Malware Execution via Microsoft Word Embedded Video

Researchers at Cymulate carried out a proof-of-concept (PoC) attack that hides malware inside a video embedded in a Word document. Once the document is saved, a threat actor could unpack the .docx file by changing the extension to .zip and unzipping it to reveal a document.xml file. The embeddedHTML parameter in that XML file can be altered and replaced with custom HTML and JavaScript, which the browser executes when the video thumbnail is clicked. This can be leveraged to open Internet Explorer’s download manager and install malware. Microsoft Word does not ask for permission or issue a security warning before executing embedded video code. The NJCCIC recommends that users avoid opening documents from suspicious or unknown sources and block Word documents that contain the embeddedHTML tag in the document.xml file, or block any document that contains an embedded video. For more information on this vulnerability, review Cymulate’s blog post.
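One way to apply the blocking recommendation at a mail or file gateway, shown as an added example that is not from the NJCCIC advisory or Cymulate: it opens the .docx as a ZIP container and flags any XML part carrying the embeddedHTML attribute. Checking every XML part rather than only document.xml, the function names, the verdict strings, the size cap and the sample markup are assumptions made for this sketch.

```python
import io
import re
import zipfile
import zlib

# Case-insensitive: the advisory writes "embeddedHTML"; Word stores it as embeddedHtml.
MARKER = re.compile(rb"embeddedhtml\s*=", re.IGNORECASE)
MAX_PART_BYTES = 50 * 1024 * 1024  # assumed cap so an oversized part is not decompressed


def scan_docx(source):
    """Return (verdict, parts) for a .docx given as a path or file-like object.

    verdict is "block" (attribute found), "clean", or "unreadable" (not a
    valid ZIP container, encrypted or corrupt, or a part over the size cap).
    parts lists the archive members that triggered the verdict.
    """
    try:
        with zipfile.ZipFile(source) as archive:
            hits = []
            for info in archive.infolist():
                if not info.filename.lower().endswith(".xml"):
                    continue
                if info.file_size > MAX_PART_BYTES:
                    return "unreadable", [info.filename]
                if MARKER.search(archive.read(info)):
                    hits.append(info.filename)
    except (zipfile.BadZipFile, zlib.error, OSError, RuntimeError):
        return "unreadable", []
    return ("block" if hits else "clean"), hits


def make_docx(document_xml):
    """Build a minimal constructed .docx-like archive in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", document_xml)
    buf.seek(0)
    return buf


# Constructed samples with inert placeholder markup, not taken from the PoC.
SAMPLE_VIDEO = '<w:document><wp15:webVideoPr embeddedHtml="&lt;iframe&gt;" h="315" w="560"/></w:document>'
SAMPLE_PLAIN = "<w:document><w:p><w:t>embedded html is discussed here</w:t></w:p></w:document>"

if __name__ == "__main__":
    for name, xml in (("video.docx", SAMPLE_VIDEO), ("plain.docx", SAMPLE_PLAIN)):
        print(name, scan_docx(make_docx(xml)))
    print("notazip.docx", scan_docx(io.BytesIO(b"not a zip")))
```

Treating "unreadable" as a quarantine verdict rather than a pass keeps malformed or password-protected containers from slipping through unscanned.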
