Office OLE
Object Linking & Embedding (OLE) is a proprietary technology developed by Microsoft that allows transferring data between different applications using drag and drop and clipboard operations. This can be used to execute code on the target but requires user interaction.
Word
Drag and drop any Windows executable or native script (BAT, JScript, VBScript) into a Word document to embed the file completely within the document. The user must double-click the OLE object to trigger execution.
Change Icon
- Right Click on OLE object
- Packager Shell Object Object
- Convert
- Change Icon
- Browse
- Select C:\Windows\System32\imageres.dll
- Choose your icon
Payload
The following file types have been validated to work well to execute code:
- Bat + any of the Windows execution methods
- JScript
- VBScript
- Windows Executable
Deception
Use deceptive techniques to trick the user into double-clicking the OLE object and triggering execution.
Document: 2019-Employee-Benefits-ole.doc
Mitigations
The HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt registry value controls Office OLE object execution.

Key Value | Description |
---|---|
0 | No prompt from Office when user clicks, object executes |
1 | Prompt from Office when user clicks, object executes |
2 | No prompt, object does not execute |
Note on <Office Version>:

<Office Version> | Description |
---|---|
16.0 | Office 2016 |
15.0 | Office 2013 |
14.0 | Office 2010 |
12.0 | Office 2007 |
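
The mitigation above as an added example (not part of the original page): a PowerShell script that reports PackagerPrompt for the current user across the Office versions listed and, when run with the hypothetical -Enforce switch, sets it to 2. The application subkey names (Word, Excel, PowerPoint) are assumptions standing in for <Office application>; the script only touches HKCU, so it must run in the context of the user being checked.

```powershell
# Added example: audit (and optionally enforce) PackagerPrompt for the current user.
param(
    [switch]$Enforce   # hypothetical switch: write PackagerPrompt = 2 where it is missing or weaker
)

# Version numbers and names as given in the table above.
$versions = [ordered]@{
    '16.0' = 'Office 2016'; '15.0' = 'Office 2013'
    '14.0' = 'Office 2010'; '12.0' = 'Office 2007'
}
$apps = 'Word', 'Excel', 'PowerPoint'   # assumption: subkey names for <Office application>
$meaning = @{
    0 = 'No prompt, object executes'
    1 = 'Prompt, object executes'
    2 = 'No prompt, object does not execute'
}

$results = foreach ($ver in $versions.Keys) {
    foreach ($app in $apps) {
        $appKey = "HKCU:\Software\Microsoft\Office\$ver\$app"
        if (-not (Test-Path $appKey)) { continue }   # application never used by this user
        $secKey = Join-Path $appKey 'Security'

        # Read the current value; stays $null when the key or the value is absent.
        $current = $null
        if (Test-Path $secKey) {
            $current = (Get-ItemProperty -Path $secKey -Name PackagerPrompt `
                        -ErrorAction SilentlyContinue).PackagerPrompt
        }

        if ($Enforce -and $current -ne 2) {
            if (-not (Test-Path $secKey)) { New-Item -Path $secKey -Force | Out-Null }
            New-ItemProperty -Path $secKey -Name PackagerPrompt `
                -PropertyType DWord -Value 2 -Force | Out-Null
            $current = 2
        }

        [pscustomobject]@{
            Office         = $versions[$ver]
            Application    = $app
            PackagerPrompt = if ($null -eq $current) { 'not set' } else { $current }
            Effect         = if ($null -eq $current) { 'Office default applies' }
                             elseif ($meaning.ContainsKey([int]$current)) { $meaning[[int]$current] }
                             else { 'unknown value' }
            Blocked        = ($current -eq 2)
        }
    }
}
$results | Format-Table -AutoSize
```

Rows where Blocked is False are the ones where a double-click on an embedded package can still lead to execution.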