A couple of months ago I encountered a malicious macro Word document and after analysing it, it was found to be using a new vector to execute the macro. I’m not sure if this method had ever been used before but it was using macros with an embedded ActiveX control object in the document.

Most malicious Word documents use the usual reserved names such as AutoOpen() and Document_Open() to automatically run macros. This document in question was using a subroutine name of InkPicture1_Painted() to execute code once the ActiveX control got enabled. This routine comes from an ActiveX control “Microsoft InkPicture Control” embedded in the document.

If we wanted to embed an ActiveX control in a document it is pretty straightforward to do. Once the developer tab is enabled (File – Options – Customize Ribbon) go to the developer tab and Controls section on the ribbon. A huge list of controls is given which could be used to embed in the document. Each control gives the option to add macros to its procedures. We can see below that there are dozens of procedures that could be used.

After testing each ActiveX control object and all its procedures a large number of procedures were able to automatically run macros. Not all controls can be embedded into the document but the majority can be and are listed in the table below.

Microsoft ImageComboBox Control, version 6.0

The controls listed below, when used with these subroutine names, have an interesting behaviour in that moving the mouse on top of the embedded object triggers the macro.

Microsoft ProgressBar Control, version 6.0

There are more ActiveX controls not listed as those need some further action i.e. clicking on the embedded object to trigger the macro.

Tests were carried out mainly using Word and Excel of Microsoft Office 2010 x64 on Windows 7.

Users hopefully should know by now that macros are dangerous so even if received they would be prompted by two warning prompts. The first is the usual “Protected View” warning when documents are received from the Internet. After enabling editing then the usual macro prompt appears.
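A triage check for the case described above, where a document has no AutoOpen() or Document_Open() but runs code from a control event handler such as InkPicture1_Painted(). This is an added example, not code from the original post; it assumes the VBA source has already been extracted from the document, and the names `triage`, `RESERVED` and `SAMPLE` are hypothetical.

```python
import re

# Reserved auto-run names mentioned in the post (assumption: a real
# scanner would track a longer list than these two).
RESERVED = {"autoopen", "document_open"}

# VBA procedure header at the start of a line: optional scope keyword,
# Sub or Function, then the procedure name. Commented-out lines start
# with an apostrophe and therefore never match.
SUB_RE = re.compile(
    r"^\s*(?:(?:Public|Private|Friend)\s+)?(?:Static\s+)?"
    r"(?:Sub|Function)\s+([A-Za-z_]\w*)",
    re.IGNORECASE | re.MULTILINE,
)


def triage(vba_source):
    """Split procedure names into reserved auto-run names and
    Object_Event style handlers (e.g. InkPicture1_Painted).

    The second list is a heuristic for analyst review: any name of the
    form Object_Event is reported, because the control it belongs to
    lives in the document body, not in the VBA source.
    """
    reserved, control_events = [], []
    for name in SUB_RE.findall(vba_source):
        obj, sep, event = name.partition("_")
        if name.lower() in RESERVED:
            reserved.append(name)
        elif sep and obj and event:
            control_events.append((obj, event))
    return reserved, control_events


# Constructed sample: handler parameter list simplified, body harmless.
SAMPLE = """
Private Sub InkPicture1_Painted(ByVal hDC As Long, ByVal Rect As Object)
    DoWork
End Sub

' Sub AutoOpen()   commented out, must not be reported
Sub DoWork()
    MsgBox "constructed sample"
End Sub
"""

if __name__ == "__main__":
    found_reserved, found_events = triage(SAMPLE)
    print("reserved auto-run names:", found_reserved)
    print("control event handlers :", found_events)
```

A scanner that only looks for the reserved names reports nothing for this sample, while the handler list surfaces the InkPicture1 routine for review.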