shmu26

Level 80
Content Creator
Trusted
Verified
I am used to hearing about macros and other kinds of scripts embedded in doc files. But I didn't know you could do this with exe files. Is this a common attack method?
 

Mahesh Sudula

Level 13
Verified
Yes... That is what W97M.Downloader is based on.
Basically, malicious code is injected into a PDF/DOC; upon execution it forces you to open the text. So even if you exit, the process continues in the background.
Some advanced techniques I have seen rarely use process injection... into a system process like svchost, which is even worse!
Basically these spawned DOC or PDF files will connect to some infected or malformed sites that can download the payload.
 

Andy Ful

Level 43
Content Creator
Trusted
Verified
I am used to hearing about macros and other kinds of scripts embedded in doc files. But I didn't know you could do this with exe files. Is this a common attack method?
You can embed anything you want in an MS Office document (shellcode, DLL, EXE, script, etc.).
Simply open a document and use OLE. This method works for scripts, MSI, and EXE files, but it is actually restricted by Microsoft, so some embedded OLE objects will be blocked:
The shellcode, EXE, or DLL files can also be embedded in a VBA macro or hidden in pictures via steganography. In that case an exploit, script, or macro has to be used to decode and execute the EXE.

Yes... That is what W97M.Downloader is based on.
Basically, malicious code is injected into a PDF/DOC; upon execution it forces you to open the text. So even if you exit, the process continues in the background.
Some advanced techniques I have seen rarely use process injection... into a system process like svchost, which is even worse!
Basically these spawned DOC or PDF files will connect to some infected or malformed sites that can download the payload.
W97M.Downloader works in a slightly different way. It is an MS Office Word document with an embedded macro or exploit which tries to download and execute an EXE (or another payload). The EXE (or payload) is not embedded in the MS Office file. :giggle:
This is the most common way of abusing Word documents.
The method of embedding the payload (for example an EXE file) into MS Office documents is rarely used, because of the default MS Office restrictions.
 
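The thread above distinguishes two abuses of a Word document: a macro or exploit that downloads a payload (the W97M.Downloader pattern, which leaves a vbaProject.bin behind) and a payload embedded directly as an OLE object (which leaves a compound file under word/embeddings/). The script below is an added triage example, not code from any of the posters; it builds a constructed .docx in memory with both artifacts and flags them. The sample OLE object is a stub (compound-file magic, the UTF-16 "\x01Ole10Native" stream name, and a minimal MZ/PE header), not a real package, and the checks are heuristics: a real compound file stores streams in sectors, so a fragmented payload can evade the byte scan and a proper parser such as oletools should be used for confirmation.

```python
import io
import re
import zipfile

# Constants below are real on-disk signatures, not assumptions.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # OLE2 / compound file header
OLE10NATIVE = "\x01Ole10Native".encode("utf-16-le")      # packager stream name as stored in CFB directory


def looks_like_pe(blob: bytes) -> bool:
    """Heuristic: an 'MZ' header whose e_lfanew (offset 0x3c) points at a 'PE\\0\\0' signature."""
    for m in re.finditer(rb"MZ", blob):
        i = m.start()
        if i + 0x40 > len(blob):
            continue
        e_lfanew = int.from_bytes(blob[i + 0x3C:i + 0x40], "little")
        if 0 < e_lfanew < len(blob) - i - 4 and blob[i + e_lfanew:i + e_lfanew + 4] == b"PE\0\0":
            return True
    return False


def triage_ooxml(data: bytes) -> dict:
    """Walk an OOXML (.docx/.xlsx/.pptx) zip and record macro containers and embedded OLE objects."""
    findings = {"macros": [], "embedded_objects": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith("vbaproject.bin"):            # VBA macro storage (the downloader pattern)
                findings["macros"].append(name)
            if "/embeddings/" in lower:                      # OLE objects inserted via Insert > Object
                blob = zf.read(name)
                findings["embedded_objects"].append({
                    "name": name,
                    "is_cfb": blob.startswith(CFB_MAGIC),
                    "ole10native": OLE10NATIVE in blob,      # packager object: file dropped as-is
                    "contains_pe": looks_like_pe(blob),
                })
    return findings


def verdict(findings: dict) -> str:
    """'suspicious' if macros are present or any embedded object is a packaged file / carries a PE."""
    risky = any(o["ole10native"] or o["contains_pe"] for o in findings["embedded_objects"])
    return "suspicious" if findings["macros"] or risky else "clean"


def build_sample_docx(embed_payload: bool = True) -> bytes:
    """Constructed sample document (hypothetical content) used only to exercise the triage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if embed_payload:
            # Minimal MZ/PE stub: 'MZ', e_lfanew = 64, 'PE\0\0' at offset 64. Not an executable.
            fake_pe = bytearray(b"MZ" + b"\0" * 62 + b"PE\0\0" + b"\0" * 16)
            fake_pe[0x3C:0x40] = (64).to_bytes(4, "little")
            # Stub compound file: 512-byte header with magic, then the stream name and the stub.
            ole = CFB_MAGIC + b"\0" * 504 + OLE10NATIVE + b"\0" * 64 + bytes(fake_pe)
            zf.writestr("word/embeddings/oleObject1.bin", ole)
            zf.writestr("word/vbaProject.bin", CFB_MAGIC + b"\0" * 504)
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("payload", build_sample_docx()), ("clean", build_sample_docx(False))):
        f = triage_ooxml(doc)
        print(label, verdict(f), f)
```

Run it on a real document with `triage_ooxml(open("sample.docx", "rb").read())`. Legacy binary formats (.doc, .xls) are themselves compound files rather than zips, so for those the check would be applied to the file as a whole instead of to zip members.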