{
	"id": "bbca1ffc-faf1-4070-802e-68f2789b6811",
	"created_at": "2026-04-06T00:11:11.974325Z",
	"updated_at": "2026-04-10T03:20:43.882799Z",
	"deleted_at": null,
	"sha1_hash": "bd9eb07d9961e7ce8a0ad66bbc6c5cb83d8d0e45",
	"title": "Stealthy OpenDocument Malware Deployed Against Latin American Hotels | HP Wolf Security",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 855581,
	"plain_text": "Stealthy OpenDocument Malware Deployed Against Latin American Hotels | HP Wolf Security\r\nBy Patrick Schläpfer\r\nPublished: 2022-07-15 · Archived: 2026-04-05 20:16:56 UTC\r\nIn late June 2022, HP Wolf Security isolated an unusually stealthy malware campaign that used OpenDocument\r\ntext (.odt) files to distribute malware. OpenDocument is an open, vendor-neutral file format compatible with\r\nseveral popular office productivity suites, including Microsoft Office, LibreOffice and Apache OpenOffice. As\r\ndescribed in a blog post by Cisco Talos, the campaign targets the hotel industry in Latin America. The targeted\r\nhotels are contacted by email with fake booking requests. In the case below, the attached document was\r\npurportedly a guest registration document.\r\nFigure 1 – Email lure making a booking request.\r\nInfection chain\r\nThe malicious document was sent as an email attachment. If the user opens the document, they are shown a\r\nprompt asking whether fields with references to other files should be updated. An Excel file opens if they click\r\n‘Yes’ to this cryptic message.\r\nhttps://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/#\r\nPage 1 of 7\n\nFigure 2 – OpenDocument file asking to update fields in the document.\r\nAfterwards, the user is shown another prompt asking whether macros should be enabled or disabled. If the user\r\nallows macros, this triggers the infection chain, eventually leading to the execution of the malware payload,\r\nAsyncRAT.\r\nFigure 3 – Excel spreadsheet asking the user to enable macros.\r\nIt’s interesting to see OpenDocument files being used to distribute malware because we seldom see malware in the\r\nwild that uses this file format. 
Strikingly, the document used in the campaign is poorly detected by anti-virus\r\nscanners, with a 0% detection rate on VirusTotal as of 7 July.\r\nFigure 4 – OpenDocument VirusTotal detection.\r\nUnlike many malicious documents, the OpenDocument file reveals no hidden macros on analysis. However, the\r\ndocument references Object Linking and Embedding (OLE) objects hosted remotely, as shown in the styles.xml\r\nfile. The document references 20 documents hosted on the same domain, webnar[.]info.\r\nFigure 5 – OpenDocument referencing external document.\r\nWhen opening the document, these references are downloaded and opened. Based on our analysis, the same\r\ndocument is always downloaded and contains no macro code. However, the downloaded document contains ten\r\nembedded Excel spreadsheets. If the user chose to enable macros at the prompt in Figure 3, each of these Excel\r\nfiles opens and asks the user if macros should be activated. It is unclear what purpose is served by opening so\r\nmany duplicate files.\r\nFigure 6 – Externally referenced Word document contains 10 Excel files.\r\nThe Visual Basic for Applications (VBA) macro inside the Excel documents is lean, running a command using the\r\nmshta.exe (T1218.005) tool built into Windows that downloads and executes additional code from the web.\r\nFigure 7 – VBA macro code within the Excel document.\r\nAt this point, a complex chain of PowerShell, VBScript and batch scripts is started, finally decoding and\r\nexecuting AsyncRAT, an open-source remote access trojan written in C#. A scheduled task is created to make the\r\nmalware persistent on the infected PC. The task re-launches the malware every two hours. 
The significant part of\r\nthis infection chain is how the attacker evaded detection by relying on the OpenDocument format to load malware\r\nusing external OLE objects.\r\nFigure 8 – Complex infection chain leading to AsyncRAT.\r\nLinks to other campaign activity\r\nTo see if the same lure was used in other campaigns, we compared the images in the malicious document to a\r\ncorpus of historical malicious document images from the last three years.\r\nFigure 9 – Campaign using the same lure image.\r\nIn July, another malicious document was spotted in the wild that contained the logo of a legitimate organization\r\nmimicked by the threat actor. The main difference between the two campaigns is that the second one relied on\r\nMicrosoft Word documents instead of OpenDocument files. Interestingly, the detection rate of the malicious\r\nMicrosoft Word document is far higher than that of the OpenDocument file.\r\nFigure 10 – Detection rate of Microsoft Word document on VirusTotal.\r\nBoth campaigns used the same lure and targeted Latin American hotels by email. We found evidence of similar\r\nactivity that has been ongoing for several months based on the targeted organizations and lure languages\r\n(Portuguese and Spanish).\r\nConclusion\r\nAttackers are always hunting for stealthy ways of delivering malware that evades endpoint security. This\r\ncampaign illustrates how OpenDocument text files can be abused to deliver malware through external OLE\r\nreferences with extremely low detection rates. Documents that arrive from outside an organization should always\r\nbe treated with suspicion, especially if they try to load external content from the web – but in practice this isn’t\r\nalways straightforward advice to follow, especially in industries that rely on exchanging electronic documents\r\nbetween suppliers and clients. 
However, since HP Wolf Security works by isolating high-risk tasks like opening\r\nemail attachments inside secure micro-virtual machines that do not rely on detection, it stopped the malware\r\nin this campaign from infecting the host system.\r\nIndicators of Compromise\r\nOpenDocument files:\r\nRelação de Hospedes HPLUS.odt (English translation: “Guest List HPLUS.odt”):\r\n74d8bc5023f8d56e5b9fb46a5da5f1ce7e3e04826ca543274d7f6205866490b9\r\nCNPJ – HPLUS SISTEMA DE ENSINO LTDA.odt\r\nb13ce271e58dff54bccf92dbccc17414af168efc2d47d44554a883ca0b2e8e08\r\nMicrosoft Word document\r\n85007a9921ef08cae11e27944fcf0a1897c78dd9f26b6801f17b3b2f80d8f794\r\nExternally referenced Word document:\r\n598ee4b45b38e5d3485e0d6da9e4369c91c5e9981d869ab4745e4df1f9ac14b2\r\nEmbedded Excel files:\r\nDomains hosting malware stages:\r\nwebnar[.]info\r\nwww.unimed-corporated[.]com\r\nSource: https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/#",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://threatresearch.ext.hp.com/stealthy-opendocument-malware-targets-latin-american-hotels/#"
	],
	"report_names": [
		"#"
	],
	"threat_actors": [],
	"ts_created_at": 1775434271,
	"ts_updated_at": 1775791243,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd9eb07d9961e7ce8a0ad66bbc6c5cb83d8d0e45.pdf",
		"text": "https://archive.orkl.eu/bd9eb07d9961e7ce8a0ad66bbc6c5cb83d8d0e45.txt",
		"img": "https://archive.orkl.eu/bd9eb07d9961e7ce8a0ad66bbc6c5cb83d8d0e45.jpg"
	}
}