We are still seeing malware campaigns using the DDE exploit. These are somewhat different from earlier versions: the Word docs contain macros with a very basic base64-encoded PowerShell script that contains the DDE exploit. Using Office Malscanner only shows the macro with a DDE Auto command, not a separate embedded DDE object in the way the previous versions did.
The original email was uploaded to our submissions system on 22 December 2017. I tried the links in the email several times over the last few days and always got a time out with no response, even trying via numerous proxy servers worldwide. Today I actually got a response and downloaded the malicious Word Doc that contains the DDE exploit in the macro. The original uploader thought this was a phishing email because he also didn’t get any payload delivered to him.
The email pretends to be from eBay asking you to download an invoice. Unfortunately, today, the site(s) the PowerShell tries to contact are giving a 404 response, so I have no idea what the eventual payload was supposed to be. This post is therefore a general information post about the use of DDE in macros.
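The combination described above (a macro carrying a base64-encoded PowerShell command whose decoded text holds the DDE field) is easy to miss if a scanner only looks at the macro's plaintext. As an added example, not code from the original post or from Office Malscanner, the script below decodes long base64 runs found in VBA source (trying UTF-16LE first, since that is what PowerShell's EncodedCommand form uses) and flags any DDE/DDEAUTO keyword that appears either in the plaintext or in the decoded content. The sample macro, the `program.exe` path (taken from the dialog quoted later in the post) and all function names are constructed for the example.

```python
import base64
import re

# Long runs of base64 alphabet characters; 40 is an arbitrary threshold chosen
# so ordinary VBA identifiers and short literals are not decoded.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# DDE or DDEAUTO as a whole word, case-insensitive (Word field keywords).
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def decode_base64_runs(text):
    """Return the decoded text of every long base64 run in `text`.

    PowerShell -EncodedCommand payloads are UTF-16LE, so a run whose odd bytes
    are mostly NUL is decoded as UTF-16LE; anything else is treated as UTF-8.
    """
    decoded = []
    for match in B64_RUN.finditer(text):
        blob = match.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        except ValueError:
            continue  # not valid base64 after all
        if len(raw) >= 2 and raw[1::2].count(0) > len(raw) // 4:
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("utf-8", errors="replace"))
    return decoded


def scan_macro(macro_source):
    """Scan VBA source text and report DDE indicators, plain or base64-hidden."""
    decoded_runs = decode_base64_runs(macro_source)
    findings = {
        "encoded_command": "-encodedcommand" in macro_source.lower(),
        "base64_runs": len(decoded_runs),
        "dde_in_plaintext": bool(DDE_RE.search(macro_source)),
        "dde_in_decoded": any(DDE_RE.search(d) for d in decoded_runs),
        "decoded": decoded_runs,
    }
    findings["suspicious"] = findings["dde_in_plaintext"] or findings["dde_in_decoded"]
    return findings


# --- Constructed sample input (not a real payload) -------------------------
# The decoded text mimics the shape of a DDEAUTO field; the path and arguments
# are placeholders for the example.
SAMPLE_DECODED = 'DDEAUTO "C:\\windows\\system32\\program.exe" "constructed sample args"'
SAMPLE_ENCODED = base64.b64encode(SAMPLE_DECODED.encode("utf-16-le")).decode("ascii")

SAMPLE_MACRO = (
    "Sub AutoOpen()\n"
    "    Dim cmd As String\n"
    f'    cmd = "powershell -NoP -EncodedCommand {SAMPLE_ENCODED}"\n'
    "End Sub\n"
)

BENIGN_MACRO = 'Sub AutoOpen()\n    MsgBox "Document opened"\nEnd Sub\n'


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        result = scan_macro(src)
        print(name, "suspicious" if result["suspicious"] else "clean",
              "| base64 runs:", result["base64_runs"],
              "| DDE in decoded:", result["dde_in_decoded"])
        for d in result["decoded"]:
            print("   decoded:", d)
```

Run against real samples, feed it the macro source you extract with your usual tooling; the point is that the DDE keyword only surfaces after decoding, so a plaintext-only rule on the macro would report nothing.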
What makes these much worse to deal with than normal macros or embedded OLE objects is the rather innocuous warning that Word gives when the document is opened, which unwitting recipients are possibly more likely to click through because they don't understand it. Combining macros with the DDE exploit means that the prospective victim has to click through 4 or 5 warnings to actually be infected by these sorts of scam, phishing malware emails.
Asking somebody to update links seems innocent enough, and many recipients will click Yes just because they have no idea what it means. Clicking No will stop this exploit. If you click Yes, you should then get a second alert saying something like "The remote data is not accessible. Do you want to start the application C:\windows\system32\program.exe?" However, we believe it is possible for the malware author to hide or bypass the second message and automatically script the file to run.