
New Attack Fingerprints Users Using Word Documents

A newly detailed attack method leverages Microsoft Word documents to gather information on users, but doesn’t use macros, exploits or any other active content to do so, security researchers at Kaspersky Lab have discovered.


Distributed as attachments to phishing emails, these documents were in OLE2 format and contained links to PHP scripts located on third-party web resources. As soon as a user opens the files in Microsoft Office, the application accesses one of the links, resulting in the attackers receiving information about the software installed on the computer.

An analyzed document contained tips on how to use Google search more effectively and did not appear suspicious, especially since it contained no active content, embedded Flash objects or PE files. However, as soon as a user opens the document, Word sends a GET request to an internal link.

“This code effectively sent information about the software installed on the victim machine to the attackers, including info about which version of Microsoft Office was installed,” the security researchers say.

The security researchers discovered that the document used an undocumented Word feature, the INCLUDEPICTURE field. This field indicates that an image is attached to certain characters in the text, but the attackers used it to include a suspicious link there, although that link was not the URL addressed by Word.

While the text in a Word document is stored in a raw state, so-called fields indicate how portions of the text should be presented. A specific byte indicates that the raw text ends and the INCLUDEPICTURE field begins, and separator and end bytes are also associated with the field.

In the analyzed document, a byte between the separator and the end indicates that an image should be inserted at that point. After locating the byte sequence with the picture placeholder, the researchers determined the offset at which the image should be located in the Data stream. The object at that offset turned out to be a Form, and its name was another suspicious link.

Because the link was only an object name, it wasn’t used in any way, but a combination of flags was used to indicate that additional data should be attached to the form. This data, the researchers say, “constitutes a URL that leads to the actual content of the form.”

A ‘do not save’ flag prevented the content from being saved to the actual document when it was opened.
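For triage on the defender's side, the field structure described above can be searched for directly. The following is an added example, not code from Kaspersky or the article: it scans raw bytes for an INCLUDEPICTURE field and its picture placeholder, assuming the standard Word binary field marks (0x13 begin, 0x14 separator, 0x15 end, 0x01 picture), which the article does not quote. It does not parse the OLE2 container or the Data stream, so the URL attached to the form is outside its scope, and the sample bytes are constructed.

```python
import re

# Field marks in the Word binary format's text (values from the MS-DOC
# format, not quoted in the article): begin, separator, end, picture.
BEGIN, SEP, END, PICTURE = "\x13", "\x14", "\x15", "\x01"

FIELD_RE = re.compile(
    BEGIN + r"\s*INCLUDEPICTURE([^\x13\x14\x15]{0,512})"
    r"(?:" + SEP + r"([^\x13\x15]{0,512}))?" + END,
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s\"<>\\]+", re.IGNORECASE)


def _views(data: bytes):
    """Yield the buffer as 8-bit text and as UTF-16LE at both alignments."""
    yield "8-bit", data.decode("latin-1")
    for skip in (0, 1):
        yield "utf-16le", data[skip:].decode("utf-16-le", errors="replace")


def find_includepicture(data: bytes):
    """Return one finding per INCLUDEPICTURE field seen in raw .doc bytes."""
    findings = []
    for encoding, text in _views(data):
        for m in FIELD_RE.finditer(text):
            instruction, result = m.group(1).strip(), m.group(2) or ""
            findings.append({
                "encoding": encoding,
                "instruction": instruction,
                "urls": URL_RE.findall(instruction),
                "picture_placeholder": PICTURE in result,
            })
    return findings


# Constructed sample bytes (not taken from the analysed document).
SAMPLE_8BIT = (b"Search tips\r\x13 INCLUDEPICTURE "
               b"\"http://tracker.example/a.php\" \\d \x14\x01\x15\r")
SAMPLE_UTF16 = b"\x00" + ("tips\x13INCLUDEPICTURE \"http://t.example/b.php\""
                           "\x14\x01\x15").encode("utf-16-le")
CLEAN = b"Plain text mentioning INCLUDEPICTURE without field marks"

if __name__ == "__main__":
    for name, blob in [("8bit", SAMPLE_8BIT), ("utf16", SAMPLE_UTF16), ("clean", CLEAN)]:
        print(name, find_includepicture(blob))
```

A hit is a reason to inspect the document further, not a verdict: INCLUDEPICTURE fields also appear in benign documents that link external images.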

The issue, the Kaspersky researchers say, is that “Microsoft Office documentation provides basically no description of the INCLUDEPICTURE field.” They couldn’t find information on what the data that follows the separator may mean, and how it should be interpreted, which was the main problem when trying to understand how the document was following the URL.

“This is a complex mechanism that the bad guys have created to carry out profiling of potential victims for targeted attacks. In other words, they perform serious in-depth investigations in order to stay undetected while they carry out targeted attacks,” Kaspersky says.

This Office feature exists in Word for Windows, Microsoft Office for iOS, and Microsoft Office for Android, the researchers discovered. However, LibreOffice and OpenOffice do not have it, meaning that Word documents opened with either of these applications won’t call the malicious link.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
