Stealthy OpenDocument Malware Deployed Against Latin American Hotels

In late June 2022, HP Wolf Security isolated an unusually stealthy malware campaign that used OpenDocument text (.odt) files to distribute malware. OpenDocument is an open, vendor-neutral file format compatible with several popular office productivity suites, including Microsoft Office, LibreOffice and Apache OpenOffice. As described in a blog post by Cisco Talos, the campaign targets the hotel industry in Latin America. The targeted hotels are contacted by email with fake booking requests. In the case below, the attached document was purportedly a guest registration document.

Figure 1 – Email lure making a booking request.

Infection chain

The malicious document was sent as an email attachment. If the user opens it, they are shown a prompt asking whether fields that reference other files should be updated. If they click ‘Yes’ to this cryptic message, an Excel file opens.

Figure 2 – OpenDocument file asking to update fields in the document.

Afterwards, the user is shown another prompt asking whether macros should be enabled or disabled. If the user enables macros, the infection chain is triggered, eventually leading to the execution of the malware payload, AsyncRAT.

Figure 3 – Excel spreadsheet asking the user to enable macros.

It’s interesting to see OpenDocument files being used to distribute malware because we seldom see malware in the wild that uses this file format. Strikingly, the document used in the campaign is poorly detected by anti-virus scanners, with a 0% detection rate on VirusTotal as of 7 July.

Figure 4 – OpenDocument VirusTotal detection.

Unlike many malicious documents, the OpenDocument file contains no hidden macros. However, it references Object Linking and Embedding (OLE) objects hosted remotely, as shown in its styles.xml file. The document references 20 documents hosted on the same domain, webnar[.]info.

Figure 5 – OpenDocument referencing external document.

When the document is opened and the user accepts the prompt to update fields, these referenced files are downloaded and opened. Based on our analysis, the same document is always downloaded, and it contains no macro code. However, the downloaded document contains ten embedded Excel spreadsheets. Each of these Excel files opens in turn and asks the user whether macros should be enabled (the prompt shown in Figure 3). It is unclear what purpose is served by opening so many duplicate files.

Figure 6 – Externally referenced Word document contains 10 Excel files.
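Both package-level traits described above (remote OLE references inside the .odt, and an unusual number of embedded spreadsheets inside the fetched Word document) can be checked statically, without opening the file in an office suite. The Python script below is an added example written for this page, not HP Wolf Security's tooling: it unzips an ODF or OOXML container, lists xlink:href targets in content.xml and styles.xml that point outside the package, counts parts under an embeddings/ folder, and notes whether a vbaProject.bin stream is present. The sample documents it builds in memory are constructed for the demonstration (example.invalid stands in for the campaign domain), and the threshold of five embedded objects is an assumed tuning value, not a figure from the analysis.

```python
"""Static triage of ODF / OOXML containers for remote references, embedded
objects and VBA projects.  Added example; the sample files are constructed
in memory and the URLs in them are placeholders, not campaign indicators."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ODF_XML_PARTS = ("content.xml", "styles.xml")   # body, and header/footer styles
REMOTE_RE = re.compile(r"^(https?://|ftp://|file:|\\\\)", re.I)
MANY_EMBEDDED = 5  # assumed threshold: more embedded objects than this is odd


def odf_external_refs(data: bytes) -> list[str]:
    """Return xlink:href targets in the ODF XML streams that leave the package.
    ODF stores linked OLE objects as <draw:object xlink:href="..."/>; a URL or
    UNC target is fetched when the user agrees to update fields."""
    refs = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for part in ODF_XML_PARTS:
            if part not in z.namelist():
                continue
            for el in ET.fromstring(z.read(part)).iter():
                href = el.get(XLINK_HREF)
                if href and REMOTE_RE.match(href):
                    refs.append(href)
    return refs


def ooxml_inventory(data: bytes) -> dict:
    """List embedded objects and detect a VBA project in an OOXML package."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
    return {
        "embedded": [n for n in names if "/embeddings/" in n],
        "has_vba": any(n.lower().endswith("vbaproject.bin") for n in names),
    }


def triage(data: bytes) -> dict:
    """Classify the container and flag the traits seen in this campaign."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
    if "mimetype" in names:              # ODF packages carry a mimetype entry
        fmt = "odf"
    elif "[Content_Types].xml" in names:  # OOXML packages carry content types
        fmt = "ooxml"
    else:
        fmt = "unknown"
    result = {"format": fmt, "external_refs": [], "embedded": [], "has_vba": False}
    if fmt == "odf":
        result["external_refs"] = odf_external_refs(data)
    elif fmt == "ooxml":
        result.update(ooxml_inventory(data))
    result["suspicious"] = (
        bool(result["external_refs"])
        or result["has_vba"]
        or len(result["embedded"]) > MANY_EMBEDDED
    )
    return result


# --- constructed samples (not the campaign's files) -------------------------

def build_sample_odt(n_refs: int = 20) -> bytes:
    """Minimal .odt whose styles.xml links n_refs remote OLE objects."""
    objects = "".join(
        f'<draw:object xlink:type="simple" '
        f'xlink:href="http://example.invalid/docs/{i}.docx"/>'
        for i in range(n_refs)
    )
    styles = (
        '<office:document-styles '
        'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
        'xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" '
        'xmlns:xlink="http://www.w3.org/1999/xlink">'
        f"<office:master-styles><draw:frame>{objects}</draw:frame>"
        "</office:master-styles></office:document-styles>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("mimetype", "application/vnd.oasis.opendocument.text")
        z.writestr("content.xml", '<office:document-content xmlns:office='
                   '"urn:oasis:names:tc:opendocument:xmlns:office:1.0"/>')
        z.writestr("styles.xml", styles)
    return buf.getvalue()


def build_sample_docx(n_embedded: int = 10, with_vba: bool = False) -> bytes:
    """Minimal .docx carrying n_embedded spreadsheet objects."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        for i in range(1, n_embedded + 1):
            z.writestr(f"word/embeddings/Microsoft_Excel_Worksheet{i}.xlsm", b"")
        if with_vba:
            z.writestr("word/vbaProject.bin", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [("lure.odt", build_sample_odt()),
                        ("fetched.docx", build_sample_docx())]:
        print(label, triage(blob))
```

Run against a real sample, `odf_external_refs` is the check that matters for this campaign: an .odt with no macros but twenty http:// targets in styles.xml is exactly what anti-virus scanners missed here. The embedded-object count and vbaProject.bin check cover the second stage, where the fetched Word document carries the macro-bearing spreadsheets.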

The Visual Basic for Applications (VBA) macro inside the Excel documents is lean: it runs a command via mshta.exe (MITRE ATT&CK T1218.005), a tool built into Windows, which downloads and executes additional code from the web.

Figure 7 – VBA macro code within the Excel document.

At this point, a complex chain of PowerShell, VBScript and batch scripts is started, finally decoding and executing AsyncRAT, an open-source remote access trojan written in C#. A scheduled task is created to make the malware persistent on the infected PC; it re-launches the malware every two hours. The significant part of this infection chain is how the attacker evaded detection by relying on the OpenDocument format to load malware using external OLE objects.

Figure 8 – Complex infection chain leading to AsyncRAT.

Links to other campaign activity

To see if the same lure was used in other campaigns, we compared the images in the malicious document to a corpus of historical malicious document images from the last three years.

Figure 9 – Campaign using the same lure image.

In July, another malicious document was spotted in the wild that contained the logo of a legitimate organization mimicked by the threat actor. The main difference between the two campaigns is that the second one relied on Microsoft Word documents instead of OpenDocument files. Interestingly, the detection rate of the malicious Microsoft Word document is far higher than the OpenDocument file.

Figure 10 – Detection rate of Microsoft Word document on VirusTotal.

Both campaigns used the same lure and targeted Latin American hotels by email. Based on the targeted organizations and the lure languages (Portuguese and Spanish), we found evidence of similar activity that has been ongoing for several months.


Attackers are always hunting for stealthy ways of delivering malware that evades endpoint security. This campaign illustrates how OpenDocument text files can be abused to deliver malware through external OLE references with extremely low detection rates. Documents that arrive from outside an organization should always be treated with suspicion, especially if they try to load external content from the web. In practice this isn’t always straightforward advice to follow, especially in industries that rely on exchanging electronic documents between suppliers and clients. However, HP Wolf Security isolates high-risk tasks like opening email attachments inside secure micro-virtual machines, an approach that does not rely on detection, and this stopped the malware in this campaign from infecting the host system.

Indicators of Compromise

OpenDocument files:
Relação de Hospedes HPLUS.odt (English translation: “Guest List HPLUS.odt”):

Microsoft Word document

Externally referenced Word document:

Embedded Excel files:

Domains hosting malware stages:
