Malware distributed via MS Office DDE “feature” — no macros required!

What is DDE?

DDE (Dynamic Data Exchange) is a protocol used to transfer data between applications, and it also gives applications the ability to launch other applications. With DDE it is quite easy to launch applications and/or execute code on the host operating system through specially crafted MS Word and Excel documents. Of course, it is just as easy to exploit these features with malicious intent. Sensepost highlighted this in their blog post on October 9th, and since then security researchers have observed an increase in malicious activity in which threat actors use the DDE feature to push macro-less malware via Word documents. Microsoft responded to Sensepost's disclosure that DDE is a "feature" of these applications and that no further action will be taken.

How does this attack work?

Here's one example that Vertek's labs team analyzed this week: Hancitor, a common loader for information-stealing/banking trojans, was delivered via DocuSign-themed malspam. The email contains a link to download a document for review. That document (receipt_928862.doc) leverages DDE to launch a command prompt and use PowerShell to download and execute the malicious program. The following image is a real-world analysis that steps through this attack vector in 5 steps; all the user had to do was open the document and click Yes twice to proceed.

[Image: five-step analysis of the receipt_928862.doc DDE attack chain]
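
The attack chain above rests on a DDE or DDEAUTO field code stored inside the document, so one defensive check is to scan documents for such field instructions before they reach users. The following is an added example, not code from the original post or from Vertek: a small Python checker that extracts every field instruction from a .docx (OOXML) file and reports the DDE ones, run against a constructed in-memory sample. The analyzed receipt_928862.doc was a binary .doc, which needs a different parser; this example covers the OOXML form only.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"^\s*DDE(AUTO)?\b", re.IGNORECASE)  # DDEAUTO fires on open

# Constructed sample word/document.xml: a complex DDEAUTO field whose instruction
# is split across two instrText runs (as Word may store it), plus a benign DATE field.
SAMPLE_DOCUMENT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:body><w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>
<w:r><w:instrText xml:space="preserve"> DDE</w:instrText></w:r>
<w:r><w:instrText xml:space="preserve">AUTO "placeholder-app.exe" "constructed sample argument"</w:instrText></w:r>
<w:r><w:fldChar w:fldCharType="separate"/></w:r><w:r><w:t>cached result</w:t></w:r><w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>
<w:p><w:fldSimple w:instr=" DATE "><w:r><w:t>today</w:t></w:r></w:fldSimple></w:p>
</w:body></w:document>"""

def field_instructions(document_xml: bytes):
    """Yield every field instruction: w:fldSimple/@w:instr for simple fields, and the
    joined w:instrText runs between the begin and separate/end fldChar markers for complex fields."""
    root = ET.fromstring(document_xml)
    for fld in root.iter(W + "fldSimple"):
        yield fld.get(W + "instr", "")
    parts, collecting = [], False
    for el in root.iter():  # document order
        if el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                parts, collecting = [], True
            elif kind in ("separate", "end") and collecting:
                yield "".join(parts)  # instruction ends where the cached result begins
                collecting = False
        elif el.tag == W + "instrText" and collecting:
            parts.append(el.text or "")

def find_dde_fields(docx_bytes: bytes):
    """Return the DDE/DDEAUTO field instructions found in a .docx (OOXML) file."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        xml = z.read("word/document.xml")
    return [i.strip() for i in field_instructions(xml) if DDE_RE.match(i)]

def build_sample_docx() -> bytes:
    """Zip the constructed sample into a minimal .docx container (document part only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml", SAMPLE_DOCUMENT_XML)
    return buf.getvalue()
```

Calling `find_dde_fields(open("file.docx", "rb").read())` on a real file returns the joined DDE instructions, which is what a mail gateway or sandbox would alert on; the DATE field in the sample is correctly ignored.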

What can you do to prevent MS Word from automatically opening DDE linked applications in your environment?

First and foremost, don't open emails from suspicious sources, and read the warnings you are presented with.

These instructions are for disabling it in Microsoft Word only. It is a much bigger challenge to disable DDE in Excel because of the way Excel uses DDE: disabling it will actually break the ability to open Excel documents by double-clicking them. At this time, we've only seen the attacks through MS Word documents. Even in MS Word, DDE has valid use cases, and you may be relying on it in your environment without knowing it. Proceed at your own risk and test accordingly.

Word can be stopped from automatically opening DDE-linked content when a document is opened by unchecking the following setting:

[Image: the Word option to uncheck]

This can also be disabled domain wide via a group policy object (GPO). Again, test accordingly!

[Image: the corresponding Group Policy setting]