search

Phishing: Embedded HTML Forms

Code execution with embedded HTML Form Objects

In this phishing lab I am just playing around with the POCs researched, coded and described by Yorick Koster in his blog post Click me if you can, Office social engineering with embedded objectsarrow-up-right

hashtag
Execution

file-download
1KB
Forms.HTML.ps1
arrow-up-right-from-squareOpen
Forms.ps1
file-download
11KB
Forms.HTML.docx
arrow-up-right-from-squareOpen
Forms.docx

hashtag
Observations

These types of phishing documents can be identified by looking for the CLSID 5512D112-5CC6-11CF-8D67-00AA00BDCE1D in the embedded .bin files:

...as well as inside the activeX1.xml file:

As usual, MS Office applications spawning cmd.exe or powershell.exe should be investigated:

hashtag
References

LogoClick me if you can, Office social engineering with embedded objectsSecurify websitechevron-right
PreviousBypassing Parent Child / Ancestry DetectionsNextPhishing with GoPhish and DigitalOcean

Last updated