❌

Normal view

Received β€” 11 January 2026 ⏭ Blaze's Security Blog

Microsoft Word and Sandboxes

By: Bart
14 August 2024 at 19:35

Today's post is a brief one on some Microsoft Word and sandbox detection / discovery / fun.

Collect user name from Microsoft Office

Most sandboxes will trigger somehow or something if a tool or malware tries to collect system information or user information. But what if we collect the user name via the registry and more specifically, what user info Microsoft Office sees?

This information is stored in the Current User hive, Software\Microsoft\Office\Common\UserInfo.

10-second code and we can whip up:
Β 
Β 
Β 
Β 
Text form:

$userName = (Get-ItemProperty -Path "HKCU:\Software\Microsoft\Office\Common\UserInfo").UserName

Start-Process -FilePath "notepad.exe" -ArgumentList $userName
Β 
And we get something like:

Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
and the process tree:
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Some sandboxes had a username of "Admin", "admin" or a completely random name.Β 
Β 
In short, it's a potential technique for more stealth reconaissance that may not trigger a sandbox or detection mechanism.


Run a Microsoft Word doc with.. .asd extension

When Microsoft Word crashes, it will (usually) attempt to create a backup copy of all your opened documents. It typically saves these backups as .wbk (Word Backup) or .asd (Autosave or Autorecover) files.

These will be saved in one of these directories in normal circumstances:
  • C:\Users\USERNAME\AppData\Local\Microsoft\Word
  • C:\Users\USERNAME\AppData\Roaming\Microsoft\Word
  • C:\Users\USERNAME\AppData\Local\Temp
  • C:\Users\USERNAME\\AppData\Local\Microsoft\Office\UnsavedFiles

Most sandboxes however will be able to open the file just fine, but not all...:







Β 

Β 

Β 

Β 

I haven't seen much use of actual .asd files, likely as the documents will need to be loaded from one of the above directories, however... after crafting your malicious document, you can simply rename it from badfile.docx to badfile.asd, and it will run fine.

It seems at least 1 actor has used an .asd extension before, as reported on by Didier Stevens:

https://isc.sans.edu/diary/CrowdStrike+Outage+Themed+Maldoc/31116

In short, it's another way of evading sandboxes or other potential detection mechanisms that may not support these .asd or .wbk extensions or even consider them harmless.


Blue Team Puzzle

By: Bart
23 November 2020 at 21:33

Several years ago, I created a "malware puzzle" - basically, a crossword puzzle but with terms related to malware. You can find that puzzle here:Β https://bartblaze.blogspot.com/2013/08/malware-puzzle.html

Seeing crosswords are a hobby of mine, I thought it'd be fun to create another one more than seven years later - this time, all things blue team! Obviously you don't need to be part of a blue team to fill in the puzzle, it's for anyone in information or cyber security - but it does help if you've been on the defense side of things.

You can print the puzzle and fill it in, or you can use Adobe Reader to complete the PDF version, or use any tool to your liking (mspaint is also a candidate). There are no spaces - all words are one word.













You can find the puzzle in the following formats:

PNG:Β https://www.mediafire.com/view/0iuzvxal8redjz2/crossword-iiRh073oLn.png/file

PNG mirror:Β https://imgur.com/a/ASATRXf

PDF:Β https://www.mediafire.com/file/b3v7pebohp6c8vn/crossword-xp6dZUU9Ar.pdf/file

PDF mirror:Β https://www.filedropper.com/crossword-xp6dzuu9ar

If you have the solution, feel free to create a comment or @ me on Twitter:Β https://twitter.com/bartblaze.Β 

To make things more interesting, you can set up a competition between your fellow defenders to see who can complete it first!

If you're stuck, I can always send you a hint - see my About page for contact information, use Twitter, or leave a comment. Note there may be spoilers around.Β 

❌