Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Internet Storm Center Internet Storm Center

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Malicious .DWG Files?

Published: 2019-12-16
Last Updated: 2019-12-16 01:21:51 UTC
by Didier Stevens (Version: 1)
1 comment(s)

This weekend, I took a look at AutoCAD drawing files (.dwg) with embedded VBA macros.

When a .dwg file contains VBA macros, a Compound File Binary Format file (what I like to call an OLE file) is embedded inside the .dwg file. This OLE file contains the VBA macros. It's similar to .docm files, except that a .dwg file is not a ZIP container. More details on the file format can be found in my blog post "Analyzing .DWG Files With Embedded VBA Macros", but knowing these details is not a prerequisite to be able to perform an analysis as I show here.

I combine my tools and to extract and analyze the embedded OLE file with macros:

This .dwg file that I was given contains indeed a VBA project, but it's an empty project, without actual code (remark indicator m for stream 3 and that stream 3 doesn't contain "real" VBA code, just the normal attributes).

I did some searching for .dwg files with real VBA code, and found the following sample:

This is clearly malicious: a CreateThread API declaration and a sequence of numbers (between 0-255). This is shellcode that is injected into the AutoCAD process.

I'm no longer an AutoCAD specialist (I used AutoCAD and AutoLISP a lot in the 90's), but as far as I know, subroutine names like Auto_Open, AutoOpen and Workbook_Open do not trigger automatic execution in AutoCAD. One needs to associate a subroutine with an AcadDocument event to trigger execution.

This drawing contains malicious code, but it will not execute automatically. This sample is probably a PoC or some kind of test.

The shellcode can be extracted and analyzed with and the shellcode emulator scdbg:

With this IOC, I found other maldocs using the same IP address.

Like this sample, with exactly the same VBA source code (ignoring whitespace). This malicious Office document  was submitted to VT one month earlier than the malicious AutoCAD drawing. And if we can trust the medata data of the Office document, then it's almost 2 years old.

This leads me to believe that this malicious AutoCAD drawing I found could well be an experiment.

My search was far from exaustive, but I did not find other examples of AutoCAD drawings with embedded, malicious VBA code (remark that VBA is not the only way the achieve RCE with AutoCAD).


Like Office, AutoCAD will warn users when a document with embedded macros is opened:

And even better: since AutoCAD 2016, VBA is no longer included. It is an optional install (separate download and manual installation):

So if you use AutoCAD in your organisation, know that drawings with embedded, malicious VBA code seem to be rare (caveat: my search was far from exhaustive), and that with modern versions of AutoCAD, VBA no longer comes pre-installed.



Didier Stevens
Senior handler
Microsoft MVP

1 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

VirusTotal Email Submissions
Dec 15th 2019
22 hours ago by DidierStevens (0 comments)

(Lazy) Sunday Maldoc Analysis: A Bit More ...
Dec 14th 2019
1 day ago by DidierStevens (0 comments)

Internet banking sites and their use of TLS... and SSLv3... and SSLv2?!
Dec 13th 2019
3 days ago by Jan (0 comments)

Code & Data Reuse in the Malware Ecosystem
Dec 12th 2019
4 days ago by Xme (0 comments)

German language malspam pushes yet another wave of Trickbot
Dec 11th 2019
5 days ago by Brad (0 comments)

Microsoft December 2019 Patch Tuesday
Dec 10th 2019
5 days ago by Renato (0 comments)

(Lazy) Sunday Maldoc Analysis
Dec 9th 2019
1 week ago by DidierStevens (0 comments)

View All Diaries →

Latest Discussions

"slow" half open tests (preparation for attacks?)
created Oct 28th 2019
1 month ago by Anonymous (0 replies)

Recommended Desktop Antivirus to use?
created Oct 21st 2019
1 month ago by Anonymous (0 replies)

Suspicious Domain Scoring
created Oct 4th 2019
2 months ago by Luke (1 reply)

SANS ISC InfoSec News RSS Feed broken?
created Aug 29th 2019
3 months ago by Adi (2 replies)

created Aug 14th 2019
4 months ago by Anonymous (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
5 months ago by Brad (0 comments)

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
2 years ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
2 years ago by Johannes (0 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
2 years ago by Renato (0 comments)

Detection Lab: Visibility & Introspection for Defenders
Dec 15th 2017
2 years ago by Russ McRee (0 comments)