CVE-2017-0199 Practical exploitation ! (PoC)

Since several days the security community has been informed  thanks to FireEye publication of different malware campaigns (Dridex...) spreaded using CVE-2017-0199.
Several other publications were related to this vulnerability but no working exploit was published.
After digging a while I found the way to exploit this vulnerability in an easy way, which seems to be a bit different than the current works already done by other researchers.

I decided to publish this work as Microsoft officially published a patch on 11 of Apr 2017.

Technical background It is possible to include OLEv2 links to existing documents.  These objects (once included) will reflect the current content of the source link once loaded in the document. What is amazing is that if you try to include HTA link as an OLEv2 object it will be executed once (at the creation) but Winword will return an error like:

The problem in this case is that the HTA file will not be persistent (to make it persistent you would ha…