Malware disguised as Word documents is being distributed via KakaoTalk group chats, using Template Injection to pull remote content from cleverly disguised URLs. Users are urged to verify sources and keep Office updated to avoid infection. #Kimsuky #TemplateInjection
Key points
- The attack uses OOXML Word documents and relies on the Template Injection feature to load external content.
- The external template is referenced from the document's relationships (.rels) part by an entry of type attachedTemplate whose target is an external URL.
- Malicious domains and URLs are disguised to resemble legitimate Office-related domains (e.g., ms-office.services, ms-offices.com, offices.word-template.net).
- Filenames of the malicious Word documents reference topics like North Korea, Xi Jinping’s Third Term, or diplomatic security, and are distributed across multiple days.
- Indicators of Compromise include a specific MD5 hash and several C2/download URLs associated with the campaign.
- Users are advised to update to the latest Office version and confirm file senders before opening forwarded documents from unknown sources.
MITRE Techniques
- [T1221] Template Injection – Word loads an external template via an attachedTemplate relationship to fetch remote content. Quote: [‘The Template Injection feature was used in the attack.’]
- [T1573] Masquerading – The attacker disguises the external URL to resemble legitimate domains. Quote: [‘the address used for the external URL has become very similar to the normal URL.’]
- [T1105] Ingress Tool Transfer – The document downloads additional payload from remote URLs (e.g., templates-for-word/download?id=…). Quote: [‘hxxps://ms-office[.]services/templates-for-word/download?id=79B9●●●I9RWT’]
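As an added illustration (not code from the ASEC write-up), the Python scanner below shows where the attachedTemplate relationship described above lives inside an OOXML package and how a defender can flag external targets before a document is opened. The minimal .docx it builds and the ms-office.example host are constructed placeholders, not the campaign's indicators; the lookalike check is a triage heuristic, and any external attachedTemplate deserves review.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Hosts Microsoft itself uses; anything else carrying an Office-themed name is suspect.
TRUSTED_SUFFIXES = ("microsoft.com", "office.com", "office.net", "live.com")
BRAND_TOKENS = ("office", "word", "openxmlformat")


def find_external_templates(docx_bytes):
    """Return (rels_part, target) for every attachedTemplate relationship
    whose TargetMode is External, scanning every .rels part in the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(z.read(name))
            except ET.ParseError:
                continue  # malformed part: nothing Word could resolve here
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if (rel.get("Type") == ATTACHED_TEMPLATE
                        and rel.get("TargetMode") == "External"):
                    hits.append((name, rel.get("Target")))
    return hits


def looks_like_office_lookalike(url):
    """True when the host borrows Office branding but is not a Microsoft domain."""
    host = (urlparse(url).hostname or "").lower()
    trusted = any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)
    return not trusted and any(tok in host for tok in BRAND_TOKENS)


def build_sample_docx(template_url):
    """Constructed minimal .docx (not a real sample) with an external attachedTemplate."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/settings.xml",
                   '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                   'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                   '<w:attachedTemplate r:id="rId1"/></w:settings>')
        z.writestr("word/_rels/settings.xml.rels",
                   f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                   f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" TargetMode="External"/>'
                   '</Relationships>')
    return buf.getvalue()
```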
Indicators of Compromise
- [MD5] MD5 hash of the malicious file – d698fccf14f670595442155395f42642
- [Domain] Command-and-control / download domains – ms-office[.]services, ms-offices[.]com, offices.word-template[.]net, schemas.openxmlformat[.]org
- [URL] Download links used in the attack – hxxps://ms-office[.]services/templates-for-word/download?id=79B9●●●I9RWT, hxxps://ms-office[.]services/templates-for-word/download?id=V2BX●●●WE1A
- [URL] Additional disguised/related domains – hxxps://ms-offices[.]com/templates-for-word/download?id=ZQ9H●●●YP8G
- [File name] Names resembling geopolitical topics (e.g., International Legal Review of the Northern Limit Line Issue and.docx)
Read more: https://asec.ahnlab.com/en/42554/