Kaspersky Lab experts have detected an undocumented feature in the MS Office package that allows attackers to collect data about a target system simply by sending the victim a specially crafted Microsoft Word document. The document needs no active content such as VBA macros, embedded Flash objects, or PE files. The feature is present in Microsoft Word for Windows, as well as in the mobile versions of Microsoft Office for iOS and Android. LibreOffice and OpenOffice do not support it.
According to the researchers, intruders are already exploiting the functionality as part of a multi-stage attack called Freakyshelly, the first stage of which involves collecting data about the target system. While investigating this attack, the experts found a phishing email with interesting attachments: files in the OLE2 format that did not contain any macros, exploits, or any other active content. On closer inspection, it turned out that the files included a number of links to PHP scripts located on third-party resources. When a user tries to open the files in MS Word, the application sends a GET request to one of the links, and as a result the attackers receive data about the software installed on the system.
While analyzing the document, the specialists identified the INCLUDEPICTURE field, which indicates that an image is tied to certain characters in the text; the attackers used it to place a suspicious link instead. The problem is that the INCLUDEPICTURE field is practically undescribed in the Microsoft documentation. The ECMA-376 standard describes only the part of the INCLUDEPICTURE field before the delimiter byte, and there is no information on what the data after it means or how it can be interpreted, the experts noted.
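One way to triage attachments for the behaviour described above, as an added example that is not code from Kaspersky Lab or Microsoft: a heuristic raw-byte scan that reports INCLUDEPICTURE fields pointing at http(s) targets. It assumes the field text is stored as plain 8-bit or UTF-16LE characters and does not parse the OLE2 container; the function names and the sample bytes (with `.example` hosts) are constructed for illustration.

```python
import re
import sys

# Field instruction text: INCLUDEPICTURE "target" [switches]
FIELD = re.compile(r'INCLUDEPICTURE\s+"([^"\r\n]{1,2048})"', re.IGNORECASE)
REMOTE = re.compile(r"^https?://", re.IGNORECASE)


def text_views(data: bytes):
    """Decode the raw bytes as 8-bit text and as UTF-16LE at both byte alignments."""
    yield data.decode("latin-1")
    for offset in (0, 1):
        yield data[offset:].decode("utf-16-le", errors="replace")


def find_remote_includepicture(data: bytes) -> list[str]:
    """Return the distinct http(s) targets of INCLUDEPICTURE fields, in discovery order."""
    found = []
    for text in text_views(data):
        for match in FIELD.finditer(text):
            target = match.group(1).strip()
            # Local file paths are ignored; only remote fetches are reported.
            if REMOTE.match(target) and target not in found:
                found.append(target)
    return found


def constructed_sample() -> bytes:
    """Constructed bytes imitating field text; not taken from a real document."""
    narrow = b'\x13 INCLUDEPICTURE "http://tracker.example/log.php?id=1" \\* MERGEFORMAT \x14\x01\x15'
    local = b'\x13 INCLUDEPICTURE "C:\\\\images\\\\logo.png" \x14\x01\x15'
    wide = '\x13 INCLUDEPICTURE "https://cdn.example/p.php" \x14\x01\x15'.encode("utf-16-le")
    return b"\xd0\xcf\x11" + narrow + local + wide


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as handle:
                for url in find_remote_includepicture(handle.read()):
                    print(f"{path}: INCLUDEPICTURE -> {url}")
    else:
        for url in find_remote_includepicture(constructed_sample()):
            print(f"constructed sample: INCLUDEPICTURE -> {url}")
```

A hit is a reason to inspect the attachment before it is opened in Word, not proof of malice, since legitimate documents also link remote images.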