Cryptocurrency Mining Scripts Can Run Inside Word Documents

Security analysts from Votiro and experts at Bleeping Computer have warned that hidden cryptocurrency miners can operate not only on websites and through browsers, but also inside Word documents. Malicious JavaScript code can be executed within Word files because Microsoft Word now allows users to embed videos directly into document files.

According to experts from the Israeli company Votiro, a hidden mining script can be integrated into a document along with a video iframe, allowing Monero to be mined without the user’s knowledge. Specialists explain that an iframe can be embedded from almost any source, meaning there is no whitelist of “trusted” services or domains. Even worse, the resulting popup acts as a stripped-down version of Internet Explorer.

As a result, an attacker can host a video on their own domain and ensure that, along with the video, a cryptojacking script for mining is embedded in the document. When a victim opens the malicious Word document and plays the embedded video, Internet Explorer will also launch the Monero mining script. Researchers have created two proof-of-concept Word documents demonstrating this attack in action.

Bleeping Computer experts note that, fortunately, this type of attack is unlikely to be profitable for cybercriminals. Hidden mining only generates significant profit if users spend a long time on an infected site. That’s why cryptojacking scripts are most often found on adult sites, “pirate” streaming resources, and similar platforms. In this case, mining time is limited, and the attacker must first convince the user to open the Word document and play the video.

However, Votiro experts are concerned that the issue they discovered could be used for more than just hidden mining. They suggest that attackers could use embedded content to add phishing pages directly into Word files, for example, by making video playback available only to authorized users—thus tricking victims into entering their account credentials.

The researchers have notified Microsoft engineers about the potential problems, but the company has, as expected, refused to acknowledge this functionality as problematic. According to tests conducted by Bleeping Computer, after launching an embedded video in Word, many antivirus solutions detect the mining script and block its operation. So, if criminals do start exploiting this feature for attacks, at least some users will be protected.