Tracking Pixel in Microsoft Office Document

Many social engineering campaigns rely heavily upon weaponizing Microsoft Office documents with malicious macros or embedded scripting languages that allow for payloads to create remote access to the victim's machine. Whether these documents are delivered via email or by USB drop it can be uncertain if the targeted victim is actually opening the document or antivirus or other technological hurdles are blocking the reverse shell from returning to you.  This is why I have performed research and come up with a way to determine if the user is even opening the document.  Utilizing a method often employed by emails and/or targeted advertisements, by embedding a small pixel that will call back to a remote web server  which will allow the testing engineer to troubleshoot connection issues.

A tracking pixel (also called 1x1 pixel or pixel tag) is a graphic with dimensions of 1x1 pixels that is loaded when a user visits a website or opens an email, and is used to track certain user activities. With a tracking pixel, advertisers can acquire data for online marketing, web analysis or email marketing. With log file analysis, long data evaluation or using appropriate analytical tools, this data can be used for different purposes, for example re-targeting.

Microsoft Office documents give us the ability to insert images into the page that will not be stored inside the actual file.  Requiring the Microsoft Office application to reach out to the specified URL every time the document is opened.  Utilizing Apache logs we can find out when this document is opened.  For an added bonus the image insertion does not require any special privileges or macros to make the call.  

For this demonstration I will show how to add the remote URL image using a Word document.  We will begin with a simple empty Word document.

You will notice in the screenshot above that the tab Insert was selected.  Note the selection menu Quick Parts on the right side of that screenshot.  

This is a zoomed in image of the Quick Parts menu.  Choose the drop down arrow to see the additional options.

The screenshot above shows the menu item that needs to be selected.  The Field option is in reference to Microsoft's field codes.  A field code is “smart” text – once inserted, they can automatically update when needed. There are hundreds of field codes for various purposes, one of the most common being the codes for page numbers and the current date. Any time the information updates (a page is added, or the date changes), the field will automatically update.

Once the Field options is selected the additional menu item box will pop up.  From the left side of the screen choose the IncludePicture option.  

Under Field Properties use the IP address or URL of your Apache webserver along with an image name.  The image name is not inherently important in this instance. In fact the request for anything will go through for any string on the webserver, but might cause the document to load slower.  Therefore, by creating a fake image the webserver will return a response quicker, and will make the document seem "normal".  

In the screenshot above, I have navigated to the /var/www/html document and created a test.png file by running the command: touch test.png.

Once the image correctly placed into the document, either tailing or catting the /var/log/apache2/access.log should have an entry where the Office document attempted to reach out to the remote web server.  

Here you can see what the image looks like once it has been placed inside the document.  As you will notice from the screenshot above the image is quite large, and noticeable.  However, resizing the image to a small 1x1 pixel will not change how the image is retrieved.

Reducing the size to the smallest metric is nearly untraceable.  Adding additional content or other normal imagery into the document will ensure the small tracking pixel is less conspicuous.  

Your question up to this point might be what if I am sending multiple emails with this document or multiple USB drops.  How will I be able to determine which document is calling back.  One technique I have come up with is by utilizing UUIDs.  A universally unique identifier or UUID is a 128-bit number used to identify information in computer systems.  For example, in the screenshot below I used the Kali Linux command line tool uuidgen to create a unique identifier which I then turned into another picture by using the touch command referenced above.  In a new document you can use the insert field code option again, but instead use your IP address with a /UUID.png number to the end.  

Now when the Office document is opened you will get a unique identifier which can be used later when grepping through the Apache logs.  

There are some other situations where this might be helpful, but hopefully you have gotten the general premise of tracking Office documents.  Until next time!