Reverse Engineering of Word Document Honeyfiles
When threat actors gain initial access to a targeted computer or organizational network, they typically search for sensitive documents, most often Excel files, Word documents, or PDFs. In response, security researchers create honeyfiles that mimic these types of documents to track or detect intrusions within the network. These decoy documents are used as traps to catch unauthorized access attempts.
Now, you might think that using tools like oleid, olevba, oleobj, olemeta, or even exiftool would help analyze these files. However, in this particular case, they’re often not useful :)
So instead, I’ll guide you through a simpler but more stealthy method to extract the token embedded in a honeypot document, also known as a canary token.
I’ll share a screenshot to better demonstrate why oletools aren't effective in our case.
So, what can actually be useful in our case? Surprisingly, the answer is something as simple as 7-Zip, WinRAR, and Notepad! Yes, really. Sometimes working as a security researcher and discovering interesting things is more about having the right mindset than relying on a complex set of tools. :)
Alright, let’s begin the actual operation. First, open WinRAR and navigate to the directory where the Word document honeyfile is located. Once you find the file, simply right-click on it and choose “Extract to…” to unpack its contents. After extraction, go into the newly created folder to explore its internal structure.
Result:
Now, open the “word” folder that appeared after extraction. Inside it, navigate to the “_rels” subfolder. In that folder, locate the file named footer2.xml.rels, right-click on it, and choose “Edit with Notepad.” Once opened, take a look and you’ll see the hidden value or token embedded inside, which is part of how the honeyfile (or canarytoken) works. :)
Result:
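The same check done in a few lines of Python, as an added example that is not part of the original post: a .docx is just a zip, so the script walks every .rels part inside it and lists the relationships whose TargetMode is External, which is where a footer's remote image (the canary URL) is declared. Useful for verifying that your own honeyfiles still carry their token, or for triaging an attachment that may beacon out when opened. The document it scans is constructed in the script with a placeholder URL.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationships namespace used by every *.rels part in a .docx
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"


def external_relationships(docx):
    """List every relationship in the .docx whose target is external.

    docx may be a path or a file-like object. Each part's relationships live
    in a _rels/<part>.rels file; entries with TargetMode="External" point
    outside the package, e.g. a footer image fetched from a remote server.
    """
    found = []
    with zipfile.ZipFile(docx) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    found.append({
                        "part": name,
                        "id": rel.get("Id"),
                        # keep only the last path segment of the type URI, e.g. "image"
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target"),
                    })
    return found


def build_sample_docx():
    """Constructed minimal package (not a real honeyfile): one internal
    relationship plus a footer whose image is loaded from a placeholder URL."""
    hdr = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    ns = 'xmlns="http://schemas.openxmlformats.org/package/2006/relationships"'
    rel_type = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
    doc_rels = (f'{hdr}<Relationships {ns}><Relationship Id="rId1" '
                f'Type="{rel_type}footer" Target="footer2.xml"/></Relationships>')
    footer_rels = (f'{hdr}<Relationships {ns}><Relationship Id="rId1" '
                   f'Type="{rel_type}image" TargetMode="External" '
                   'Target="https://canary.example.invalid/PLACEHOLDER-TOKEN.png"/>'
                   '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/_rels/document.xml.rels", doc_rels)
        z.writestr("word/_rels/footer2.xml.rels", footer_rels)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for hit in external_relationships(build_sample_docx()):
        print(f'{hit["part"]}: {hit["type"]} {hit["id"]} -> {hit["target"]}')
```

Pass a real file path instead of build_sample_docx() to scan a document on disk; the internal footer relationship in document.xml.rels is deliberately not reported.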