Sensepost published an article, Macro-less Code Exec in MSWord, describing a new method of executing code in Microsoft Word that does not rely on the usual macros. The method uses the Dynamic Data Exchange (DDE) protocol.
"Windows provides several methods for transferring data between applications. One method is to use the Dynamic Data Exchange (DDE) protocol. The DDE protocol is a set of messages and guidelines. It sends messages between applications that share data and uses shared memory to exchange data between applications. Applications can use the DDE protocol for one-time data transfers and for continuous exchanges in which applications send updates to one another as new data becomes available."
At the time of writing, this method has been seen in use by known threats such as Hancitor, Locky, and EMOTET. The flaw was reported to Microsoft; however, Microsoft responded that, as suggested, it is a feature, that no further action will be taken, and that it will be considered as a next-version candidate bug.
Related IOCs & Solutions
|HASH||VIRUS SCAN||BEHAVIOR MONITORING|
(Polski Ransomware .aes extension)