Adversaries may use Word 2007 XML documents in Flat OPC format to embed malicious payloads within Microsoft Office files, leveraging the format’s ability to hide malicious content. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential covert malware delivery vectors that evade traditional detection methods.
YARA Rule
rule Word_2007_XML_Flat_OPC : maldoc
{
    meta:
        author = "Martin Willing (https://evild3ad.com)"
        description = "Detect Word 2007 XML Document in the Flat OPC format w/ embedded Microsoft Office 2007+ document"
        date = "2018-04-29"
        reference = "https://blogs.msdn.microsoft.com/ericwhite/2008/09/29/the-flat-opc-format/"
        hash1 = "060c036ce059b465a05c42420efa07bf"
        hash2 = "2af21d35bb909a0ac081c2399d0939b1"
        hash3 = "72ffa688c228b0b833e69547885650fe"
        filetype = "Office documents"
    strings:
        $xml = "<?xml" // XML declaration
        $WordML = "<?mso-application progid=\"Word.Document\"?>" // XML processing instruction => A Windows OS with Microsoft Office installed will recognize the file as a MS Word document.
        $OPC = "<pkg:package" // Open XML Package
        $xmlns = "http://schemas.microsoft.com/office/2006/xmlPackage" // XML namespace => Microsoft Office 2007 XML Schema Reference
        $binaryData = "<pkg:binaryData>0M8R4KGxGuE" // Binary Part (Microsoft Office 2007+ document encoded in a Base64 string, broken into lines of 76 characters) => D0 CF 11 E0 A1 B1 1A E1 (vbaProject.bin / DOCM)
        $docm = "pkg:name=\"/word/vbaProject.bin\"" // Binary Object
    condition:
        $xml at 0 and $WordML and $OPC and $xmlns and $binaryData and $docm
}
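An added example, not part of the original rule or its author's tooling: a Python script that checks the same indicators structurally rather than by raw byte patterns. It parses the Flat OPC package, strips the 76-character line breaks from each pkg:binaryData part, decodes the Base64 and tests the decoded bytes for the OLE header that the rule's "0M8R4KGxGuE" prefix encodes; it generalizes the rule slightly by flagging any binary part that is an OLE container, not only /word/vbaProject.bin. The sample document is constructed inline and its binary part is not a real VBA project.

```python
import base64
import re
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.microsoft.com/office/2006/xmlPackage"
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary (OLE) header

# Constructed sample: a minimal Flat OPC document with one XML part and one
# binary part named like a VBA project. The binary part is NOT a real
# vbaProject.bin; it is just the OLE header followed by zero bytes.
FAKE_VBA = OLE_MAGIC + b"\x00" * 56
B64_LINES = "\n".join(re.findall(".{1,76}", base64.b64encode(FAKE_VBA).decode()))
SAMPLE_FLAT_OPC = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'
    '<?mso-application progid="Word.Document"?>\n'
    f'<pkg:package xmlns:pkg="{PKG_NS}">\n'
    '  <pkg:part pkg:name="/word/document.xml" pkg:contentType="application/xml">\n'
    '    <pkg:xmlData><w:document xmlns:w="urn:example"/></pkg:xmlData>\n'
    '  </pkg:part>\n'
    '  <pkg:part pkg:name="/word/vbaProject.bin" pkg:contentType="application/vnd.ms-office.vbaProject">\n'
    f'    <pkg:binaryData>\n{B64_LINES}\n    </pkg:binaryData>\n'
    '  </pkg:part>\n'
    '</pkg:package>\n'
)

def is_flat_opc_word(data: bytes) -> bool:
    """Cheap pre-check mirroring the rule's $xml, $WordML and $OPC strings."""
    head = data[:4096]
    return (head.startswith(b"<?xml")
            and b'<?mso-application progid="Word.Document"?>' in head
            and b"<pkg:package" in head)

def find_binary_parts(data: bytes):
    """Yield (part name, decoded bytes) for every <pkg:binaryData> part."""
    root = ET.fromstring(data)
    for part in root.iter(f"{{{PKG_NS}}}part"):
        blob = part.find(f"{{{PKG_NS}}}binaryData")
        if blob is None or not blob.text:
            continue  # XML part, nothing embedded
        # The Base64 is split into 76-character lines: drop all whitespace first.
        b64 = re.sub(rb"\s+", b"", blob.text.encode())
        yield part.get(f"{{{PKG_NS}}}name", ""), base64.b64decode(b64, validate=True)

def suspicious_parts(data: bytes) -> list:
    """Names of embedded parts that decode to an OLE container, i.e. the
    D0 CF 11 E0 A1 B1 1A E1 header that the rule's '0M8R4KGxGuE' prefix encodes."""
    if not is_flat_opc_word(data):
        return []
    return [name for name, raw in find_binary_parts(data) if raw.startswith(OLE_MAGIC)]
```

Run it over a directory of .xml attachments to triage which Flat OPC files carry a decoded OLE part before opening them in a sandbox.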
This rule uses 6 string patterns in its detection logic. The following benign scenarios may also produce matching files; each lists a suggested filter or exclusion for tuning the rule in that context.
Scenario: Scheduled Backup of Word Documents
Description: A backup job runs nightly and archives Word 2007 documents in OPC format.
Filter/Exclusion: Exclude files whose path contains the backup or archive directory, or filter by file creation time (e.g., files created within the last 24 hours).
Scenario: Microsoft Office Add-in Installation
Description: An admin installs an Office add-in that includes embedded Word documents in OPC format as part of the installation package.
Filter/Exclusion: Exclude files with the .msi, .exe, or .cab extensions, or filter by process name (e.g., msiexec.exe or setup.exe).
Scenario: User-Generated Reports in Word 2007 Format
Description: Users generate reports using Word 2007 and save them in OPC format, which may be uploaded to a shared drive or document management system.
Filter/Exclusion: Exclude files from user directories (e.g., C:\Users\*\Documents) or filter by file size (e.g., files under 1MB).
Scenario: Microsoft SharePoint Document Library Sync
Description: A SharePoint document library sync job transfers Word 2007 documents in OPC format to a local file server.
Filter/Exclusion: Exclude files whose path contains the SharePoint or Sync directory, or filter by file modification time (e.g., files modified within the last hour).
Scenario: Microsoft Exchange Offline Address Book (OAB) Export
Description: An Exchange server exports an OAB file that includes embedded Word documents in OPC format.
Filter/Exclusion: Exclude files with the .oab extension or filter by process name (e.g., `