx file, even if they're present. Macro-enabled documents use the .docm extension. Even then, Word will prompt you for confirmation if it thinks the file came from outside your machine (don't count on that protection though; as a general rule, never open docm that you aren't expecting, and treat it like running an EXE). – CBHacking Mar 03 '22 at 13:17

As a general rule, no, the file isn't doing any of that. It's being done by the program that processes the file - in this case, the Windows version of Microsoft Word, which still uses the amazingly archaic executable name of winword.exe - but Word would do those things for any file you open.

Some stuff (not a complete list) that Word does when you open a file:

  • Load a bunch of libraries (DLL files) that implement various functionality that Word doesn't always need, and therefore doesn't load except on demand. This shows up as a bunch of file reads.
  • Update the recently-used documents list (which is stored in the registry; that's probably the registry write you saw).
  • Create a temporary copy of the file, to which any changes are written (autosave) until and unless you explicitly save changes to the file, at which point the original is overwritten. This causes a file creation and file write actions (and later file deletion).
  • Extract resources (e.g. images, fonts, and any other embedded media) from the file (which is a structured ZIP archive) to a temporary directory, because you can't render content straight out of a ZIP file. This causes file creation and writing (and later deleting).

Now with all that said, it is possible for a Word document to be malicious.

  1. The easy way is for it to have one or more malicious macros. Office macros are written in a Turing-complete scripting language that is capable of arbitrary actions on the operating system; for all intents and purposes they are executable programs. However, Word should never execute macros from a .docx file - only .docm and maybe legacy .doc - and usually prompts you before doing so anyhow.
  2. The more complicated way for a Word doc to be malicious is for it to contain an exploit for a vulnerability in Word. Word supports a huge number of features across a very large number of file formats (the old binary .doc format, the Office Open XML format docx/docm format, Rich Text Format, Open Document Format, and a bunch of others, each usually having multiple incompatible versions), and as such its parser and renderer is extremely complicated code. A highly complicated file parser/renderer is a lot of attack surface in which to search for bugs, and Word is written in native code (C++) so bugs can lead to attacker-controlled memory corruption, which can lead to arbitrary code execution. In fact, since Word supports scripting - via the macro language VBA - you don't even necessarily need to use the usual sorts of memory corruption payloads (Return-Oriented Programming or similar) to achieve code execution; if you can put a bunch of VBA code into a file and then force Word to treat it as a macro (even if the file normally wouldn't run macros), then that's another way to run arbitrary code.

In this case, though, it sounds like the file itself is probably totally innocuous.

CBHacking
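The two answers above make the same triage point: a .docx is a ZIP package, and macros live in a separate VBA part that only a macro-enabled (.docm) package should declare. The script below is an added example (not code from the question or the answers) that inspects a package the way the asker did by hand: it lists the parts, checks for the `word/vbaProject.bin` part, and checks whether `[Content_Types].xml` declares the main part as macro-enabled, so a file carrying a .docx name but macro-enabled contents stands out. The sample packages it builds are constructed stand-ins, not real Word output.

```python
import io
import zipfile

# Well-known Office Open XML content types for the main document part
# (plain WordprocessingML vs. macro-enabled) and the VBA part name.
PLAIN_CT = ("application/vnd.openxmlformats-officedocument"
            ".wordprocessingml.document.main+xml")
MACRO_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
VBA_PART = "word/vbaProject.bin"
CT_NS = "http://schemas.openxmlformats.org/package/2006/content-types"


def inspect_docx(data: bytes) -> dict:
    """Open OOXML bytes as the ZIP they are and report the macro-relevant facts."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        ctypes = ""
        if "[Content_Types].xml" in names:
            ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    has_vba = VBA_PART in names
    declared_macro = MACRO_CT in ctypes
    return {
        "parts": names,
        "has_vba_project": has_vba,
        "declared_macro_enabled": declared_macro,
        # A plain .docx should show neither; either one deserves a closer look.
        "needs_review": has_vba or declared_macro,
    }


def build_sample(macro: bool) -> bytes:
    """Constructed minimal package for demonstration; not a real Word file."""
    main_ct = MACRO_CT if macro else PLAIN_CT
    ct_xml = (f'<?xml version="1.0" encoding="UTF-8"?><Types xmlns="{CT_NS}">'
              '<Default Extension="xml" ContentType="application/xml"/>'
              f'<Override PartName="/word/document.xml" ContentType="{main_ct}"/>'
              '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", ct_xml)
        zf.writestr("word/document.xml", "<w:document/>")
        if macro:
            zf.writestr(VBA_PART, b"constructed placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for is_macro in (False, True):
        print("macro package" if is_macro else "plain package",
              inspect_docx(build_sample(is_macro)))
```

To run it against a real file, read the file's bytes and pass them to `inspect_docx`; a result with `needs_review` set on something named .docx is the mismatch CBHacking describes.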

It's difficult to tell without you sharing the actual registry keys, but Microsoft Office creates and modifies registry keys all of its own during normal operation, for example to record recently used files. So it may well be that what you are seeing is this behaviour of the Office program itself.

Tilman Schmidt

The behaviour indicated by VirusTotal is the normal behaviour when Word processes a docx file:

  • the docx (which is a zip file) is uncompressed into a temp folder and that bunch of files is read.
  • the registry is read to get the user and system parameters
  • the (user) registry is updated to store the new file in the recent file list
  • other temp files can be written to store the state of the editing session, to be able to restore it in case of a crash

It is indeed a good deal of work under the hood, but all the magical goodies of Word come at that price.

Serge Ballesta