Infostealer Embedded in a Word Document


When attackers design malicious documents, one of their challenges is to make the potential victim confident to perform dangerous actions: click on a link, disable a security feature, etc. The best example is probably VBA macros in Microsoft Office documents. Disabled by default, the attacker must make the user confident to enable them by clicking on the “yellow ribbon” on top of the document.

Yesterday I found a malicious document that implements another approach. The SHA256 is c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12 and the VT score is 27/59. The document has an embedded object:

remnux@remnux:/MalwareZoo/20230503$ c2d55f54c26d6f73908c7138e999fadcb9a8617fea8f56cee943f93956adfa12.doc
  1:       113 '\x01CompObj'
  2:       280 '\x05DocumentSummaryInformation'
  3:       408 '\x05SummaryInformation'
  4:      2607 '1Table'
  5:      4096 'Data'
  6:        76 'ObjectPool/_1567188875/\x01CompObj'
  7: O  674329 'ObjectPool/_1567188875/\x01Ole10Native'
  8:         6 'ObjectPool/_1567188875/\x03ObjInfo'
  9:      4142 'WordDocument'