Mixing File Types

I just stumbled across an interesting article about an upcoming talk at BlackHat. They dub the technique “GIFAR”: a Java file is renamed as a GIF but still executes as a JAR.

CyberWART and G2 have used similar techniques. One of my favorites is to create an HTML file and rename it with a .doc extension. The file will open, and if done correctly, will look exactly like an MS Word document. However, there are a couple of nice perks.

First, some HTML commands will work. You can embed a hotlink to an image on the web, and the computer will automatically pull it. This is useful for SPAM and such.

Additionally, you can embed ActiveX. The ActiveX will autoexecute in the context of the localhost — which is lovely. We’ve been fuzzing those controls. :)
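
A defender-side check for the two mismatches described above, as an added example that is not part of the original post: it flags a .gif that also carries a ZIP/JAR archive, and a .doc whose bytes are HTML rather than a binary Word file (noting any remote image reference or object tag). The function names, finding labels and sample bytes are constructed for illustration.

```python
import io
import re
import zipfile

GIF_MAGIC = (b"GIF87a", b"GIF89a")
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # binary .doc (OLE2) header
ZIP_EOCD = b"PK\x05\x06"                         # ZIP end-of-central-directory
HTML_HINT = re.compile(rb"<\s*(!doctype\s+html|html|head|body)\b", re.I)
REMOTE_IMG = re.compile(rb"<\s*img\b[^>]*\bsrc\s*=\s*[\"']?https?://", re.I)
OBJECT_TAG = re.compile(rb"<\s*object\b", re.I)

def inspect(name, data):
    """Return findings where the content disagrees with the extension."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    findings = []
    if ext == "gif" or data.startswith(GIF_MAGIC):
        # ZIP/JAR readers locate the archive from the end of the file, so an
        # EOCD record in the last 22 + 65535 bytes means it also parses as one.
        if ZIP_EOCD in data[-65557:]:
            findings.append("gif-with-zip-archive")
        if ext == "gif" and not data.startswith(GIF_MAGIC):
            findings.append("gif-extension-without-gif-header")
    if ext == "doc" and not data.startswith(OLE2_MAGIC):
        if HTML_HINT.search(data[:4096]):
            findings.append("doc-extension-with-html-content")
            if REMOTE_IMG.search(data):
                findings.append("remote-image-reference")
            if OBJECT_TAG.search(data):
                findings.append("object-tag")
    return findings

def constructed_samples():
    """Constructed test inputs; none of these bytes come from the post."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    jar = buf.getvalue()
    gif = b"GIF89a\x01\x00\x01\x00\x00\x00\x00;"  # header only, not a real image
    html = (b'<html><body><img src="http://img.example/x.png">'
            b'<object classid="clsid:PLACEHOLDER"></object></body></html>')
    return {"photo.gif": gif, "combined.gif": gif + jar,
            "renamed.gif": jar, "report.doc": html,
            "real.doc": OLE2_MAGIC + b"\x00" * 64}

if __name__ == "__main__":
    for fname, blob in constructed_samples().items():
        print(fname, inspect(fname, blob) or "ok")
```

The same checks fit a mail gateway or upload handler, where the extension is attacker-chosen and only the bytes can be trusted.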

3 Responses to “Mixing File Types”

  1. Anon H4ck3r says:

    AWESOME STUFF
    thanx so much

  2. Sky says:

    Prove it. For spamming a site and having very little to say, you do sound pretty stupid. There are security features like Security Settings for AX controls in Word. And the same goes for the HTML pull down, it only allows picture pull downs on trusted or “ok’d” docs…. So if you click ok it’s your own stupid fault.

    • admin says:

      Just FYI on ActiveX: yes, a user will be presented with a signed control and will have to click to use it. In my experience they do so over 60% of the time. I’m good with that.

      As to Word documents, if the macro is signed it will execute in the default setting without prompting. CANVAS has this feature built in.
