Pierluigi Paganini
May 30, 2022
The cybersecurity researcher nao_sec discovered a malicious Word document (“05-2022-0438.doc”) that was uploaded to VirusTotal from Belarus. The document uses the remote template feature to fetch an HTML and then uses the “ms-msdt” scheme to execute PowerShell code.
Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code.https://t.co/hTdAfHOUx3 pic.twitter.com/rVSb02ZTwt
— nao_sec (@nao_sec) May 27, 2022
https://t.co/q9Mj9lRUjU pic.twitter.com/GhBo0qUBjo
— nao_sec (@nao_sec) May 27, 2022
The popular cybersecurity expert Kevin Beaumont published an analysis of the flaw.
“The document uses the Word remote template feature to retrieve a HTML file from a remote webserver, which in turn uses the ms-msdt MSProtocol URI scheme to load some code and execute some PowerShell.” reads the analysis published by Beaumont. “There’s a lot going on here, but the first problem is Microsoft Word is executing the code via msdt (a support tool) even if macros are disabled. Protected View does kick in, although if you change the document to RTF form, it runs without even opening the document (via the preview tab in Explorer) let alone Protected View.”
The issue affects multiple Microsoft Office versions, including Office, Office 2016, and Office 2021.
Security Affairs is one of the finalists for the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS. I ask you to vote for me again (even if you have already done it), because this vote is for the final.
Please vote for Security Affairs and Pierluigi Paganini in every category that includes them (e.g. sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog”)
To nominate, please visit:
Follow me on Twitter: @securityaffairs and Facebook
| [adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, domain name system)
[adrotate banner=”5″]
[adrotate banner=”13″]
