{
	"id": "76b372db-7c9e-44f6-be5e-597af3ffe3e1",
	"created_at": "2026-04-06T01:30:08.498471Z",
	"updated_at": "2026-04-10T03:24:29.614598Z",
	"deleted_at": null,
	"sha1_hash": "29a43ab6f13046d760a1bf86bcbdd8517440383c",
	"title": "SYNC-SCHEDULER : A DEDICATED DOCUMENT STEALER - CYFIRMA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4752820,
	"plain_text": "SYNC-SCHEDULER : A DEDICATED DOCUMENT STEALER -\r\nCYFIRMA\r\nArchived: 2026-04-06 01:06:05 UTC\r\nPublished On : 2024-03-27\r\nEXECUTIVE SUMMARY\r\nAt CYFIRMA, we are dedicated to providing current insights into prevalent threats and the strategies used by malicious\r\nactors targeting both organizations and individuals. This in-depth examination focuses on the Sync-Scheduler stealer, a\r\nmalware family that specifically targets documents and has been designed with anti-analysis capabilities.\r\nThe research explores the evasion tactics employed by the threat actor and the steps involved in crafting a resilient\r\nmalware payload. It underscores the adaptive nature of these threats and the need for stronger security controls and\r\nuser vigilance to mitigate the associated risks.\r\nINTRODUCTION\r\nThis study provides a detailed overview of Sync-Scheduler, a malware written in C++ with defense evasion and\r\nanti-analysis capabilities. It covers how Sync-Scheduler works, how it avoids detection, and how its payload is staged and\r\nexecuted. 
It highlights how these threats keep evolving and why better security controls and user awareness are needed to stay safe\r\nfrom such attacks.\r\nhttps://www.cyfirma.com/research/sync-scheduler-a-dedicated-document-stealer/\r\nPage 1 of 18\n\nKEY FINDINGS\r\nThe Sync-Scheduler stealer is distributed as an embedded component of an Office document.\r\nFile nesting is used to hide the malware code within a PowerPoint presentation that is embedded in a Word\r\ndocument.\r\nThe malware code is hidden in the page title of the first slide of the PowerPoint presentation.\r\nThe title of the PowerPoint presentation file contains a fraction of the malware code.\r\nThe malware code is Base64-encoded, and VBA macros leverage the Task Scheduler to decode, write, and execute the\r\nmalware.\r\nSync-Scheduler targets documents in the user directories, e.g. Documents, Downloads and Desktop.\r\nThe target file types are Word documents, Excel spreadsheets, PowerPoint presentations, PDFs and ZIP files.\r\nIt copies the target files into a OneDrive folder under the user’s “AppData\\Roaming” directory and replaces the\r\nextension of each file with a string specific to the file type.\r\nIt exfiltrates the files over the network as form-data.\r\nSync-Scheduler is equipped with anti-analysis capabilities and terminates the process if an analysis environment is\r\ndetected.\r\nThe threat actor associated with Sync-Scheduler has been active since at least November 2023.\r\nAn older version of the malware targets more file types, including images, text, and other compressed archive\r\nformats.\r\nETLM ATTRIBUTION\r\nThe malware author attempted to conceal the primary malware binary under multiple layers of protection: the binary is a\r\nBase64-encoded string hidden in the page title text of the first slide of a PowerPoint presentation, and this presentation\r\nis, in turn, an embedded object in a Word document that is used as the initial vector to 
distribute the malware.\r\nSync-Scheduler (base-64 string) is in the page title text\r\nEmbedded VBA macros in the PowerPoint presentation file decode and execute the malware, leveraging the Task\r\nScheduler for this purpose. This effectively hides the malware in plain sight and helps it evade detection.\r\nThe exfiltrated files are sent to the URL “http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy.php”, which resolves to\r\nthe IP address “146.70.157.120”. This URL has been active since at least November 2023. Although the IP address has\r\nchanged over time, the URL has remained consistent:\r\nWe have identified another (older) version of the malware that communicates with the same URL and has similar\r\ninformation-stealer functionality:\r\nFile name: smsse.exe\r\nMD5: 004101dc501b9de8965e6b45debd07b6\r\nSHA256: 316e01b962bf844c3483fce26ff3b2d188338034b1dbd41f15767b06c6e56041\r\nTime of creation: November 09, 2023\r\nThere are some differences; for example, the older version queries more locations and file types:\r\nTarget locations for older malware\r\nTarget filetypes of older malware\r\nThe domain syncscheduler[.]com has been flagged by only one security vendor, while the IP address currently has no\r\ndetections:\r\nInterestingly, an attempt to browse the URL “http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy.php” with a web\r\nbrowser redirects to the homepage of the Chinese Government website (www[.]gov[.]cn):\r\nNo known threat actor association has been identified for this domain/IP address.\r\nThreat Landscape: From an external threat landscape standpoint, the presence of a document stealer that has\r\nbeen active for at 
least five months and exfiltrates data to a consistent URL (C2) without being noticed indicates a concerning trend.\r\nCYFIRMA’s research team highlights the evolving tactics of threat actors, who are leveraging file nesting in Office\r\ndocuments to hide malware under multiple layers of protection and avoid detection by security tools. This shows why it\r\nis important to stay watchful and to use better detection methods against these changing threats.\r\nANALYSIS OF SYNC-SCHEDULER STEALER\r\nFile Analysis\r\nFile Name China Navy First Training 2024(CN).docx\r\nFile Size 1.81 MB (1895387 bytes)\r\nSigned Not signed\r\nMD5 c1ab783d60cf05636eb4f72d17c6cf1d\r\nSHA-256 2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3\r\nDate Modified March 18, 2024\r\nA Word document serves as the initial vector, and a PPT (PowerPoint presentation) file is embedded in this Word\r\ndocument. The PPT file can be opened by double-clicking the image within the Word document:\r\nThe Word document with embedded PPT file\r\nEmbedded PPT file\r\nEmbedded PowerPoint Presentation File\r\nFile Name Microsoft_PowerPoint_97-2003_Presentation.ppt\r\nFile Size 5.26 MB (5519360 bytes)\r\nSigned Not signed\r\nMD5 39122a2bcf6c360271e8edb503bc2761\r\nSHA-256 203d60fe1ebbfafc835e082774ee56088273d9455fb12ac1de2c1be410cceeec\r\nThe PPT file contains 3 slides and VBA macros:\r\nThe VBA macros contain 5 functions and are password-protected:\r\nProtected VBA macros\r\nThe PPT file has an unusual file modification date, and the title of the file is a long Base64-encoded string, which is\r\nsuspicious:\r\nBEHAVIORAL \u0026 CODE ANALYSIS\r\nThe VBA Macros:\r\nThe first function is used to execute the following two functions:\r\n1st function\r\nThe following VBA macro code checks for a file at the location “C:\\~Microsoft365\\support.txt”. If the file is not found, which\r\nis the case on first execution, it calls the function ‘Textbox_reader’:\r\nIf the file exists (in the case of repeated execution), it shows the following pop-up message:\r\nThe first slide of the PPT file has a hidden Base64-encoded string as its page title, and the title of the file contains a fraction\r\nof this string:\r\nThe Textbox_reader function calls the ‘Test’ function, which creates the folder “C:\\~Microsoft365” as a hidden system\r\ndirectory:\r\nTest function\r\nIt then creates the file support.txt and writes the Base64 string into it:\r\nTextbox_reader function\r\nFinally, the ScheduleTask function creates a scheduled task named windows_updates that runs only once, with a start time\r\nof 11:11. 
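Added example (not code from the report or from CYFIRMA): a Python triage script for the file-nesting technique described in the File Analysis and macro sections above. It opens a .docx as the ZIP package it is, collects the parts Word stores under word/embeddings together with anything the document relationships mark as an OLE object or embedded package, classifies each by its leading bytes rather than its name, and applies a heuristic VBA check. The sample document it builds is constructed for the demonstration; the relationship type URIs are the standard OOXML ones. A legacy .ppt embed like the one analysed here shows up as an OLE compound file, and the macro hint for that case is only a string search for VBA storage names, so a negative result should be followed up with a dedicated tool such as olevba.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OLE2 compound-file signature: legacy .doc/.xls/.ppt and most OLE embeds.
OLE_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')
# Relationship types Word records for embedded objects in document.xml.rels.
OLE_REL = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject'
PKG_REL = 'http://schemas.openxmlformats.org/officeDocument/2006/relationships/package'
RELS_NS = '{http://schemas.openxmlformats.org/package/2006/relationships}'
# Storage names (stored UTF-16LE in the OLE directory) that show a VBA project.
VBA_MARKERS = [s.encode('utf-16-le') for s in ('_VBA_PROJECT', 'VBA_PROJECT_CUR')]


def classify(blob):
    '''Decide what an embedded part is from its leading bytes, never its name.'''
    if blob.startswith(OLE_MAGIC):
        return 'ole-compound'
    if blob.startswith(b'PK'):
        return 'ooxml-package'
    return 'unknown'


def macro_hint(blob, kind):
    '''Heuristic only: True when the embed shows signs of carrying VBA.
    An OOXML package carries it as vbaProject.bin; an OLE file names its VBA
    storages in the directory stream. PowerPoint 97-2003 may keep the VBA
    project compressed, so False here is not proof of absence.'''
    if kind == 'ooxml-package':
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as inner:
                return any(n.endswith('vbaProject.bin') for n in inner.namelist())
        except zipfile.BadZipFile:
            return False
    if kind == 'ole-compound':
        return any(m in blob for m in VBA_MARKERS)
    return False


def docx_embedded_objects(data):
    '''Return sorted (part_name, kind, macro_hint) for every embedded object in
    a .docx given as bytes. Parts come from the relationships file and from the
    embeddings folder, so an embed with no relationship entry is still listed.'''
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        targets = set(n for n in names if n.startswith('word/embeddings/'))
        rels_part = 'word/_rels/document.xml.rels'
        if rels_part in names:
            root = ET.fromstring(z.read(rels_part))
            for rel in root.iter(RELS_NS + 'Relationship'):
                if rel.get('Type') in (OLE_REL, PKG_REL):
                    targets.add('word/' + rel.get('Target', '').lstrip('/'))
        for name in sorted(targets):
            if name not in names:
                continue
            blob = z.read(name)
            kind = classify(blob)
            findings.append((name, kind, macro_hint(blob, kind)))
    return findings


def build_sample_docx():
    '''Constructed sample, not the malicious document from the report: a minimal
    .docx with one OLE embed that names a VBA storage, one OOXML embed without
    macros, and one non-Office blob parked in the embeddings folder.'''
    rels = '''<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>
  <Relationship Id='rId1' Type='{0}' Target='embeddings/oleObject1.bin'/>
  <Relationship Id='rId2' Type='{1}' Target='embeddings/Microsoft_Word_Document.docx'/>
</Relationships>'''.format(OLE_REL, PKG_REL)
    ole_stub = OLE_MAGIC + bytes(504) + VBA_MARKERS[0] + bytes(64)
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, 'w') as z:
        z.writestr('word/document.xml', '<w:document/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('word/document.xml', '<w:document/>')
        z.writestr('word/_rels/document.xml.rels', rels)
        z.writestr('word/embeddings/oleObject1.bin', ole_stub)
        z.writestr('word/embeddings/Microsoft_Word_Document.docx', inner.getvalue())
        z.writestr('word/embeddings/thumb.bin', b'GIF89a' + bytes(16))
    return buf.getvalue()


if __name__ == '__main__':
    for name, kind, vba in docx_embedded_objects(build_sample_docx()):
        print(name, kind, 'vba-hint' if vba else '')
```

To use it on a real carrier, pass the bytes of the suspect .docx to docx_embedded_objects and treat any ole-compound or ooxml-package result as something to extract and analyse on its own, since the outer document has told you nothing about what the inner one does.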
The scheduled task decodes support.txt into wword.exe and executes it using the Shell function in a hidden command\r\nprompt window:\r\nScheduleTask function\r\nThe Execution:\r\nThe VBA macro drops the executable wword.exe in the C:\\~Microsoft365 directory:\r\nSync-Scheduler\r\nFile Name wword.exe\r\nFile Size 152.88 KB (156544 bytes)\r\nSigned Not signed\r\nMD5 df6b768247a9cdb5607819c79f02099d\r\nSHA-256 6e4a4d25c2e8f5bacc7e0f1c8b538b8ad61571266f271cfdfc14725b3be02613\r\nCreation Time January 08, 2024\r\nThe Task Scheduler executes wword.exe in a hidden Windows command shell:\r\nTask Scheduler log\r\nThe malware creates the directory “C:\\Users\\user\\AppData\\Roaming\\OneDrive”:\r\nIt then attempts to establish a connection with the domain “syncscheduler[.]com” and sends the system’s UID to the C2:\r\nConnection to syncscheduler.com\r\nIn the next stage of execution, the malware first enumerates the users/accounts on the system:\r\nIt then starts querying for files and folders in the user’s Downloads, Desktop and Documents directories:\r\nSearching for files/folders in User’s space\r\nThe Target: Documents\r\nAfter querying the files and folders in the user’s directories, the malware selects files by comparing their extensions.\r\nThese include .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf and .zip files:\r\nComparing ‘zip’ file extension to identify its filetype\r\nWhen a target file is identified, it immediately copies the file to the OneDrive folder\r\n(C:\\Users\\user\\AppData\\Roaming\\OneDrive) for exfiltration; after the file has been transferred to the C2 server, it is deleted\r\nfrom the OneDrive folder, and the search for documents continues. 
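The staging behaviour above, together with the extension-replacement table that follows, can be turned into a triage check for the OneDrive folder the stealer creates under AppData/Roaming. This is an added example, not part of the report: a Python script that recovers the original file name from a staged name and then confirms the recovery by checking that the file content begins with the magic bytes expected for that type, so a coincidentally named file such as decoyX052 is not mistaken for a stolen archive. The folder it scans is constructed in a temporary directory for the demonstration; the suffix table is the one this report lists.

```python
import os
import tempfile

# Replacement strings the stealer writes in place of each extension
# (including the period) when it stages a stolen file.
SUFFIX_TO_EXT = {
    'X367': '.doc', 'X946': '.docx', 'X142': '.xls', 'X375': '.xlsx',
    'X593': '.ppt', 'X842': '.pptx', 'X567': '.pdf', 'X052': '.zip',
}
OLE_MAGIC = bytes.fromhex('d0cf11e0a1b11ae1')
# Leading bytes a genuine file of each recovered type should carry.
EXPECTED_MAGIC = {
    '.doc': OLE_MAGIC, '.xls': OLE_MAGIC, '.ppt': OLE_MAGIC,
    '.docx': b'PK', '.xlsx': b'PK', '.pptx': b'PK', '.zip': b'PK',
    '.pdf': b'%PDF',
}


def recover_name(staged_name):
    '''Undo the rename: a known trailing replacement string becomes the
    original extension. Returns None for names without such a suffix.'''
    for suffix, ext in SUFFIX_TO_EXT.items():
        if staged_name.endswith(suffix) and len(staged_name) > len(suffix):
            return staged_name[:-len(suffix)] + ext
    return None


def triage_staging_dir(path):
    '''Scan a directory the way a responder would scan the staging folder the
    stealer creates under AppData/Roaming/OneDrive. Returns a sorted list of
    (staged_name, recovered_name, magic_matches) for every file whose name
    carries a known suffix; magic_matches is True when the content really is
    the recovered type, which separates a staged document from a file that
    merely happens to end in one of the strings.'''
    results = []
    for name in sorted(os.listdir(path)):
        original = recover_name(name)
        if original is None:
            continue
        ext = os.path.splitext(original)[1]
        with open(os.path.join(path, name), 'rb') as fh:
            head = fh.read(8)
        results.append((name, original, head.startswith(EXPECTED_MAGIC[ext])))
    return results


def build_sample_dir():
    '''Constructed sample staging folder, not data from an infection: three
    renamed documents with genuine headers, one renamed file whose content
    does not match, and one unrelated file that must be ignored.'''
    path = tempfile.mkdtemp(prefix='onedrive-stage-')
    samples = {
        'Q1_budgetX142': OLE_MAGIC + bytes(24),
        'board_deckX842': b'PK' + bytes(30),
        'contractX567': b'%PDF-1.7' + bytes(24),
        'decoyX052': b'just text, not a zip',
        'desktop.ini': b'[.ShellClassInfo]',
    }
    for name, content in samples.items():
        with open(os.path.join(path, name), 'wb') as fh:
            fh.write(content)
    return path


if __name__ == '__main__':
    for staged, original, ok in triage_staging_dir(build_sample_dir()):
        print(staged, '->', original, 'content matches' if ok else 'content MISMATCH')
```

Because the stealer deletes each staged copy once it has been sent, an empty folder is not evidence of absence; the check is most useful on a folder captured while the process was still running, or on a forensic image where the deleted entries can still be carved.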
The process of searching for, copying, and transmitting\r\ndocument files is carried out one file at a time.\r\nWhile copying these files, it changes the file names, replacing the file extension, including the period character (‘.’), with\r\na string specific to the particular file type:\r\nFile Extension   Replacement String\r\n.doc             X367\r\n.docx            X946\r\n.xls             X142\r\n.xlsx            X375\r\n.ppt             X593\r\n.pptx            X842\r\n.pdf             X567\r\n.zip             X052\r\nReplacing files’ extensions while copying them into the OneDrive folder\r\nAssembly instructions: Replacing file extension\r\nThe Exfiltration:\r\nAfter copying the files into the OneDrive folder (C:\\Users\\user\\AppData\\Roaming\\OneDrive), it starts the exfiltration:\r\nExfiltrating copied .xls file using ‘HttpSendRequestW’\r\nThe files are sent in POST requests as ‘form-data’ to the URL\r\n“http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy.php” (IP address “146.70.157.120”):\r\nSending .doc file over network\r\nDefense Capabilities:\r\nAt the initial stage of execution, the malware looks for the presence of various analysis tools, including debuggers and\r\nvirtual machine environments:\r\nAnalysis tools string in process memory\r\nAdditionally, it checks whether specific DLLs are hooked, a common way of hiding an analysis environment:\r\nverifying hooked DLLs in memory\r\nIf the malware identifies any analysis-related element in the execution environment, it calls ‘FatalExit’, terminating\r\nthe process.\r\nSYNC-SCHEDULER CAPABILITIES\r\nThe examination of Sync-Scheduler yields valuable insights into its operational characteristics. Based on this analysis and\r\nthe data extracted, the following points outline the capabilities of this document stealer:\r\nExfiltrates documents, including Word, Excel spreadsheets, PowerPoint presentations, PDFs and ZIP archives.\r\nAvoids detection using file nesting and embedded objects in Office documents.\r\nAnti-analysis capabilities.\r\nUses obfuscation in the code.\r\nScans for analysis tools and debuggers.\r\nCommunicates with the C2 and exfiltrates files over the network.\r\nTerminates if it is being debugged or analyzed.\r\nCONCLUSION\r\nIn summary, Sync-Scheduler is a dedicated document stealer that targets Word documents, Excel spreadsheets, PowerPoint\r\npresentations, PDFs and ZIP archives. The malware is written in C++ and equipped with anti-analysis and defense\r\nevasion techniques. It uses obfuscation in its code and terminates itself if it detects an analysis environment.\r\nTo reduce the risks associated with the Sync-Scheduler stealer, users should exercise caution when opening files from\r\nuntrusted sources or clicking on unfamiliar links, particularly those offering questionable software or content.\r\nFurthermore, deploying robust security measures, including reputable anti-malware software, keeping software\r\nregularly updated, and staying vigilant against social engineering tactics, can significantly bolster protection against such\r\nthreats. 
Education and awareness campaigns are also vital in equipping individuals with the knowledge to recognize and\r\navoid such malware, ultimately fostering a more resilient and secure online ecosystem.\r\nINDICATORS OF COMPROMISE\r\nS/N  Indicator                                                           Type        Context\r\n1    c1ab783d60cf05636eb4f72d17c6cf1d                                    MD5         China Navy First Training 2024(CN).docx\r\n2    2027a5acbfea586f2d814fb57a97dcfce6c9d85c2a18a0df40811006d74aa7e3    SHA-256     China Navy First Training 2024(CN).docx\r\n3    39122a2bcf6c360271e8edb503bc2761                                    MD5         microsoft_powerpoint_97-2003_presentation.ppt\r\n4    203d60fe1ebbfafc835e082774ee56088273d9455fb12ac1de2c1be410cceeec    SHA-256     microsoft_powerpoint_97-2003_presentation.ppt\r\n5    df6b768247a9cdb5607819c79f02099d                                    MD5         wword.exe\r\n6    6e4a4d25c2e8f5bacc7e0f1c8b538b8ad61571266f271cfdfc14725b3be02613    SHA-256     wword.exe\r\n7    004101dc501b9de8965e6b45debd07b6                                    MD5         smsse.exe\r\n8    316e01b962bf844c3483fce26ff3b2d188338034b1dbd41f15767b06c6e56041    SHA-256     smsse.exe\r\n9    146[.]70[.]157[.]120                                                IP address  C2\r\n10   http[:]//syncscheduler[.]com/r3diRecT/redirector/proxy[.]php        URL         C2\r\nMITRE ATT\u0026CK TACTICS AND TECHNIQUES\r\nNo.  Tactic                        Technique\r\n1    Reconnaissance (TA0043)       T1592: Gather Victim Host Information\r\n2    Execution (TA0002)            T1059.003: Windows Command Shell\r\n                                   T1053.005: Scheduled Task\r\n                                   T1204.002: User Execution: Malicious File\r\n3    Defense Evasion (TA0005)      T1622: Debugger Evasion\r\n                                   T1497: Virtualization/Sandbox Evasion\r\n                                   T1140: Deobfuscate/Decode Files or Information\r\n                                   T1564.001: Hidden Files and Directories\r\n                                   T1070.004: File Deletion\r\n                                   T1027.009: Embedded Payloads\r\n4    Discovery (TA0007)            T1622: Debugger Evasion\r\n                                   T1497: Virtualization/Sandbox Evasion\r\n                                   T1083: File and Directory Discovery\r\n5    Command and Control (TA0011)  T1071.001: Web Protocols\r\n6    Exfiltration (TA0010)         T1041: Exfiltration Over C2 Channel\r\nRecommendations\r\nImplement threat intelligence to proactively counter the threats associated with the Sync-Scheduler stealer.\r\nTo protect endpoints, use robust endpoint security solutions for real-time monitoring and threat detection, such as an\r\nanti-malware suite and a host-based intrusion prevention system.\r\nContinuously monitor network activity with NIDS/NIPS and use a web application firewall to filter or block\r\nsuspicious activity, including traffic that carries encrypted payloads.\r\nConfigure firewalls to block outbound communication to known malicious IP addresses and domains associated with\r\nthe Sync-Scheduler command and control servers.\r\nImplement behavior-based monitoring to detect unusual activity patterns, such as suspicious processes attempting to\r\nmake unauthorized network connections.\r\nEmploy application whitelisting to allow only approved applications to run on endpoints, preventing the execution of\r\nunauthorized or malicious executables.\r\nConduct vulnerability assessments and penetration tests of the environment periodically; finding and remediating\r\nsecurity loopholes hardens the environment.\r\nThe use of security benchmarks to create baseline security procedures and organizational security policies is also\r\nrecommended.\r\nDevelop a comprehensive incident response plan that outlines the steps to take in case of a malware infection, including\r\nisolating affected systems and notifying relevant stakeholders.\r\nSecurity awareness and training programs help protect against security incidents such as social engineering attacks.\r\nOrganizations should remain vigilant and continuously adapt their defenses to mitigate the evolving threats posed by\r\nthe Sync-Scheduler stealer.\r\nApply security patches promptly to reduce the risk of compromise.\r\nSource: https://www.cyfirma.com/research/sync-scheduler-a-dedicated-document-stealer/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.cyfirma.com/research/sync-scheduler-a-dedicated-document-stealer/"
	],
	"report_names": [
		"sync-scheduler-a-dedicated-document-stealer"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439008,
	"ts_updated_at": 1775791469,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/29a43ab6f13046d760a1bf86bcbdd8517440383c.pdf",
		"text": "https://archive.orkl.eu/29a43ab6f13046d760a1bf86bcbdd8517440383c.txt",
		"img": "https://archive.orkl.eu/29a43ab6f13046d760a1bf86bcbdd8517440383c.jpg"
	}
}