Phishing: Embedded Internet Explorer
Code execution with embedded Internet Explorer Object
In this phishing lab I am just playing around with the POCs researched, coded and described by Yorick Koster in his blog post "Click me if you can, Office social engineering with embedded objects".

Execution

Files used in this lab (attached to the page):

WebBrowser.docx (11KB, binary): the document carrying the embedded Shell.Explorer.1 object
poc.ps1 (51KB, text; saved as phishing-iex-embedded.ps1): the PowerShell proof of concept

Observations

As with other phishing documents, we can unzip the .docx and do a simple hexdump/strings on the oleObject1.bin to look for any suspicious strings referring to some sort of file/code execution:
The CLSID object that makes this technique work is a Shell.Explorer.1 object, as seen here:
Get-ChildItem 'registry::HKEY_CLASSES_ROOT\CLSID\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}'
As an analyst, one should inspect the .bin file and look for the {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B} bytes inside, signifying the Shell.Explorer.1 object being embedded in the .bin file:
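The check above can be scripted. The following is an added example, not code from the original page or from Yorick Koster's research: it opens a .docx as a zip, walks the embedded OLE objects under word/embeddings/ (the standard location in a .docx), and flags the Shell.Explorer.1 CLSID whether it appears as the 16-byte on-disk GUID (first three fields little-endian, so the hexdump shows C3 2A B2 EA C1 30 CF 11 ...) or as a plain/UTF-16 string. The sample .docx it scans is constructed in memory for the demonstration.

```python
import io
import uuid
import zipfile

# CLSIDs worth flagging inside embedded OLE objects; extend as needed.
SUSPICIOUS_CLSIDS = {
    "{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}": "Shell.Explorer.1 (embedded Internet Explorer)",
}


def clsid_on_disk(clsid: str) -> bytes:
    """16-byte form in which an OLE compound file stores a CLSID.

    The first three GUID fields are little-endian, so EAB22AC3-30C1-11CF-...
    shows up in a hexdump as C3 2A B2 EA C1 30 CF 11 ...
    """
    return uuid.UUID(clsid.strip("{}")).bytes_le


def find_clsids(data: bytes) -> list[str]:
    """Report every known CLSID present in raw bytes, binary or textual form."""
    hits = []
    for clsid, name in SUSPICIOUS_CLSIDS.items():
        forms = (clsid_on_disk(clsid), clsid.encode("ascii"), clsid.encode("utf-16-le"))
        if any(form in data for form in forms):
            hits.append(name)
    return hits


def scan_docx(docx_bytes: bytes) -> dict[str, list[str]]:
    """Scan each word/embeddings/*.bin member of a .docx; map member -> findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for member in z.namelist():
            if member.startswith("word/embeddings/") and member.lower().endswith(".bin"):
                hits = find_clsids(z.read(member))
                if hits:
                    findings[member] = hits
    return findings


def build_sample_docx() -> bytes:
    """Constructed test input: a minimal zip mimicking a .docx whose OLE object
    carries the Shell.Explorer.1 CLSID. Not a real or weaponised document."""
    ole_magic = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound-file signature
    fake_ole = ole_magic + b"\x00" * 64 + clsid_on_disk(next(iter(SUSPICIOUS_CLSIDS))) + b"\x00" * 64
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", fake_ole)
    return buf.getvalue()


if __name__ == "__main__":
    for member, hits in scan_docx(build_sample_docx()).items():
        print(f"{member}: {', '.join(hits)}")
```

To triage a real file, replace build_sample_docx() with the bytes of the suspicious .docx.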

References

Click me if you can, Office social engineering with embedded objects
Securify website