Skip to main content



DDE Exploitation Detection

So DDE vulnerability/feature (open to debate) is hot and it is being used not only by high profile APT actors like FIN7, but also by several other threat actors, like cyber criminals infecting machines with Locky or Hancitor etc.
Lets see how can we detect the malicious files as well as the typical infection process using DDE feature.
So here is a word doc file which seemingly looks empty but there are two hidden objects. Md5: f5564925dd68e23672d898e0a590340e
The first thing I will come across is this message, which I should say “No” to.

So I go ahead and click on “No” and I see a word file without any text
The trick is to try Ctrl+A to select everything in the word file and I can seem two invisible boxes selected.

The first box is nothing, maybe a decoy. The second small box is the “Field” element, which contains the Formula to be updated. What is that formula, let us have a look at it:
I select it, right click and say “Toggle Field Codes”..and Ta-da! I can see some code, which c…

Latest Posts

Locky or Trickbot - Campaign and Infrastructure Analysis