-
Notifications
You must be signed in to change notification settings - Fork 563
formats_vs_techniques
decalage2 edited this page Feb 2, 2022
·
7 revisions
This table shows the various techniques that can be used in malicious documents to trigger code execution, and the file formats in which they can be embedded. The last column suggests tools that can detect and analyse each technique.
This is work in progress, not all combinations have been thoroughly tested.
| File Format / Technique | VBA Macros | Excel 4 / XLM Macros | DDE | OLE Objects | Package OLE Objects | Remote Template | Remote OLE object | customUI (remote macro) |
|---|---|---|---|---|---|---|---|---|
| Word 97-2003 (DOC) | X | X | X | X | X | X | ||
| Word 2007+ (DOCX) | X | X | X | X | X | X | ||
| Word 2007+ macro-enabled (DOCM) | X | X | X | X | X | X | X | |
| Excel 97-2003 (XLS) | X | X | X | X | X | X | ||
| Excel 2007+ (XLSX) | X | X | X | X | X | |||
| Excel 2007+ macro-enabled (XLSM) | X | X | X | X | X | X | X | |
|
Excel 2007+ Binary (XLSB) |
X | X | X | |||||
| RTF | X | X | X | X | ||||
| CSV | X | |||||||
| SLK | X | X | ||||||
| MHT | X | ? | ? | ? | ? | ? | ||
| Word 2003 XML | X | X | ? | ? | ? | ? | ||
| Word 2016 XML | X | X | ? | ? | ? | ? | ? | |
| Publisher (PUB) | X | ? | ? | ? | ||||
| Visio (VSDX) | X | ? | ? | ? | ||||
| Tools | msodde | oleobj | oleobj | oleobj |