

Embedded malware: How OLE objects can harbor threats

Nation-states have been carrying out attacks using RTF files with embedded malware. Expert Nick Lewis explains how OLE technology is used and how to protect your enterprise.

Defending against a nation-state attacker can require very different tactics than when defending against a common attacker. The resources a nation-state devotes to achieving its mission against a target can be significant. While a nation-state may use techniques similar to those used by common attackers, it also has the ability to create and drive advances in offensive security.

In this tip, we'll look at a recent nation-state attack against NATO members that used Object Linking and Embedding (OLE) technology and how enterprises can defend against it.

Recent attacks using OLE technology

Cisco Talos researchers blogged about a nation-state attack targeting NATO members that used a malicious RTF file. They described the reconnaissance framework as resembling a matryoshka, or Russian nesting doll, because of its multiple layers of OLE objects with embedded malware. Talos didn't report how the malicious file reached the target users, but a phishing email carrying the file as an attachment is the most likely delivery method.

When the malicious file is opened in Microsoft Word, a dialog about embedded content is displayed, asking the user whether to allow the content to play. If the user declines, the attack stops there. If the user allows the content to play, the file moves on to the next stage of the multistage attack. The embedded content is an OLE object that uses Adobe Flash to extract an encoded binary; that binary, in turn, uses Flash ActionScript to download an additional Flash file.

The ActionScript posts the victim's Flash configuration details to the attacker's server, which lets the attacker identify whether the connecting system is a virtual machine or sandbox. If it is, the attacker can stop the attack to minimize the chance of detection. Otherwise, more files are downloaded and decoded using a variable supplied by the server, and then the ActionScript executes the malicious code. Talos didn't report what action the final malicious code takes.

These steps make it harder to identify and analyze the embedded malware. Attackers use many techniques to evade detection, including Base64 encoding, packers, compression, encryption, downloaders, scripts, macros and external references. Each layer must be reverse-engineered during analysis to confirm the attack and determine the specific steps the attackers took.

In this attack, it also looked as if the attacker was monitoring for detection: the external file referenced by one of the Flash objects was replaced with a new file designed to cause problems for analysis tools.
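To make the nesting concrete, the following is an added example written for this tip; it is not Talos' tooling or code from the attack. It parses an RTF file for \objdata groups, decodes the OLE 1.0 object header that sits in front of the native data (per MS-OLEDS), and recursively peels Flash (SWF) layers, decompressing zlib-packed CWS files to look inside them. The sample RTF, the OLE class name ShockwaveFlash.ShockwaveFlash.9, the nesting depth and the SWF headers are all constructed for the example and carry no real payload; only the RTF and OLE1 layouts are taken from the specifications.

```python
"""Peel an RTF -> OLE1 object -> compressed SWF -> inner SWF nesting.

Editor's example code; the sample below is constructed and not the Talos sample.
"""
import re
import struct
import zlib


def _lp_ansi(s: bytes) -> bytes:
    """OLE1 LengthPrefixedAnsiString: 4-byte length (incl. NUL) then bytes; 0 if empty."""
    if not s:
        return struct.pack("<I", 0)
    return struct.pack("<I", len(s) + 1) + s + b"\0"


# --- constructed sample: RTF -> OLE1 embedded object -> zlib SWF -> raw SWF ---
INNER_SWF = b"FWS" + bytes([8]) + struct.pack("<I", 12) + b"\0\0\0\0"   # minimal SWF v8
_PAYLOAD = b"\0" * 16 + INNER_SWF + b"\0" * 4                              # inner doll at offset 16
OUTER_SWF = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(_PAYLOAD)) + zlib.compress(_PAYLOAD)
OLE1_BLOB = (
    struct.pack("<II", 0x00000501, 2)                # OLEVersion, FormatID=2 (embedded object)
    + _lp_ansi(b"ShockwaveFlash.ShockwaveFlash.9")   # ClassName (assumed for this sample)
    + _lp_ansi(b"") + _lp_ansi(b"")                  # TopicName, ItemName
    + struct.pack("<I", len(OUTER_SWF)) + OUTER_SWF  # NativeDataSize, NativeData
)
_HEX = OLE1_BLOB.hex().encode()
SAMPLE_RTF = (
    rb"{\rtf1\ansi{\object\objemb{\*\objclass ShockwaveFlash.ShockwaveFlash.9}{\*\objdata "
    + b"\n".join(_HEX[i:i + 64] for i in range(0, len(_HEX), 64))  # RTF writers wrap the hex
    + rb"}}\par}"
)

SWF_MAGICS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
CONTAINERS = [(b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2-compound"), (b"MZ", "pe"),
              (b"{\\rtf", "rtf"), (b"FWS", "swf"), (b"CWS", "swf"), (b"ZWS", "swf")]


def extract_objects(rtf: bytes):
    """Yield (objclass, raw OLE1 bytes) for every \\objdata group in the RTF."""
    for m in re.finditer(rb"\\objdata\s*([0-9a-fA-F\s]+)", rtf):
        classes = re.findall(rb"\\objclass\s*([^\\{}]+)", rtf[:m.start()])
        objclass = classes[-1].strip().decode("latin-1") if classes else ""
        yield objclass, bytes.fromhex(m.group(1).decode("ascii"))  # fromhex skips whitespace


def parse_ole1(blob: bytes) -> dict:
    """Parse the OLE1.0 ObjectHeader (MS-OLEDS) for FormatID 2, the embedded-object case."""
    version, fmt = struct.unpack_from("<II", blob, 0)
    off, names = 8, []
    for _ in range(3):                       # ClassName, TopicName, ItemName
        (n,) = struct.unpack_from("<I", blob, off)
        off += 4
        names.append(blob[off:off + n].rstrip(b"\0").decode("latin-1"))
        off += n
    (size,) = struct.unpack_from("<I", blob, off)
    off += 4
    return {"version": version, "format_id": fmt, "class_name": names[0],
            "native": blob[off:off + size]}


def find_swf_headers(data: bytes) -> list:
    """Offsets of plausible SWF headers: magic, version byte, 4-byte file length."""
    hits = []
    for magic, kind in SWF_MAGICS.items():
        i = data.find(magic)
        while i != -1 and i + 8 <= len(data):
            version = data[i + 3]
            (length,) = struct.unpack_from("<I", data, i + 4)
            if 1 <= version <= 50 and length >= 8:  # cheap sanity check against random hits
                hits.append((i, kind))
            i = data.find(magic, i + 1)
    return sorted(hits)


def peel_layers(data: bytes, depth: int = 0, max_depth: int = 5) -> list:
    """Report every SWF header, unpacking zlib (CWS) layers to search inside them."""
    found = []
    for off, kind in find_swf_headers(data):
        found.append({"depth": depth, "offset": off, "type": f"swf-{kind}"})
        if kind == "zlib" and depth < max_depth:
            try:
                inner = zlib.decompress(data[off + 8:])
            except zlib.error:
                continue                       # truncated or hostile stream: report, do not unpack
            found.extend(peel_layers(inner, depth + 1, max_depth))
        # ZWS (LZMA) layers are reported but not unpacked in this example
    return found


def analyze_rtf(rtf: bytes) -> list:
    """One report entry per embedded OLE object, with the SWF layers nested inside it."""
    report = []
    for objclass, blob in extract_objects(rtf):
        hdr = parse_ole1(blob)
        native = hdr["native"] if hdr["format_id"] == 2 else b""
        container = next((name for sig, name in CONTAINERS if native.startswith(sig)), "unknown")
        report.append({"objclass": objclass, "class_name": hdr["class_name"],
                       "native_size": len(native), "container": container,
                       "layers": peel_layers(native)})
    return report


if __name__ == "__main__":
    for obj in analyze_rtf(SAMPLE_RTF):
        print(obj)
```

On the constructed sample the report shows one object whose native data is a zlib-compressed SWF at depth 0 and a second, uncompressed SWF at offset 16 inside it at depth 1. Each recovered layer is what a real analysis would next hand to a Flash decompiler to read the ActionScript; the decompression is wrapped so that a deliberately broken stream, like the replacement file Talos observed, is reported rather than crashing the scan.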

Enterprise defenses

The vulnerabilities identified in the embedded malware attacks using the Matryoshka Doll Reconnaissance Framework can be defended against with many of the security tools already in use in most enterprises, such as an advanced endpoint security agent, network security gateway, email security gateway, intrusion prevention system, next-generation firewall or DNS-based tools.

This attack also exposes the fragility of some security tools when faced with hostile files or actions: the replacement file served by the attacker was built specifically to trip up analysis tools. When evaluating security tools, enterprises should check what happens when the device's storage fills up, when the network is overwhelmed, and when a single malformed file is fed to the analysis engine.

These security tools sit on top of the protections that should be securely implemented and configured on the endpoints, and endpoint security has improved rapidly as security models on the endpoint have changed. Removing Flash, or never installing it, prevents the Flash-based stages of this attack from running, though it does not stop OLE-based attacks that embed other kinds of content. Likewise, opening documents in something other than Word, such as a viewer that does not activate embedded objects, may provide some protection against embedded malware.

Enterprises that must accept potentially malicious files from known and unknown sources may want to convert incoming files to a different file type to keep embedded code from reaching an endpoint. For example, a malicious Word file could be converted into a benign PDF. Functionality may be reduced, but the content can still be viewed. Because the converter itself has to parse the hostile file, the conversion should run on an isolated system rather than on the recipient's endpoint.


Studying the tools and techniques of advanced attackers can help enterprises advance their information security programs and test the effectiveness of their security controls. Penetration testing and the study of information security incidents have become common ways for enterprises to identify effective security controls. Enterprises must factor advances in attack techniques into their risk assessments to prioritize implementing or replacing security controls.

This was last published in June 2017