**Update (November 12th, 2018): Trend Micro has reported an in-the-wild sample that abuses this logic flaw, detected as TROJ_EXPLOIT.AOOCAI, which uses it to deliver the URSNIF information stealer (TSPY_URSNIF.OIBEAO).**
Cymulate’s research team has discovered a way to abuse the Online Video feature in Microsoft Word to execute malicious code (read the press release here).
The attack works by embedding an online video in a Word document, then editing the document.xml part inside the saved file and replacing the video embed with a crafted HTML/script payload. The payload runs inside the video frame, which Word renders with Internet Explorer’s engine, and opens the Internet Explorer Download Manager with the executable the attacker embedded in the payload.
The workflow for reproducing the flaw:
1. Create a Word Document.
2. Embed an online video: Insert -> online video and add any YouTube video.
3. Save the Word document with the embedded online video.
4. Unpack the Word document.
A .docx file is a ZIP package that holds the document’s XML parts together with its media. Unpack it either with an archive tool or by renaming the .docx extension to .zip and extracting it; the document body lives in word/document.xml.
5. Edit the document.xml file under the word folder.
6. Replace the online-video embed stored in the embeddedHtml attribute with the crafted payload.
7. Save the changes to document.xml, update the docx package with the modified XML, and open the document.
We created a PoC whose payload carries the executable as a base64-encoded blob. When the embedded code runs, it calls the navigator.msSaveOrOpenBlob method, which hands the blob to the Internet Explorer Download Manager and prompts the user to run or save the file.
Please note: no security warning is presented when this document is opened in Microsoft Word.
Available mitigation options:
1. Block Word documents whose word/document.xml contains the string “embeddedHtml” (the attribute that holds the online-video embed). Note that Word writes this attribute for every legitimately inserted online video, so this rule also blocks benign documents that use the Online Video feature; if that is unacceptable, inspect the decoded contents of the attribute for script rather than matching on the bare attribute name.
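The unpack/inspect/repack mechanics of steps 4 to 7 above and the embeddedHtml blocking rule in mitigation 1, shown together as an added example in Python. This is not Cymulate’s PoC and not code from the original post. The element and namespace used for the constructed sample (`wp15:webVideoPr` in the `wordprocessingDrawing` namespace) are what Word writes for an online video as far as I recall; the checks themselves only key on the attribute name `embeddedHtml`, which is what the post names. The sample documents, the YouTube-style embed and the stand-in “payload” are all constructed here and contain no real binary.

```python
import html
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Optional

DOCUMENT_XML = "word/document.xml"
# Namespaces as the author recalls them from Word's output (assumption).
WP15_NS = "http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Markers that a YouTube-style iframe embed written by Word does not contain,
# but a payload of the kind the post describes (script handing a base64 blob
# to IE's download manager) does.
SUSPICIOUS = re.compile(r"<script|msSaveOrOpenBlob|javascript:", re.IGNORECASE)

# Attribute values are XML-escaped, so a raw '"' cannot appear inside one.
EMBEDDED_HTML_ATTR = re.compile(r'\s+embeddedHtml="[^"]*"')


def build_docx(embedded_html: Optional[str]) -> bytes:
    """Constructed minimal package for exercising the checks below.
    It has just enough structure for the detector; it is not something
    Word itself wrote and is not meant to open in Word."""
    video = ""
    if embedded_html is not None:
        video = (f'<wp15:webVideoPr xmlns:wp15="{WP15_NS}" '
                 f'embeddedHtml="{html.escape(embedded_html, quote=True)}" h="315" w="560"/>')
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body>'
        f'<w:p><w:r><w:t>quarterly report</w:t></w:r></w:p>{video}'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types '
                    'xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr(DOCUMENT_XML, document)
    return buf.getvalue()


def embedded_html_blobs(docx_bytes: bytes) -> List[str]:
    """Unpack the docx (it is a ZIP) and return the decoded value of every
    embeddedHtml attribute in word/document.xml. ElementTree already turns
    &lt;iframe&gt; back into <iframe>. For untrusted input in production,
    parse with defusedxml.ElementTree instead of the stdlib parser."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if DOCUMENT_XML not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(DOCUMENT_XML))
    blobs = []
    for element in root.iter():
        for name, value in element.attrib.items():
            if name.rsplit("}", 1)[-1] == "embeddedHtml":  # tolerate a namespaced variant
                blobs.append(value)
    return blobs


def classify(docx_bytes: bytes) -> str:
    """'clean' (no online video), 'online-video' (plain embed) or 'malicious-embed'."""
    blobs = embedded_html_blobs(docx_bytes)
    if not blobs:
        return "clean"
    if any(SUSPICIOUS.search(blob) for blob in blobs):
        return "malicious-embed"
    return "online-video"


def should_block(docx_bytes: bytes, strict: bool = True) -> bool:
    """strict=True is the post's rule: any embeddedHtml blocks the file, which
    also stops every legitimate online-video document. strict=False blocks
    only embeds that carry script-like content."""
    verdict = classify(docx_bytes)
    return verdict != "clean" if strict else verdict == "malicious-embed"


def neutralize(docx_bytes: bytes) -> bytes:
    """Repack the docx with every embeddedHtml attribute removed (the repack
    half of steps 4-7, used defensively). The attribute is stripped with a
    regex rather than by re-serialising through ElementTree, which rewrites
    namespace prefixes; every other package entry is copied unchanged."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            data = src.read(info.filename)
            if info.filename == DOCUMENT_XML:
                data = EMBEDDED_HTML_ATTR.sub("", data.decode("utf-8")).encode("utf-8")
            dst.writestr(info.filename, data)
    return out.getvalue()


# Constructed samples: a YouTube-style embed and a stand-in for the crafted
# payload the post describes. The base64 decodes to "not-a-real-binary".
BENIGN_EMBED = ('<iframe width="560" height="315" '
                'src="https://www.youtube.com/embed/VIDEO_ID" frameborder="0" allowfullscreen></iframe>')
CRAFTED_EMBED = ('<script>var b = new Blob([atob("bm90LWEtcmVhbC1iaW5hcnk=")], '
                 '{type: "application/octet-stream"}); '
                 'navigator.msSaveOrOpenBlob(b, "update.exe");</script>')

if __name__ == "__main__":
    for label, sample in (("no video", None), ("youtube", BENIGN_EMBED), ("crafted", CRAFTED_EMBED)):
        doc = build_docx(sample)
        print(f"{label:9} -> {classify(doc):16} block(strict)={should_block(doc)!s:5} "
              f"after neutralize={classify(neutralize(doc))}")
```

Running the script classifies the three constructed packages, shows that the strict rule from mitigation 1 blocks the benign YouTube embed as well as the crafted one, and confirms that `neutralize` returns a package the detector reports as clean. In a mail gateway or file scanner you would call `should_block` on each inbound .docx and, if you prefer to deliver rather than drop, hand the user the output of `neutralize`.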