Vulnerability Development mailing list archives

A possible VBS transport?


From: timothy.miller () AFIWC01 AF MIL (Timothy J. Miller)
Date: Fri, 19 May 2000 08:18:08 -0500


I noticed something while screwing around on some web sites last
night.

One site used a frameset with a null frame, which I've found to be not
uncommon.  However, when looking at this file (served up dutifully as
text/html), it contained a basic HTML header (essentially a BASE HREF
tag) and the remainder was binary data that turned out to be a Word 97
document with a script that opened a popup containing a bunch of
click-through ads (again, not uncommon).

Of course, Word happily renders HTML.  Also of course, OLE allows the
browser to invoke Office components to display embedded Office files
(if you recall the Russian New Year exploit from a couple of years
ago).

My thinking turns to what one could do with any kind of script embedded in
this HTML-cum-Word document.  Could this be used to transport
macro/VBS viruses?  It has the potential to evade the user-side
decision to open an attachment.  Personally, I've never seen this kind
of thing before, but I typically keep myself clear of MS-related
activities.

Has anyone done any work in this regard, or seen anything related?  Or
am I completely off-base?
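
A defender-side check for the pattern described in the message, as an added example that is not part of the original post: it flags a response declared as text/html whose body carries an OLE2 compound file header (the container format used by Word 97 documents) after an HTML prefix. The function name and all sample bytes are constructed for illustration.

```python
import re
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # Compound File Binary signature
HTML_TAG = re.compile(rb"<\s*(html|head|base|body|frameset)\b", re.I)

def find_ole_in_html(content_type, body):
    """Return a finding dict if a response declared as HTML contains an
    OLE2 compound file header; return None otherwise."""
    if content_type.split(";")[0].strip().lower() != "text/html":
        return None
    pos = body.find(OLE2_MAGIC)
    while pos != -1:
        hdr = body[pos:pos + 34]
        if len(hdr) == 34:
            # Header fields at offset 24: minor ver, major ver, byte order,
            # sector shift, mini sector shift (all little-endian uint16).
            _minor, major, bom, sector_shift, _mini = struct.unpack_from("<5H", hdr, 24)
            # Requiring a plausible header avoids matching stray magic bytes.
            if bom == 0xFFFE and (major, sector_shift) in ((3, 9), (4, 12)):
                return {
                    "offset": pos,
                    "cfb_major_version": major,
                    "html_prefix": bool(HTML_TAG.search(body[:pos])),
                }
        pos = body.find(OLE2_MAGIC, pos + 1)
    return None

def constructed_cfb_header():
    # Constructed minimal header: signature, zero CLSID, version 3 fields, padding.
    return OLE2_MAGIC + bytes(16) + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + bytes(478)

# Constructed samples (not captured traffic).
SAMPLE_HYBRID = (b'<html><head><base href="http://example.invalid/"></head>\n'
                 + constructed_cfb_header())
SAMPLE_CLEAN = b"<html><body>plain page</body></html>"
SAMPLE_STRAY = b"<html>" + OLE2_MAGIC + b"not a header" + bytes(40)

if __name__ == "__main__":
    for name, body in [("hybrid", SAMPLE_HYBRID), ("clean", SAMPLE_CLEAN),
                       ("stray", SAMPLE_STRAY)]:
        print(name, find_ole_in_html("text/html; charset=iso-8859-1", body))
```
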

