February 5, 2021 in LOLBins

I was toying around with the Office application MSOXMLED.EXE and noticed that it handles URLs. Thanks to that, it can be used to download a file to the internet cache folder, as shown below:

There are at least two different ways to invoke it:

MSOXMLED.EXE /verb open [URL]
MSOXMLED.EXE /verb [anything] /genverb open [URL]

c:\Users\[user]\AppData\Local\Microsoft\Windows\INetCache\Low\IE\[random]\[file]

The caveat is that it seems to use Internet Explorer as a proxy, hence iexplore.exe will be spawned. As such, it doesn’t work on systems where IE is removed (thx to @NathanMcNulty for confirming this and reminding me about the two different paths below).

The actual MSOXMLED.EXE binary is located in these two places (64- and 32-bit versions):

• c:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE
• c:\Program Files (x86)\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLED.EXE
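The behaviour described above gives two things to hunt for in process-creation telemetry: an MSOXMLED.EXE command line ending in `open` plus a URL, and iexplore.exe spawned by MSOXMLED.EXE. The following Python is an added example, not code from the original post; the event field names, rule names and sample events are assumptions constructed for illustration.

```python
import ntpath
import re

# The two invocation forms from the post, "/verb open [URL]" and
# "/verb [anything] /genverb open [URL]", both end in "open <URL>".
OPEN_URL = re.compile(r'/(?:gen)?verb\s+open\s+"?([a-z][a-z0-9+.\-]*://[^\s"]+)', re.I)

def _name(path):
    """Lower-cased file name of a Windows path (works on any OS)."""
    return ntpath.basename(path or "").lower()

def hunt(events):
    """Return (rule, detail) findings for process-creation events.

    Each event is a dict with 'image', 'command_line' and 'parent_image'
    keys; these field names are an assumption, map them to your telemetry.
    """
    findings = []
    for ev in events:
        image = _name(ev.get("image"))
        parent = _name(ev.get("parent_image"))
        if image == "msoxmled.exe":
            m = OPEN_URL.search(ev.get("command_line") or "")
            if m:  # a local file path after "open" does not match
                findings.append(("msoxmled_open_url", m.group(1)))
        # The post notes the fetch goes through IE, so iexplore.exe is spawned.
        if image == "iexplore.exe" and parent == "msoxmled.exe":
            findings.append(("msoxmled_spawned_ie", ev.get("parent_image")))
    return findings

# Constructed sample events (not real telemetry); example.test is a placeholder host.
OFFICE = (r"C:\Program Files (x86)\Microsoft Office\root\vfs"
          r"\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE")
SAMPLE_EVENTS = [
    {"image": OFFICE, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "MSOXMLED.EXE /verb open http://example.test/a.xml"},
    {"image": OFFICE, "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": 'msoxmled.exe /verb foo /genverb open "https://example.test/b.bin"'},
    {"image": OFFICE, "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'MSOXMLED.EXE /verb open "C:\Users\user\Documents\local.xml"'},
    {"image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": OFFICE, "command_line": "iexplore.exe"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(rule, detail)
```

The third sample event, which opens a local XML file, produces no finding, so only URL arguments are flagged.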

For anyone wondering,