  • T7-25–01–M–NE–CDN
  • MS Office (DOCX) External File Download + Ransomware (Play)

    The MS Office (DOCX) external template–based ransomware attack abuses Microsoft Word’s external template loading feature to download and execute ransomware from a remote server. The document itself keeps a legitimate file structure, while an externally hosted template is responsible for the actual malware delivery and execution. The attacker embeds a reference to a remotely hosted macro-enabled template (DOTM) inside the DOCX document, so that external resources are loaded automatically when the document is opened. When the victim opens the document, Microsoft Word connects to the remote server and downloads the DOTM template. The template contains embedded VBA macros, which are then executed in the victim’s environment. Once running, the macro establishes outbound connections to the attacker’s infrastructure to download the ransomware payload. The downloaded ransomware is saved locally and executed, leading to file encryption, system disruption, and loss of access to data. This technique is effective at bypassing file-based detection and static analysis because it separates the initial lure document from the actual ransomware payload. For this reason, it is frequently observed in real-world ransomware campaigns.

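The remote template reference described above is a package relationship inside the DOCX zip: an attachedTemplate relationship whose TargetMode is "External". The following detection check is an added example (not part of this dataset's code) that opens a DOCX, extracts every such reference and flags the ones that point to a network location; the minimal DOCX builder and the 192.168.56.105 template URL are constructed test data.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# OOXML package-relationship namespace and the attachedTemplate relationship type
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")

def external_templates(docx_bytes):
    """Targets of every attachedTemplate relationship marked TargetMode="External".
    A DOCX is a zip; the reference normally sits in word/_rels/settings.xml.rels."""
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    targets.append(rel.get("Target", ""))
    return targets

def is_remote(target):
    """True when Word would fetch the template over the network (URL or UNC path).
    Ordinary documents point at a local Normal.dotm (file:///C:/...), so only
    network locations are flagged."""
    scheme = urlparse(target).scheme.lower()
    return scheme in {"http", "https", "ftp"} or target.startswith("\\\\")

def remote_templates(docx_bytes):
    """Detection check: remote template references carried by the document."""
    return [t for t in external_templates(docx_bytes) if is_remote(t)]

def build_sample_docx(template_target=None):
    """Constructed minimal DOCX for testing; not a real sample from the dataset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<document/>")
        if template_target is not None:
            zf.writestr("word/_rels/settings.xml.rels",
                        '<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s" '
                        'Target="%s" TargetMode="External"/></Relationships>'
                        % (PKG_NS, ATTACHED_TEMPLATE, template_target))
    return buf.getvalue()
```

To triage a suspect file, pass its bytes to `remote_templates()`; a non-empty result means the document will make Word fetch a template from the network when opened.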
  • Environment
    Role      OS                 IP              Software   Log collection time   Program runtime
    Attacker  Ubuntu 22.04       192.168.56.105  -          300 sec               320 sec
    Victim    Windows 10 (1903)  192.168.56.104  -

  • Installation
  • python3 -m pip install -r requirements.txt

  • Usage
  • ※ The PoC is unstable and may cause intermittent remote connection failures.

    python3 run.py

  • MITRE ATT&CK Framework
  • Attack Tactic
    Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion,
    Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact

  • Logs
  • ./log/2025_01_T7_{time}.evtx # YYmmdd_HHMMSS
    ./log/2025_01_T7_{time}.pcap # YYmmdd_HHMMSS


  • Copyright (C) 2024, KAIST Cyber Security Research Center. All Rights Reserved.