Malware Analysis [Video] Malicious MS Office Files Without Macros

It is a good video with no controversial content, so it does not require many replies. :)
I agree that for most MT readers, the prevention against such attack vectors can also be interesting (even if slightly off topic).
 
Last edited:
Just finished watching the video, great explanation, thank you!

Question:
If you're looking at a .docx with a remote VSTO manifest, how much does the MOTW on the actual document mess with the .NET assembly execution? Like, if the manifest is sitting in a Trusted Sites zone but the doc itself is flagged for the Internet zone, which security policy actually takes the lead during the add-in loading phase?
 
Just finished watching the video, great explanation, thank you!

Question:
If you're looking at a .docx with a remote VSTO manifest, how much does the MOTW on the actual document mess with the .NET assembly execution? Like, if the manifest is sitting in a Trusted Sites zone but the doc itself is flagged for the Internet zone, which security policy actually takes the lead during the add-in loading phase?

Thank you. But regarding your question: Not entirely sure here because I did not test this, but the doc should be in protected view if it has Internet Zone mark of the web. And only if you leave protected view, the manifest trusted sites should become relevant.


Which is not the case in MT forum; most members are not cybersecurity pros.

This is the Malware Analysis subforum. The pinned topic says "This forum's main purpose is the discussion of malware analysis and reverse engineering techniques."