February 20, 2018

Word, the leading word processor from Microsoft, has been used by most people at some point in their lifetime. In order to maintain its lead, Word is constantly updated – new features are added and bugs are being removed. A reasonably new feature, Word’s Online Video feature, supports inserting a remote video into the document, without embedding it within, thus keeping the document’s file size relatively small.

Here’s how one adds an online video to a Word document:



This frame has us curious as to its capabilities. It must be HTML code running in the background, and as we all know, Word is capable of parsing HTML code and inserting it into the document; but this is not the case.


The “image” is in fact a webVideoPr element of type CT_WebVideoPr. This type supports embeddedHTML code which is rendered in the context of the frame.


<wp15:webVideoPr xmlns:wp15=””embeddedHtml=”&lt;marquee&gt; What? &lt;/marquee&gt;”/>


The frame is an encapsulated iexplore.exe process, achieved by using the ieproxy!CWebBrowserHandler_CreateInstanceWrapper method (of ieproxy!CWebBrowserHandler class).


As only basic sanitization is performed on the provided HTML, it poses several security risks that we’d like to share.


Browser-based Cryptojacking

One of the recent concerns in the Internet realm is the threat of cryptocurrency mining via the browser. As these attacks are usually JavaScript based, they are easy and quick to implement.

The attack is quite simple: When the victim’s browser loads a cryptojacking script, and for as long as the page is open in the browser, his CPU will be used to mine a crypto-currency. The loading of the cryptojacking script can occur when the victim enters a site serving such script (knowingly or if it was compromised), or by receiving an ad that loads the script.


The IE frame fits perfectly for this scenario, as users can be tricked into watching an “innocent” video while, in the background, their CPU is being exhausted.

For this scenario to maximize efficiency, the attacker can tailor the video for the victim, making sure to choose one that the victim will be tempted to watch.


In the above images, 2 scenarios are demonstrated: the first is a public site utilizing Cryptojacking in the background, the second is our scenario where we’ve chosen a 12-minute video explaining Cryptocurrencies. While the victim is learning a new topic, we get 99% of his CPU for our shady business. It’s a win-win situation!

This scenario works across various versions of IE and is extremely easy to set up.

There is a slight drawback, as the IE frame would have to remain open for the miner to be able to operate. This means that longer videos are preferable to shorter ones in order to maximize profit. Another cool trick is to combine long videos, which would be selected according to the victim’s preferences, with a long “Loading..” animation. 

The next big leap is to infect the machine with a cryptocurrency-miner, which will allow the attacker full control over mining times (alongside having full control on the machine..)

In order to achieve that, the attacker would have to gain code execution on the machine. This could be via macros, tricking the user into executing scripts/files embedded within the document, or vulnerability exploitation.

While Word vulnerabilities exist, with new ones found on a monthly basis, this scheme opens a new attack vector, Internet Explorer.

Word is a widely used program in most organizations, and as such, maintains ongoing updates and patches as soon as they’re released. Internet Explorer is not as widely used given most organizations trust Chrome and Firefox over it, [1] and therefore it is updated less often.

Additionally, IE has been known for its vast variety of vulnerabilities, from browser-based (and javascript engine) vulnerabilities to bugs in plugins such as Flash.

The immediate threat to Internet Explorer and its vulnerabilities comes from Exploit-kits.



A new infection vector for Exploit-kits

Exploit-kits are at an interesting crossroad, as we’ve previously discussed. What once was a lucrative operation, turns out to be less and less effective as more and more users switch to browsers other than IE, and obtaining exploits for these browsers is getting harder by the day.

Taking a look at the “Online Video” feature from an exploit-kit point-of-view, things look promising. The document can be delivered via spam, and the user can be tricked via social-engineering to disable ‘Protected View’ and click the video. Accompanying the video, the IE frame would silently redirect the user to the exploit-kit gate for evaluation and if exploitation conditions are met a possible infection.

Having IE in a separate process helps beating Windows Defender Exploit Guard, meaning an exploitation scenario is possible even on updated Windows 10 machines.

It’s important to note that Office checks IE versions and won’t allow previous(IE8 and below), outdated versions to execute.

Above is an infection flow RigEK, infecting the machine with Ramnit (banking trojan) using a malicious Flash file (targeting IE Flash plugin). More info here.


By infecting the machine with a cryptocurrency-miner, the attacker gets his own remote money-maker machine to be used at his free will. Furthermore, owning the machine makes it suitable for a variety of other shady actions.


Phishy Videos

The third and most obvious scenario involves good old phishing schemes. This IE frame makes it so easy to extract private information from unsuspecting users.

We used a random online phishing page to show how easy it is to trick a user.

This ‘Online Video’ feature exists in other products of the Office suite, including PowerPoint and OneNote.

Unlike Word, though, it seems that this feature is handled by them in a more secure manner;

they only allow specific domains to be played via this feature. This is an estimation, as there is no information available online on this matter. There is, however, a list of white-listed domains, which can be used in OneNote [2] – we’re guessing it’s similar in PowerPoint as well.

Moreover, PowerPoint doesn’t enable the injection of any HTML code, it must begin with <iframe and end with </iframe>[3]. More details on supported Office versions and required IE versions can be found at [4].

We’ve notified MSRC on our research and findings which did not qualify to be addressed as a security issue.



We advise users to be suspicious when encountering a Word document bearing an Online Video, for as shown above, one might never know what it really holds.

Also, it might be a good opportunity to ensure your machine is up-to-date with the latest security patches, especially Internet Explorer.


As always, Votiro customers are safe from these kinds of threats and more, thanks to our Advanced CDR technology. Read all about it here.


[1]There are several locations online who collect browser usage data, they all seem to be summarized pretty nicely on this Wikipedia page







We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Privacy policy