References

| Type | URL | Description |
| --- | --- | --- |
| technique | https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/ | Arntz, P. (2015, July 22). Introduction to Alternate Data Streams. Retrieved March 21, 2018. |
| technique | https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/ | Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017. |
| technique | https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-s | SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. |
| technique | https://attack.mitre.org/techniques/T1564 | |
| technique | https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-fu | Cimpanu, C. (2017, December 15). Microsoft Disables DDE Feature in Word to Prevent Further Malware Attacks. Retrieved December 19, 2017. |
| technique | https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee | Nelson, M. (2018, January 29). Reviving DDE: Using OneNote and Excel for Code Execution. Retrieved February 3, 2018. |
| technique | https://www.contextis.com/blog/comma-separated-vulnerabilities | Kettle, J. (2014, August 29). Comma Separated Vulnerabilities. Retrieved November 22, 2017. |
| technique | https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021 | Microsoft. (2017, December 12). ADV170021 - Microsoft Office Defense in Depth Update. Retrieved February 3, 2018. |
| technique | https://technet.microsoft.com/library/security/4053440 | Microsoft. (2017, November 8). Microsoft Security Advisory 4053440 - Securely opening Microsoft Office documents that contain Dynamic Data Exchange (DDE) fields. Retrieved November 21, 2017. |
| technique | https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/ | NVISO Labs. (2017, October 11). Detecting DDE in MS Office documents. Retrieved November 21, 2017. |