Phishing: Embedded Internet Explorer
Code execution with embedded Internet Explorer Object
In this phishing lab I am just playing around with the POCs researched, coded and described by Yorick Koster in his blog post "Click me if you can, Office social engineering with embedded objects".
Execution
Observations
As with other phishing documents, we can unzip the .docx and do a simple hexdump/strings on the oleObject1.bin to look for any suspicious strings referring to some sort of file/code execution:
The CLSID object that makes this technique work is a Shell.Explorer.1 object, as seen here:
As an analyst, one should inspect the .bin file and look for the {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} bytes inside, signifying the Shell.Explorer.1 object being embedded in the .bin file: