
SANS ISC: Malicious XSL Files SANS ISC InfoSec Forums


Malicious XSL Files

In yesterday's diary entry "A 'Stream O' Maldoc", the payload was an XSL/XSLT file.

Now, malicious XSL files will not execute just by double-clicking them. On a default Windows install, Internet Explorer will be launched to display the content of the file as XML:

But in this case, the malicious Word document contains VBA code that will launch a WMIC query with the XSL file as stylesheet:

This results in the execution of the code inside the XSL file, as discovered and reported by subTee/Casey Smith last year.

 

Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com
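
A static triage check for XSL files like the one described above, added here as an example and not part of the original diary. It assumes the executable code sits in the Microsoft XSLT `script` extension element (namespace `urn:schemas-microsoft-com:xslt`); the function name `triage_xsl` and the sample stylesheet are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace in which MSXML defines the <script> extension element for XSLT.
MSXSL_NS = "urn:schemas-microsoft-com:xslt"
XSLT_NS = "http://www.w3.org/1999/XSL/Transform"


def triage_xsl(data: bytes) -> dict:
    """Statically inspect an XSL file for embedded script; nothing is executed."""
    report = {"is_xslt": False, "scripts": [], "error": None}
    # Refuse DTDs: the stdlib parser expands internal entities, and a
    # stylesheet has no need for them.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        report["error"] = "DTD present, not parsed"
        return report
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        report["error"] = f"not well-formed XML: {exc}"
        return report
    report["is_xslt"] = root.tag in (f"{{{XSLT_NS}}}stylesheet", f"{{{XSLT_NS}}}transform")
    # Match on the namespace URI, not the prefix: "ms:", "msxsl:" or any
    # other prefix can be bound to it.
    for el in root.iter(f"{{{MSXSL_NS}}}script"):
        code = "".join(el.itertext()).strip()
        report["scripts"].append({
            "language": el.get("language", "(default)"),
            "implements_prefix": el.get("implements-prefix"),
            "code_chars": len(code),
            "preview": code[:60],
        })
    return report


# Constructed sample: a harmless stylesheet whose script only returns a string.
SAMPLE = b"""<?xml version="1.0"?>
<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:x="urn:schemas-microsoft-com:xslt"
    xmlns:user="urn:example:constructed">
  <x:script implements-prefix="user" language="JScript"><![CDATA[
    function label() { return "constructed sample"; }
  ]]></x:script>
  <xsl:template match="/"><xsl:value-of select="user:label()"/></xsl:template>
</xsl:stylesheet>"""

if __name__ == "__main__":
    print(triage_xsl(SAMPLE))
```

A non-empty `scripts` list in an XSL file that arrived alongside an Office document is a reason to review the script body by hand; a stylesheet that only formats output normally has none.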
