{"id":197198,"date":"2022-07-19T11:15:40","date_gmt":"2022-07-19T09:15:40","guid":{"rendered":"http:\/\/sftarticles.wpenginepowered.com\/en\/?p=197198"},"modified":"2025-07-01T20:34:36","modified_gmt":"2025-07-02T03:34:36","slug":"malware-scams-popping-up-in-opendocuments","status":"publish","type":"post","link":"https:\/\/cms-articles.softonic.io\/en\/malware-scams-popping-up-in-opendocuments\/","title":{"rendered":"Malware scams popping up in OpenDocuments"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">OpenOffice is a great free alternative to <a href=\"https:\/\/microsoft-365.en.softonic.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft 365<\/a> and <a href=\"https:\/\/google-workspace.en.softonic.com\/web-apps\" target=\"_blank\" rel=\"noreferrer noopener\">Google Workspace<\/a>. It is a fully featured productivity suite of programs complete with a word processor, spreadsheet app, database program and more. Furthermore, you can download the apps, so you don\u2019t even need access to the internet to work them. The OpenDocument format is kind of like OpenOffice\u2019s file format, but as you\u2019d imagine from the name it has been built to work across a variety of different programs. This broad compatibility, however, has attracted scammers as today <strong>we are here today to warn you about a new malware scam found in infected OpenDocuments<\/strong>.<\/p>\n\n\n<div class=\"sc-card-program\">\r\n  <div class=\"sc-card-program__body\">\r\n    <div class=\"sc-card-program__row clearfix\">\r\n      <div class=\"sc-card-program__col-logo\">\r\n        <img decoding=\"async\" class=\"sc-card-program__img\" alt=\"OpenOffice\" src=\"https:\/\/images.sftcdn.net\/images\/t_app-logo-xl,f_auto\/p\/09b0478a-96d2-11e6-a3af-00163ec9f5fa\/2432148867\/openoffice-logo.png\" width=\"100px\" height=\"100px\">\r\n      <\/div>\r\n      <div class=\"sc-card-program__col-title\">\r\n        <span class=\"sc-card-program__title\">OpenOffice<\/span>\r\n        <a class=\"sc-card-program__button sc-card-program-internal\" href=\"https:\/\/openoffice.en.softonic.com\/\" target=\"_self\" rel=\"noopener noreferrer\">Download Now<\/a>\r\n      <\/div>\r\n      <div class=\"sc-card-program__col-rating\">\r\n        <svg class=\"rating-score__content\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" version=\"1.1\" x=\"0\" y=\"0\" viewbox=\"0 0 50 50\" enable-background=\"new 0 0 50 50\" xml:space=\"preserve\"><path class=\"rating-score__background rating-score--good\" fill=\"none\" stroke-width=\"6\" stroke-miterlimit=\"10\" d=\"M40 40c8.3-8.3 8.3-21.7 0-30s-21.7-8.3-30 0 -8.3 21.7 0 30\"><\/path><path class=\"rating-score__value rating-score__value--0\" fill=\"none\" stroke-width=\"6\" stroke-dashoffset=\"0\" stroke-miterlimit=\"10\" d=\"M40 40c8.3-8.3 8.3-21.7 0-30s-21.7-8.3-30 0 -8.3 21.7 0 30\"><\/path><text class=\"rating-score__number\" content=\"\" text-anchor=\"middle\" transform=\"matrix(1 0 0 1 25 31.0837)\" data-auto=\"app-user-score\"><\/text><\/svg>\r\n      <\/div>\r\n    <\/div>\r\n    <div class=\"sc-card-program__row\">\r\n      <span class=\"sc-card-program__description\"><\/span>\r\n    <\/div>\r\n    <div class=\"sc-card-program__row\">\r\n      <img decoding=\"async\" class=\"sc-card-program__bigpic\" src=\"\" onerror=\"this.style.display='none'\">\r\n    <\/div>\r\n    <a class=\"sc-card-program__link track-link sc-card-program-internal\" href=\"https:\/\/openoffice.en.softonic.com\/\" target=\"_self\" rel=\"noopener noreferrer\"><\/a>\r\n  <\/div>\r\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">HP\u2019s in-house threat research team, HP Wolf Security has <a href=\"https:\/\/threatresearch.ext.hp.com\/stealthy-opendocument-malware-targets-latin-american-hotels\/\" target=\"_blank\" rel=\"noreferrer noopener\">announced<\/a> that they have been tracking a <strong>phishing scam involving OpenDocument text files<\/strong> since June.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The scammers have been d<strong>istributing these infected files, disguised guest registration documents, to a series of hotels in Latin America<\/strong>. According to HP Wolf Security, when the victims open these files, they are prompted with a message to update fields from other files and clicking to confirm this <strong>cryptic message opens up an Excel file<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">From there, <strong>the user is asked to activate macros<\/strong>, and when they do that, the trouble really starts. Macros have long been <a href=\"https:\/\/microsoft-office-2007.en.softonic.com\/articles\/microsoft-announces-its-disabling-macros-to-protect-office-apps-from-malware-attacks\" target=\"_blank\" rel=\"noreferrer noopener\">a security vulnerability in Excel<\/a>, so much so that Microsoft has moved to disable them recently in a bid to close it off. Antivirus programs usually catch infected Macros, but this isn\u2019t the case inside of OpenDocuments. HP Wolf Security says:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>\u201cUnlike many malicious documents, analyzing the OpenDocument file reveals no hidden macros. However, the document references Object Linking and Embedding (OLE) objects hosted remotely, as shown in the styles.xml file. The document references 20 documents hosted on the same domain, webnar[.]info.\u201d<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It is unusual for hackers to use OpenDocuments in this way, but it does seemingly offer clear advantages to their cause. <strong>Once the victim as activated the Macros, they get infected with AsyncRAT<\/strong>, a remote access trojan malware. The analysts go to say:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>\u201cDocuments that arrive from outside an organization should always be treated with suspicion, especially if they try to load external content from the web \u2013 but in practice this isn\u2019t always straightforward advice to follow, especially in industries that rely on exchanging electronic documents between suppliers and clients.\u201d<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This may be difficult in practice for hoteliers or other public-facing companies to follow, but if you are running a hotel reservations department, you could do worse than printing off a copy of our <a href=\"https:\/\/en.softonic.com\/articles\/how-to-detect-fakescam-emails-and-avoid-phishing-attacks-hi-res-version\" target=\"_blank\" rel=\"noreferrer noopener\">anti-phishing infographic<\/a> and putting it up in your office.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Image via: <a href=\"https:\/\/threatresearch.ext.hp.com\/stealthy-opendocument-malware-targets-latin-american-hotels\/\" target=\"_blank\" rel=\"noreferrer noopener\">HP Threat Research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OpenOffice is a great free alternative to Microsoft 365 and Google Workspace. It is a fully featured productivity suite of programs complete with a word processor, spreadsheet app, database program and more. Furthermore, you can download the apps, so you don\u2019t even need access to the internet to work them. The OpenDocument format is kind &hellip; <a href=\"https:\/\/cms-articles.softonic.io\/en\/malware-scams-popping-up-in-opendocuments\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Malware scams popping up in OpenDocuments&#8221;<\/span><\/a><\/p>\n","protected":false},"author":9073,"featured_media":197202,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","wpcf-pageviews":1},"categories":[1015],"tags":[2648],"usertag":[],"vertical":[],"content-category":[],"class_list":["post-197198","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-app-subdomain-redirectionopenoffice"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/197198","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/users\/9073"}],"replies":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/comments?post=197198"}],"version-history":[{"count":1,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/197198\/revisions"}],"predecessor-version":[{"id":323505,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/posts\/197198\/revisions\/323505"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/media\/197202"}],"wp:attachment":[{"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/media?parent=197198"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/categories?post=197198"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/tags?post=197198"},{"taxonomy":"usertag","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/usertag?post=197198"},{"taxonomy":"vertical","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/vertical?post=197198"},{"taxonomy":"content-category","embeddable":true,"href":"https:\/\/cms-articles.softonic.io\/en\/wp-json\/wp\/v2\/content-category?post=197198"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}