Phishing Documents
Last updated
Last updated
Microsoft Word performs file data validation prior to opening a file. Data validation is performed in the form of data structure identification, against the OfficeOpenXML standard. If any error occurs during the data structure identification, the file being analysed will not be opened.
Usually Word files containing macros uses the .docm
extension. However, it's possible to rename the file changing the file extension and still keep their macro executing capabilities.
For example, an RTF file does not support macros, by design, but a DOCM file renamed to RTF will be handled by Microsoft Word and will be capable of macro execution.
The same internals and mechanisms apply to all software of the Microsoft Office Suite (Excel, PowerPoint etc.).
You can use the following command to check with extensions are going to be executed by some Office programs:
DOCX files referencing a remote template (File –Options –Add-ins –Manage: Templates –Go) that includes macros can “execute” macros as well.
Go to: Insert --> Quick Parts --> Field Categories: Links and References, Filed names: includePicture, and Filename or URL: http://<ip>/whatever
The more common they are, the more probable the AV will detect it.
AutoOpen()
Document_Open()