Phishing: Embedded HTML Forms

Code execution with embedded HTML Form Objects

In this phishing lab I am just playing around with the POCs researched, coded and described by Yorick Koster in his blog post Click me if you can, Office social engineering with embedded objects

Execution

1KB
Forms.HTML.ps1
Forms.ps1
11KB
Forms.HTML.docx
Forms.docx

Observations

These types of phishing documents can be identified by looking for the CLSID 5512D112-5CC6-11CF-8D67-00AA00BDCE1D in the embedded .bin files:

...as well as inside the activeX1.xml file:

As usual, MS Office applications spawning cmd.exe or powershell.exe should be investigated:

References

LogoClick me if you can, Office social engineering with embedded objectsSecurify website
PreviousBypassing Parent Child / Ancestry DetectionsNextPhishing with GoPhish and DigitalOcean

Last updated