olevba+mraptor: detect Evaluate+DDE

As shown by @DissectMalware, in VBA with Excel the Evaluate method can be used to trigger a DDE link to run code:
- https://twitter.com/DissectMalware/status/1071147937693134849
- https://twitter.com/DissectMalware/status/1071147341544071168
- https://docs.microsoft.com/en-us/office/vba/api/Excel.Application.Evaluate

Example:
```
DDE = "cmd|'/c calc'!A0"
Workbooks(1).Sheets(1).Evaluate DDE
Workbooks(1).Application.Sheets(1).Evaluate DDE
Workbooks.Add(1).Application.Sheets(1).Evaluate DDE 
Application.Evaluate DDE
```
It might also be possible to use this method to trigger old-style MS Excel macros.

Moreover, from the MS doc: "Using square brackets (for example, "[A1:C5]") is identical to calling the Evaluate method with a string argument."

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

olevba+mraptor: detect Evaluate+DDE #372

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

olevba+mraptor: detect Evaluate+DDE #372

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions