# Phishing: Embedded HTML Forms

In this phishing lab I am just playing around with the POCs researched, coded and described by Yorick Koster in his blog post [Click me if you can, Office social engineering with embedded objects](https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html)

## Execution

![](/files/-LLP0QqjMQH0JmxAI59j)

{% file src="/files/-LLP0dJuTS\_RdHPctpvr" %}
Forms.ps1
{% endfile %}

{% file src="/files/-LLP0Y2tVNXrOS-qoqjp" %}
Forms.docx
{% endfile %}

## Observations

These types of phishing documents can be identified by looking for the CLSID 5512D112-5CC6-11CF-8D67-00AA00BDCE1D in the embedded `.bin` files:

![](/files/-LLP11w7b5dwx2QN9I6C)

...as well as inside the activeX1.xml file:

![](/files/-LLP0Pamd6EwRl-1AWn4)

As usual, MS Office applications spawning cmd.exe or powershell.exe should be investigated:

![](/files/-LLP1VLs6A-1Aq2xHze7)

## References

{% embed url="<https://securify.nl/blog/SFY20180801/click-me-if-you-can_-office-social-engineering-with-embedded-objects.html>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/phishing-embedded-html-forms.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.