This technique does not rely on VBA macros and requires the use of the .docx format (for Word). This format is essentially a ZIP container with XML files, as can be seen with zipdump (a tool to analyze ZIP files):
Searching for the keyword webVideoPr with an ad-hoc YARA rule can help identify documents with online videos:
The embedded payload in Cymulate’s proof of concept document is a Windows executable (PE file) encoded in BASE64. As such, it’s easy to extract from document.xml and decode with a tool like base64dump:
We created two ClamAV rules to detect documents with online videos:
One is for documents with online videos; the other is for documents with online videos that use msSaveOrOpenBlob to launch arbitrary code.
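The three checks described above (list the ZIP container as zipdump does, look for the webVideoPr keyword and for msSaveOrOpenBlob as the YARA and ClamAV rules do, and pull out BASE64 blobs that decode to a PE header as base64dump does) can be combined into one small triage script. The code below is an added example, not Cymulate's proof of concept and not the tools or rules from the original post; the .docx it scans is a constructed fixture built in memory, and its BASE64 blob is just a fake "MZ" header padded with zeros, not an executable.

```python
import base64
import binascii
import hashlib
import io
import re
import zipfile

# Constructed fixture: base64 of a fake PE header ("MZ" followed by zeros).
# It decodes to 64 bytes and is not a real executable.
FAKE_PE_B64 = base64.b64encode(b"MZ" + b"\x00" * 62).decode()

# Constructed minimal word/document.xml carrying a webVideoPr element whose
# embeddedHtml attribute contains the msSaveOrOpenBlob keyword and the blob.
CONSTRUCTED_DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"'
    ' xmlns:wp15="http://schemas.microsoft.com/office/word/2012/wordprocessingDrawing">'
    '<w:body><w:p><w:r><w:drawing>'
    '<wp15:webVideoPr embeddedHtml="&lt;script&gt;var blob=&apos;'
    + FAKE_PE_B64 +
    '&apos;; /* msSaveOrOpenBlob */&lt;/script&gt;" h="360" w="640"/>'
    '</w:drawing></w:r></w:p></w:body></w:document>'
)


def build_constructed_docx(document_xml: str = CONSTRUCTED_DOCUMENT_XML) -> bytes:
    """Build a minimal .docx (ZIP container with XML parts) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
            'package/2006/content-types"/>',
        )
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


def list_docx_entries(docx_bytes: bytes) -> list:
    """zipdump-style listing: (entry name, uncompressed size) for each member."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        return [(info.filename, info.file_size) for info in zf.infolist()]


def scan_docx(docx_bytes: bytes) -> dict:
    """Triage a .docx for the online-video abuse pattern.

    Returns flags mirroring the two rule tiers in the post: any online video,
    and online video plus msSaveOrOpenBlob; plus base64dump-style PE candidates.
    """
    result = {
        "is_zip": False,
        "has_online_video": False,
        "uses_msSaveOrOpenBlob": False,
        "embedded_pe_candidates": [],
    }
    if not zipfile.is_zipfile(io.BytesIO(docx_bytes)):
        return result  # not a .docx container (e.g. legacy .doc or not Office at all)
    result["is_zip"] = True
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if "word/document.xml" not in zf.namelist():
            return result
        xml = zf.read("word/document.xml").decode("utf-8", errors="replace")

    if "webVideoPr" not in xml:
        return result
    result["has_online_video"] = True
    result["uses_msSaveOrOpenBlob"] = "msSaveOrOpenBlob" in xml

    # base64dump-style pass: find long BASE64 runs and keep those that decode
    # to something starting with the "MZ" PE magic.
    for match in re.finditer(r"[A-Za-z0-9+/]{40,}={0,2}", xml):
        try:
            data = base64.b64decode(match.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # long alphanumeric run that is not valid BASE64 (e.g. a URL path)
        if data.startswith(b"MZ"):
            result["embedded_pe_candidates"].append({
                "offset": match.start(),
                "length": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
    return result


if __name__ == "__main__":
    sample = build_constructed_docx()
    for name, size in list_docx_entries(sample):
        print(f"{size:8d}  {name}")
    print(scan_docx(sample))
```

The two boolean flags correspond to the two ClamAV rules: `has_online_video` alone is a low-severity hit (legitimate documents embed online videos too), while `has_online_video` together with `uses_msSaveOrOpenBlob` or a non-empty `embedded_pe_candidates` list is the combination worth escalating.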