DDE, or Dynamic Data Exchange, allows one program to subscribe to items made available by another program, for example a cell in a Microsoft Excel spreadsheet, and be notified whenever that item changes. This can be used to execute code on interactive target.
=CMD|'/C calc.exe'!A0 =MSEXCEL|'\..\..\..\Windows\System32\cmd.exe /c calc.exe'!A0
regsvr32 to execute a real payload.
Usage of an
IQY file can help bypass AV solution:
Did not try yet, check https://www.securitysift.com/abusing-microsoft-office-dde/