{
	"id": "d05b753b-a185-4535-ad22-f9fb92a85b12",
	"created_at": "2026-04-06T00:16:56.966422Z",
	"updated_at": "2026-04-10T13:12:27.27531Z",
	"deleted_at": null,
	"sha1_hash": "d51ad8238b4124ca8d90285a06b63c24508de790",
	"title": "Detecting DDE in MS Office documents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 137015,
	"plain_text": "Detecting DDE in MS Office documents\r\nBy Didier Stevens\r\nPublished: 2017-10-11 · Archived: 2026-04-05 14:25:40 UTC\r\nDynamic Data Exchange is an old Microsoft technology that can be (ab)used to execute code from within MS Office documents. Etienne Stalmans and Saif El-Sherei from Sensepost published a blog post in which they describe how to weaponize MS Office documents.\r\nWe wrote 2 YARA rules to detect this in Office Open XML files (like .docx):\r\nUpdate 1: our YARA rules detected several malicious documents in-the-wild.\r\nUpdate 2: we added rules for OLE files (like .doc) and updated our OOXML rules based on your feedback.\r\n// YARA rules Office DDE\r\n// NVISO 2017/10/10 - 2017/10/12\r\nrule Office_DDEAUTO_field {\r\n  strings:\r\n    $a = /<w:fldChar\\s+?w:fldCharType=\"begin\"\\/>.+?\\b[Dd][Dd][Ee][Aa][Uu][Tt][Oo]\\b.+?<w:fldChar\\s+?w:fldCharType=\"end\"\\/>/\r\n  condition:\r\n    $a\r\n}\r\nrule Office_DDE_field {\r\n  strings:\r\n    $a = /<w:fldChar\\s+?w:fldCharType=\"begin\"\\/>.+?\\b[Dd][Dd][Ee]\\b.+?<w:fldChar\\s+?w:fldCharType=\"end\"\\/>/\r\n  condition:\r\n    $a\r\n}\r\nrule Office_OLE_DDEAUTO {\r\n  strings:\r\n    $a = /\\x13\\s*DDEAUTO\\b[^\\x14]+/ nocase\r\n  condition:\r\n    uint32be(0) == 0xD0CF11E0 and $a\r\n}\r\nrule Office_OLE_DDE {\r\n  strings:\r\n    $a = /\\x13\\s*DDE\\b[^\\x14]+/ nocase\r\n  condition:\r\n    uint32be(0) == 0xD0CF11E0 and $a\r\n}\r\nThese rules can be used in combination with a tool like zipdump.py to scan XML files inside the ZIP container with the YARA engine:\r\nThe detection is based on regular expressions designed to detect fields containing the word DDEAUTO or DDE.\r\nBy dumping the detected YARA strings with option --yarastringsraw, one can view the actual command:\r\nHere is an example of the DDE rule firing:\r\nYou can also look for MS Office files containing DDE using this YARA rule in combination with ClamAV as described in this blog post.\r\nPublished October 11, 2017 (updated October 13, 2017)\r\nSource: https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/"
	],
	"report_names": [
		"detecting-dde-in-ms-office-documents"
	],
	"threat_actors": [],
	"ts_created_at": 1775434616,
	"ts_updated_at": 1775826747,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d51ad8238b4124ca8d90285a06b63c24508de790.pdf",
		"text": "https://archive.orkl.eu/d51ad8238b4124ca8d90285a06b63c24508de790.txt",
		"img": "https://archive.orkl.eu/d51ad8238b4124ca8d90285a06b63c24508de790.jpg"
	}
}