Journal of Internet Computing and Services
ISSN 2287-1136 (Online) / ISSN 1598-0170 (Print)
https://jics.or.kr/

Implementing of Malicious Execution Mechanisms in VBA and OOXML


Suho Son, Moonseong Kim, Journal of Internet Computing and Services, Vol. 26, No. 6, pp. 23-31, Dec. 2025
DOI: 10.7472/jksii.2025.26.6.23
Keywords: VBA, OOXML, Imperative Attack, Declarative Attack, Command Usurping, Remote Template, OLE Object

Abstract

Microsoft Office documents are exploited as sophisticated system infiltration vectors through two distinct attack paradigms. The first is the Imperative Attack paradigm of Visual Basic for Applications (VBA), and the second is the Declarative Attack paradigm of Office Open XML (OOXML). This paper provides an in-depth analysis of the mechanisms underlying these two core attack vectors and implements and compares them through empirical experimentation. The experimental results confirmed that Imperative attacks, including Auto-Run mechanisms and Command Usurping techniques, are effectively controlled by ‘Macro Blocking’ policies. Conversely, Declarative attacks—such as Remote Template insertion and OLE (Object Linking and Embedding) object insertion—were shown to bypass vbaProject.bin analysis and macro-based warning mechanisms and to directly invoke the OS Shell. These findings indicate that analyzing Imperative attacks alone is insufficient to defend against Declarative attacks. Accordingly, this study suggests that establishing practical defensive capability requires a comprehensive strategy that includes not only VBA imperative code analysis but also the declarative structural analysis of OOXML, which is essential for practice-oriented security education.
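The declarative structural analysis the abstract calls for can be illustrated with a relationship-part scan. The following is an added example, not code from the paper: it walks every `.rels` part of an OOXML package and reports externally targeted `attachedTemplate` relationships and `oleObject` relationships, alongside whether a `vbaProject.bin` is present. The function names, the sample package and the `example.invalid` URL are constructed for illustration, and treating these two relationship types as the indicators of interest is an assumption drawn from the abstract.

```python
import io
import zipfile
import xml.etree.ElementTree as ET  # for untrusted files, prefer a hardened parser such as defusedxml

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

def scan_ooxml(data: bytes) -> dict:
    """Report macro presence and declarative findings for an OOXML package."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        names = pkg.namelist()
        # Imperative side: is there any VBA project at all?
        has_vba = any(n.lower().endswith("vbaproject.bin") for n in names)
        # Declarative side: inspect every relationship part in the package.
        for name in (n for n in names if n.endswith(".rels")):
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                rtype = rel.get("Type", "")
                kind = rtype[len(OFFICE_REL):] if rtype.startswith(OFFICE_REL) else rtype
                external = rel.get("TargetMode") == "External"
                if (kind == "attachedTemplate" and external) or kind == "oleObject":
                    findings.append((name, kind, external, rel.get("Target", "")))
    return {"has_vba": has_vba, "findings": findings}

def build_sample() -> bytes:
    """Constructed sample: no macros, one remote template, one embedded OLE part."""
    wrap = '<Relationships xmlns="' + PKG_NS + '">%s</Relationships>'
    settings_rels = wrap % (
        '<Relationship Id="rId1" Type="' + OFFICE_REL + 'attachedTemplate" '
        'Target="https://templates.example.invalid/t.dotm" TargetMode="External"/>')
    document_rels = wrap % (
        '<Relationship Id="rId5" Type="' + OFFICE_REL + 'oleObject" '
        'Target="embeddings/oleObject1.bin"/>'
        '<Relationship Id="rId6" Type="' + OFFICE_REL + 'styles" Target="styles.xml"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/settings.xml.rels", settings_rels)
        z.writestr("word/_rels/document.xml.rels", document_rels)
    return buf.getvalue()

if __name__ == "__main__":
    report = scan_ooxml(build_sample())
    print("vbaProject.bin present:", report["has_vba"])
    for part, kind, external, target in report["findings"]:
        print(part, kind, "external" if external else "internal", target)
```

On the constructed sample the scan reports no VBA project but two declarative findings, which is the gap a macro-only analysis leaves open.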


Cite this article
[APA Style]
Son, S. & Kim, M. (2025). Implementing of Malicious Execution Mechanisms in VBA and OOXML. Journal of Internet Computing and Services, 26(6), 23-31. DOI: 10.7472/jksii.2025.26.6.23.

[IEEE Style]
S. Son and M. Kim, "Implementing of Malicious Execution Mechanisms in VBA and OOXML," Journal of Internet Computing and Services, vol. 26, no. 6, pp. 23-31, 2025. DOI: 10.7472/jksii.2025.26.6.23.

[ACM Style]
Suho Son and Moonseong Kim. 2025. Implementing of Malicious Execution Mechanisms in VBA and OOXML. Journal of Internet Computing and Services, 26, 6, (2025), 23-31. DOI: 10.7472/jksii.2025.26.6.23.