{
	"id": "34d99e70-a940-4c17-bc2f-c8ace71b3292",
	"created_at": "2026-04-06T00:10:12.611644Z",
	"updated_at": "2026-04-10T03:21:20.96104Z",
	"deleted_at": null,
	"sha1_hash": "40313d33d2be54be7e06968277eb83b18bd99f22",
	"title": "LockBit Ransomware Distributed Via Word Files Disguised as Resumes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2676063,
	"plain_text": "LockBit Ransomware Distributed Via Word Files Disguised as Resumes\r\nBy ATCP\r\nPublished: 2024-01-14 · Archived: 2026-04-05 22:01:00 UTC\r\nAhnLab SEcurity intelligence Center (ASEC) has identified that LockBit ransomware has been distributed via Word files since last month. A notable point is that LockBit ransomware is usually distributed by disguising itself as resumes, and the recently found malicious Word files were also disguised as resumes [1]. The distribution method of LockBit ransomware using external URLs in Word files was first found in 2022 [2]. The recently discovered file names of the malicious Word files are as follows.\r\nFile name\r\n[[[231227_Yang**]]].docx\r\n231227_Lee**.docx\r\n231227Yu**,docx\r\nKim**.docx\r\nSeonWoo**.docx\r\nWorking meticulously! A leader in communication!.docx\r\nCandidate with a kind attitude and a big smile.docx\r\nI will work with an enthusiastic attitude.docx\r\nAn external link is included in the internal file \\word\\_rels\\settings.xml.rels of the Word document, and a document file that has additional malicious macro code is downloaded from the external URL when the Word file is opened. Most of the properties of the documents were similar to those of documents distributed in the past, so it is assumed that the documents used in the past are being reused.\r\nFigure 1. Connection to the external URL when the document file is run\r\nFigure 2. File properties (File distributed in September 2022 / File distributed recently)\r\nAs shown in the figure below, images are included in the file to prompt users to run the malicious VBA macro. When the macro is run, the VBA macro included in the document file downloaded from the external URL is run.\r\nFigure 3. Image inserted in the file\r\nIdentified external URLs are as follows.
\r\nhxxps://viviendas8[.]com/bb/qhrx1h.dotm\r\nhxxps://learndash.825testsites[.]com/b/fgi5k8.dotm\r\nhxxps://neverlandserver.nn[.]pe/b/ck0zcn.dotm\r\nThe image below shows the macro code that was run through the downloaded document files. It is obfuscated similarly to the VBA macro cases identified in 2022, and PowerShell is ultimately run to download and execute LockBit ransomware.\r\nFigure 4. Comparison of macro code (VBA macro code of file distributed in September 2022 / VBA macro code of file distributed recently)\r\nIdentified download URLs of LockBit ransomware are as follows.\r\nhxxps://learndash.825testsites[.]com/b/abc.exe\r\nhxxps://viviendas8[.]com/bb/abc.exe\r\nhxxps://neverlandserver.nn[.]pe/b/abc.exe\r\nWhen the downloaded LockBit 3.0 ransomware is executed, it encrypts the files on the user’s PC.\r\nFigure 5. Ransom note\r\nFigure 6. LockBit 3.0 infection screen\r\nAs various malware strains other than LockBit ransomware are also being distributed under the guise of resumes, users are advised to be extra cautious.
[File Detection]\r\nDownloader/DOC.Macro (2023.12.29.03)\r\nDownloader/DOC.Agent (2024.01.02.03)\r\nDownloader/XML.Exernal (2024.01.09.00)\r\nMalware/Win.AGEN.R417906 (2021.04.27.03)\r\nTrojan/Win.Generic.R629778 (2023.12.30.01)\r\nRansomware/Win.LockBit.XM170 (2023.10.05.02)\r\n[Behavior Detection]\r\nRansom/MDP.Event.M4194\r\n[IOC Info]\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/60633/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/60633/"
	],
	"report_names": [
		"60633"
	],
	"threat_actors": [],
	"ts_created_at": 1775434212,
	"ts_updated_at": 1775791280,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/40313d33d2be54be7e06968277eb83b18bd99f22.pdf",
		"text": "https://archive.orkl.eu/40313d33d2be54be7e06968277eb83b18bd99f22.txt",
		"img": "https://archive.orkl.eu/40313d33d2be54be7e06968277eb83b18bd99f22.jpg"
	}
}