Phishing: Embedded HTML Forms

Code execution with embedded HTML Form Objects
In this phishing lab I am just playing around with the POCs researched, coded and described by Yorick Koster in his blog post "Click me if you can, Office social engineering with embedded objects".

Execution

Attached files:
Forms.HTML.ps1 / Forms.ps1 (text, 1KB)
Forms.HTML.docx / Forms.docx (binary, 11KB)

Observations

These types of phishing documents can be identified by looking for the CLSID 5512D112-5CC6-11CF-8D67-00AA00BDCE1D in the embedded .bin files, as well as inside the activeX1.xml file.

As usual, MS Office applications spawning cmd.exe or powershell.exe should be investigated.
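The CLSID check described above can be automated for triage. The script below is an added example, not code from the original lab or from Yorick Koster's post: it opens a .docx as a ZIP archive and reports every .bin or .xml part that contains the CLSID. The page does not say how the CLSID is encoded inside the .bin parts, so searching for ASCII, UTF-16LE and packed little-endian GUID forms is an assumption, as are the function names, the size limit and the constructed sample archive.

```python
import io
import sys
import uuid
import zipfile

# CLSID quoted on this page for the embedded HTML form object.
CLSID = "5512D112-5CC6-11CF-8D67-00AA00BDCE1D"
MAX_PART_BYTES = 32 * 1024 * 1024  # assumption: larger parts are reported, not read

def clsid_patterns(clsid=CLSID):
    """Byte patterns to search for: text forms plus the packed little-endian GUID."""
    text = clsid.lower()
    return {
        "ascii": text.encode("ascii"),
        "utf-16le": text.encode("utf-16-le"),
        "guid-le": uuid.UUID(clsid).bytes_le,
    }

def scan_docx(source, clsid=CLSID):
    """Return sorted (part, encoding) pairs for .bin/.xml parts that contain the CLSID."""
    hits = []
    patterns = clsid_patterns(clsid)
    with zipfile.ZipFile(source) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith((".bin", ".xml")):
                continue
            if info.file_size > MAX_PART_BYTES:
                hits.append((info.filename, "oversize-not-scanned"))
                continue
            data = zf.read(info)
            lowered = data.lower()  # text forms are matched case-insensitively
            for label, pattern in patterns.items():
                if pattern in (data if label == "guid-le" else lowered):
                    hits.append((info.filename, label))
    return sorted(hits)

def build_sample():
    """Constructed archive (not a real Office file) carrying the marker in two parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/activeX/activeX1.xml", '<ax:ocx ax:classid="{%s}"/>' % CLSID)
        zf.writestr("word/activeX/activeX1.bin", b"\0" * 80 + uuid.UUID(CLSID).bytes_le)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for target in sys.argv[1:] or [build_sample()]:
        for part, encoding in scan_docx(target):
            print(f"{part} ({encoding})")
```

Pass one or more document paths on the command line; with no arguments it scans the constructed sample. A hit marks a document for review rather than proving it malicious.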

References