When opening a corrupt Microsoft Office document, I get a prompt that says something along the lines of:

Excel [or Word/PowerPoint/etc] has found unreadable content on 'filename.xlsx'. Do you wish to recover the contents of this document? If you trust the source of the document, click on Yes.

Why does Office tell you to click yes if you trust the source? What are the dangers of clicking Yes? What attacks can be done via this feature?

Edit: this is for a file without macros, before allowing macros to execute, since the prompt appears when opening the file. This can happen with files that don't end with *m.

simplegamer
    I don't know for sure, but 9 times out of 10 the answer is "Macros". –  May 30 '20 at 20:07

2 Answers

There are many reasons why a corrupt MS Office document could attack your computer when it is opened. The first reason is macros, which are typically coded in Visual Basic. The code of the macros could have malicious outcomes.

Although macros are, the majority of the time, the cause of an attack that occurs from opening an MS Office document, there are other things as well. Another major attack vector from corrupt or malicious MS Office files is ".pst" files. PST files are files that contain archived calendars, messages, emails, etc. from MS Outlook. From just the name of the Office product, one can guess what the attack vector is. The attack vector is that a malicious email that had internal malicious JavaScript, an image, etc., was archived. Later, on opening up the ".pst" file and opening the email, it could start attacking the device that is opening the archived email in the ".pst" file.

Another attack vector (although old) is a malicious ".xll" file. A ".xll" file contains C, C++, ".dll", and FORTRAN executable code that could be malicious. A ".xll" file is considered by MS as a legacy Excel format now.

The last thing I can think of is a malicious ".maq" file that is used by MS Office. It is a regular shortcut, but when opened it can automatically run a query on a database preconfigured or specified in the query. If the query is malicious (e.g. DROP DATABASE PASSWORDS), it will be attacking, or should I say modifying, the data in the database machine/environment.

Amol Soneji

As MechMK1 said, the primary concern with Office documents is macros in the document. Macros are mini-programs that can be run inside the document, originally intended as a way to automate common or tedious tasks within that Office program.

The danger lies in how these macros are written -- Visual Basic (VBA). VBA allows for the execution of a variety of commands, and when included in an Office macro, it can be used for malicious purposes.

  • But I have to give them permission to execute first, and I can't do so until the file is fully opened, which means having to grant Office permission to repair the file first. – simplegamer May 31 '20 at 00:04
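
For the case raised in the question (a file whose extension does not end in "m"), a defender can inspect the file before Office ever parses it. The following is an added example, not part of the original thread: it assumes the file is an OOXML package (a ZIP container) and that a VBA project, if present, is stored in a part named `vbaProject.bin`. The function names and the sample packages are constructed for illustration.

```python
import io
import zipfile

# Extensions that signal a macro-enabled file to the user.
MACRO_EXTS = (".xlsm", ".xltm", ".xlam", ".docm", ".dotm", ".pptm", ".potm", ".ppsm", ".ppam")

def triage_ooxml(data: bytes, filename: str) -> dict:
    """Inspect an OOXML (ZIP) container without handing it to Office."""
    report = {"valid_zip": False, "bad_member": None,
              "has_content_types": False, "vba_parts": [], "hidden_macros": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return report  # truncated or not a ZIP at all
    with zf:
        report["valid_zip"] = True
        report["bad_member"] = zf.testzip()  # first member failing its CRC check, else None
        names = zf.namelist()
    report["has_content_types"] = "[Content_Types].xml" in names
    report["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    # A VBA project inside a file whose extension does not announce macros.
    report["hidden_macros"] = bool(report["vba_parts"]) and not filename.lower().endswith(MACRO_EXTS)
    return report

def build_sample(with_vba: bool = False) -> bytes:
    """Constructed sample: a minimal stand-in package, not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            zf.writestr("xl/vbaProject.bin", b"constructed placeholder bytes")
    return buf.getvalue()

if __name__ == "__main__":
    clean = build_sample()
    damaged = clean.replace(b"<workbook/>", b"<workbooX/>", 1)  # break one member's CRC
    for label, blob in [("clean", clean), ("damaged", damaged),
                        ("truncated", clean[:20]), ("vba in .xlsx", build_sample(True))]:
        print(label, triage_ooxml(blob, "report.xlsx"))
```

A report with `valid_zip` false or a non-empty `bad_member` means the container itself is damaged; `hidden_macros` flags a VBA project that the file name does not disclose.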