<\/p>\n
You probably know what are the Russian or Matryoshka dolls. It’s a set\u00a0of wooden\u00a0dolls\u00a0of decreasing size placed one inside another[1<\/a>]. I found an interesting Microsoft Office document\u00a0that behaves like this. There was a big decrease in malicious Office documents\u00a0due to the\u00a0new Microsoft rules to prevent automatic VBA macros execution. But they remain used, especially RTF documents that exploits the good %%cve:2017-11882%%.<\/p>\n The document (SHA256:8437cf40bdd8b005b239c163e774ec7178195f0b80c75e8d27a773831479f68f) that I found uses\u00a0another technique to prevent the RTF document to be spread directly to the victim. The RTF document is placed into the OOXML document:<\/p>\n The file is referenced in the Word document:<\/p>\n The RTF document contains a shellcode that triggers the Equation Editor exploit. The next payload is C:Usersuser01AppDataLocalTemplicense.ini. It’s a DLL (SHA256:d8ed658cc3d0314088cf8135399dbba9511e7f117d5ec93e6acc757b43e58dbc) that is invoked with the following function: IEX<\/p>\n You can see the special characters used as parameters to the function here:<\/p>\n This DLL is pretty well obfuscated, I’l still having a look at it but the malware family is not sure… Maybe another Formbook.<\/p>\n [1]\u00a0https:\/\/en.wikipedia.org\/wiki\/Matryoshka_doll<\/a><\/p>\n Xavier Mertens (@xme) (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n \t\nremnux@remnux:~\/malwarezoo\/20251113$ zipdump.py mexico_november_po.docx\nIndex Filename Encrypted Timestamp\n1 _rels\/ 0 2025-10-22 21:55:10\n2 docProps\/ 0 2025-10-22 21:55:10\n3 word\/ 0 2025-11-12 02:58:50\n4 [Content_Types].xml 0 2025-10-22 21:55:22\n5 docProps\/app.xml 0 1980-01-01 00:00:00\n6 docProps\/core.xml 0 1980-01-01 00:00:00\n7 word\/_rels\/ 0 2025-10-22 21:55:10\n8 word\/theme\/ 0 2025-10-22 21:55:10\n9 word\/document.xml 0 2025-11-12 02:59:04\n10 word\/endnotes.xml 0 1980-01-01 00:00:00\n11 word\/Engaging.rtf 0 2025-11-12 02:58:34<\/span>\n12 word\/fontTable.xml 0 1980-01-01 00:00:00\n13 word\/footer1.xml 0 1980-01-01 00:00:00\n14 word\/footnotes.xml 0 1980-01-01 00:00:00\n15 word\/numbering.xml 0 1980-01-01 00:00:00\n16 word\/settings.xml 0 1980-01-01 00:00:00\n17 word\/styles.xml 0 1980-01-01 00:00:00\n18 word\/webSettings.xml 0 1980-01-01 00:00:00\n19 word\/theme\/theme1.xml 0 1980-01-01 00:00:00\n20 word\/_rels\/document.xml.rels 0 2025-11-12 02:58:58\n21 word\/_rels\/settings.xml.rels 0 1980-01-01 00:00:00\n22 _rels\/.rels 0 1980-01-01 00:00:00<\/pre>\n\nremnux@remnux:~\/malwarezoo\/20251113$ zipdump.py mexico_november_po.docx -s 20 -d | grep Engaging.rtf\n<Relationships xmlns=\"http:\/\/schemas.openxmlformats.org\/package\/2006\/relationships\">\n...\n<Relationship Type=\"http:\/\/schemas.openxmlformats.org\/officeDocument\/2006\/relationships\/aFChunk\" Target=\"\/word\/Engaging.rtf<\/span>\" Id=\"YAjq8U<\/span>\"\/>\n<\/Relationships>\n\nremnux@remnux:~\/malwarezoo\/20251113$ zipdump.py mexico_november_po.docx -s 9 -d | grep YAjq8U\n<w:document xmlns:wpc=\u201chttp:\/\/schemas.microsoft.com\/office\/word\/2010\/wordprocessingCanvas\u201d \n...\n<w:body><w:altChunk r:id=\u201cYAjq8U<\/span>\u201d\/>\n...\n<\/w:document><\/pre>\n\nCmD.exe \/C rundll32 %tmp%license.ini,IEX Ax12x0cC<\/pre>\n
![\"\"](\"https:\/\/i0.wp.com\/isc.sans.edu\/diaryimages\/images\/isc-20251114-1.png?ssl=1\")
<\/p>\n
\nXameco
\nSenior ISC Handler – Freelance Cyber Security Consultant
\nPGP Key<\/a><\/p>\n
\n
<\/BR><\/p>\n