On March 16, FortiGuard Labs captured a new Word file that spreads malware by executing malicious VBA (Visual Basic for Applications) code. The sample targeted both Apple Mac OS X and Microsoft Windows systems. We then analyzed the sample, and in this blog we are going to explain how it works, step by step.
When the Word file is opened, it prompts the victim to enable macros. Macros are disabled by default, so the document depends on the victim clicking through that warning; once enabled, the malicious VBA code runs.
Figure 1. Asks victim to enable Macro security option
Once macros are enabled, Word calls the AutoOpen() function automatically. The first thing it does is read the data from the "Comments" document property of the Word file.
Figure 2. The "Comments" property of the Word file
The value of the "Comments" property is base64-encoded; the VBA code below reads it out and decodes it:
After base64-decoding, we get the plaintext, which is a Python script, as shown below.
Next, it takes a different route depending on the OS type it is running on, Apple Mac OS X or Microsoft Windows. You can see this in the flow chart in Figure 3.
Figure 3. Calling different route according to OS type
We have found that this malicious VBA code is a slightly modified copy of the office_word_macro template from the Metasploit Framework, which you can find at hxxps://github.com/rapid7/metasploit-framework/blob/master/external/source/exploits/office_word_macro/macro.vba
As you probably know, Mac OS X ships with Python pre-installed by Apple, so the VBA can run Python scripts without any extra dependency. As you can see above, the base64-decoded Python script is passed to the ExecuteForOSX function, which executes it at the bottom of the function (see Figure 3).
The Python script is easy to understand: it extracts code from a base64-encoded string and executes it. Decoded, it is a very clear Python script, shown below.
When the Python script is executed, it downloads a file from "hxxps://sushi.vvlxpress.com:443/HA1QE" and executes it. The downloaded Python script is a slightly modified version of the Python Meterpreter, which is also part of the Metasploit Framework. The source of that project can be found at hxxps://github.com/rapid7/metasploit-payloads/blob/master/python/meterpreter/meterpreter.py.
The major changes between the downloaded file (HA1QE) and the original file are the following:
Figure 4. Differences between HA1QE and meterpreter.py
The HTTP_CONNECTION_URL constant (hxxps://sushi.vvlxpress.com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/) is set to the Metasploit handler endpoint that the script will connect to.
The PAYLOAD_UUID constant is used as an identifier for the client; we believe the attackers also use it for campaign tracking.
Once the script is executed, it attempts to connect to the host "sushi.vvlxpress.com" on port 443. At the time of our analysis, however, the listener (server) was not answering client requests.
Figure 5. Wireshark showing TCP retransmission error while connecting to the server
The Python process stays resident and keeps retrying the connection until the server becomes reachable.
Figure 6. Python script attempting connection to listener
Although the ExecuteForWindows function takes the same argument as ExecuteForOSX, it does not use it. Instead it builds a DOS-style command line starting with cmd.exe. When executed, it launches powershell.exe with no visible window (-w hidden) and passes it a base64-encoded script (-e <base64>). Note that PowerShell expects the -e argument to be the base64 encoding of the UTF-16LE form of the script, not of plain ASCII, which matters when decoding it by hand. For more details, see the following screenshot.
Figure 7. DOS-style command line
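The process chains described for the two branches (Word launching python on Mac OS X; WINWORD.EXE launching cmd.exe, which launches a hidden, base64-encoded powershell.exe on Windows) are a natural detection point. The following is an added example, not code from the post or from FortiGuard Labs: it runs a few rules over constructed process-creation events. The field names (id, host, parent, image, cmdline), the rule names and the sample events are this example's own assumptions.

```python
"""Flag the process chains this dropper produces from process-creation events.

Added example; not from the post. EVENTS is constructed to look like EDR or
Sysmon process-creation records with fields chosen by this example.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "microsoft word", "microsoft excel"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "python", "python2.7", "python3", "sh", "bash", "osascript"}

# -e / -enc / -EncodedCommand followed by a base64 blob (PowerShell accepts
# abbreviated parameter names, so all three spellings are seen in the wild).
ENCODED_RE = re.compile(r"-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.I)
# -w hidden / -WindowStyle Hidden and the abbreviated forms in between.
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I)
# python -c "... exec(base64.b64decode(...))" style one-liners.
PY_INLINE_RE = re.compile(r"\s-c\s.*\b(?:b64decode|exec)\s*\(")


def _basename(path: str) -> str:
    """Last path component, lower-cased, for both / and \\ separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule the event trips, in a fixed order."""
    parent, image, cmd = _basename(event["parent"]), _basename(event["image"]), event["cmdline"]
    hits = []
    if parent in OFFICE_APPS and image in INTERPRETERS:
        hits.append("office_spawns_interpreter")
    if "powershell" in cmd.lower():          # covers cmd.exe /c powershell ... too
        if ENCODED_RE.search(cmd):
            hits.append("powershell_encoded_command")
        if HIDDEN_RE.search(cmd):
            hits.append("powershell_hidden_window")
    if image.startswith("python") and PY_INLINE_RE.search(cmd):
        hits.append("python_inline_exec")
    return hits


def scan(events: list) -> list:
    """(event id, rule) pairs for every rule hit across the event list."""
    return [(e["id"], rule) for e in events for rule in evaluate(e)]


# Constructed sample events; the base64 in events 2 and 3 is a placeholder, not the real payload.
_B64 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"
EVENTS = [
    {"id": 1, "host": "mac-01",
     "parent": "/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word",
     "image": "/usr/bin/python",
     "cmdline": "python -c \"import base64;exec(base64.b64decode('aW1wb3J0IHVybGxpYjI='))\""},
    {"id": 2, "host": "win-01",
     "parent": "C:\\Program Files\\Microsoft Office\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c powershell.exe -w hidden -nop -e " + _B64},
    {"id": 3, "host": "win-01",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -w hidden -nop -e " + _B64},
    {"id": 4, "host": "win-02",                      # benign: scheduled script, no -e, no hidden window
     "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"id": 5, "host": "mac-02",                      # benign: developer running python from a terminal
     "parent": "/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal",
     "image": "/usr/bin/python",
     "cmdline": "python manage.py runserver"},
]

if __name__ == "__main__":
    for event_id, rule in scan(EVENTS):
        print(f"event {event_id}: {rule}")
```

The rules are deliberately narrow to the behaviours the post documents. Depending on how the VBA hands the script to the interpreter, the direct parent of python on Mac OS X may be a shell rather than Word itself, so a production rule should walk the process ancestry instead of checking only the immediate parent.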
It's base64 again. This malware's author likes to base64-encode the sensitive code, and we will see more base64-encoded data in the rest of the analysis.
Decoding the base64-encoded data, we get the following PowerShell script:
The main job of the above PowerShell script is to decompress a piece of gzip data, itself base64-encoded, into another PowerShell script (by calling FromBase64String() and then GzipStream()) and execute it (by calling Start($s)).
Next, let's look at the decompressed PowerShell code. To make it easier to follow, we renamed some of the functions and variables.
Here is the code snippet:
From the above PowerShell code we can see that it first decodes another base64-encoded blob. That blob is 64-bit machine code (shellcode) that is executed later. The script allocates a buffer in the current process (powershell.exe) and copies the 64-bit code into it by calling VirtualAlloc and Copy. Finally, it calls CreateThread with the new buffer as the thread's start address, so the 64-bit code runs as the thread function. Based on our analysis, the Windows branch of this malware therefore only affects 64-bit Windows.
Figure 8. 64-bit ASM code
We analyzed the 64-bit code in IDA Pro, as shown in the above screenshot. Once it starts, it downloads a file from "hxxps://pizza.vvlxpress.com:443/kH-G5" into a newly allocated buffer. The downloaded file is a 64-bit DLL. Before the thread function finishes, it overwrites its own return address on the stack with the address of that buffer, so when the thread function returns, execution lands in the downloaded 64-bit DLL.
Next, we see that the DLL communicates with its server, for example at "hxxps://pizza.vvlxpress.com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/". We can see this in the debugger, as shown below.
Figure 9. Communication with its server
At this point, we are still analyzing the downloaded DLL and gathering more information from it. We will share more details about this malware as we uncover them.
The original Word sample file has been detected as “WM/Agent.7F67!tr” by FortiGuard AntiVirus service.
URLs:
hxxps://sushi.vvlxpress.com:443/HA1QE
hxxps://pizza.vvlxpress.com:443/kH-G5
hxxps://pizza.vvlxpress.com:443/5MTb8oL0ZTfWeNd6jrRhOA1uf-yhSGVG-wS4aJuLawN7dWsXayutfdgjFmFG9zbExdluaHaLvLjjeB02jkts1pq2bR/
hxxps://sushi.vvlxpress.com:443/TtxCTzF1Q2gqND8gcvg-cwGEk5tPhorXkzS0gXv9-zFqsvVHxi-1804lm2zGUE31cs/
Sample SHA256:
Sample.doc 06A134A63CCAE0F5654C15601D818EF44FBA578D0FDF325CADFA9B089CF48A74
HA1QE.py 3A0924D55FB3BF3C5F40ADCE0BD281D75E62D0A52D8ADFA05F2084BA37D212C8
kH-G5.dll C36021A2D80077C2118628ED6DB330FEF57D76810FF447EF80D2AB35B95099BC