Office OLE

Object Linking & Embedding (OLE) is a proprietary technology developed by Microsoft that allows transferring data between different applications using drag and drop and clipboard operations. This can be used to execute code on the target but requires user interaction.

Word

Drag and drop any Windows executable or native script (BAT, JScript, VBScript) into a Word document to embed the file completely within the document. The user must double-click the OLE object to trigger execution.

Change Icon
  1. Right-click on the OLE object
  2. Packager Shell Object Object
  3. Convert
  4. Change Icon
  5. Browse
  6. Select C:\Windows\System32\imageres.dll
  7. Choose your icon

Payload

The following file types have been validated to work well to execute code:

Deception

Use deceptive techniques to trick the user into double-clicking the OLE object and triggering execution.

Document: 2019-Employee-Benefits-ole.doc

Mitigations

The HKCU\Software\Microsoft\Office\<Office Version>\<Office application>\Security\PackagerPrompt registry value controls Office OLE object execution.

Key Value   Description
0           No prompt from Office when user clicks, object executes
1           Prompt from Office when user clicks, object executes
2           No prompt, object does not execute

Note on <Office Version>:

<Office Version>   Description
16.0               Office 2016
15.0               Office 2013
14.0               Office 2010
12.0               Office 2007