In the following example, the threat arrived as 2 files with “.doc” extensions (xxx1.doc and xxx2.doc); however one of the files is actually a Microsoft Access database containing the MS Jet exploit. The whole story is depicted in Figure 1.
When users open the MS Word file xxx1.doc, the MS Access file xxx2.doc is loaded through the data link properties. Then the shellcode in the xxx2.doc file runs (triggered by the MS Jet exploit in the same file) and decodes itself in typical fashion. The shell code launches WinWord.exe to open the innocent Word file embedded in “xxx1.doc”.