{
	"id": "a01c5590-c2e6-4ac2-83b3-2564f6713590",
	"created_at": "2026-04-06T00:19:07.819361Z",
	"updated_at": "2026-04-10T03:21:04.09987Z",
	"deleted_at": null,
	"sha1_hash": "6b9017b3ec4ca930f16dbe97f5a4f016f86da164",
	"title": "Examining a VBA-Initiated Infostealer Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1392342,
	"plain_text": "Examining a VBA-Initiated Infostealer Campaign\r\nBy Vicky Ray, Rob Downs\r\nPublished: 2014-10-29 · Archived: 2026-04-05 18:28:26 UTC\r\nWhile Microsoft documents that leverage malicious, embedded Visual Basic for Applications (VBA) macros are\r\nnot a new thing, their use has noticeably increased this year, thanks in part to their simplicity and effectiveness.\r\nSome threat actors commonly use this class of malware to drop a second stage payload on victim systems. Even\r\nthough Microsoft attempts to mitigate this threat by disabling macros by default, the percentage of users who\r\nexplicitly bypass this protection and enable macros remains high.\r\nExploiting the human factor, the most effective attacker strategy is the tried and true spear phishing attack, ideally\r\nmade to look authentic by appearing to originate from a legitimate organization/individual and containing role-relevant or topic-of-interest content to entice its intended target. This post examines an information stealer\r\ncampaign that leveraged a VBA macro script, focusing on its progression, from delivery to Command and Control\r\n(C2), and its attribution to a malicious actor for context on objectives and motivation.\r\nDelivery and Exploitation\r\nThe recent campaign started with an email sent to an employee responsible for processing financial statements at a\r\nglobal financial organization (Figure 1). The sender’s email address was spoofed as originating from an energy\r\ncompany. Subsequent analysis would show that this façade was very thin; yet, it is often all that is required to\r\nencourage a user to open an attachment or click on a link that then executes malicious code.\r\nFigure 1: Delivery of a phishing message containing malicious DOC file\r\nThe above e-mail employs common pressure tactics for phishing messages. 
Specifically, it touches on two areas of\r\npotential concern for a target: financial responsibility and the introduction of a state of uncertainty and confusion.\r\nIn this case, the role of the target as a processor of financial statements might mean that the target is accustomed to\r\nreceiving similarly structured legitimate e-mails; accordingly, they may open a malicious attachment without a\r\nsecond thought.\r\nhttps://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/\r\nPage 1 of 9\n\nThe second factor is much broader and relates to how humans deal with uncertainty. Without specific awareness\r\nand training, some users may be inclined to open the attachment, wondering why the e-mail was sent to them. In\r\npsychology, this is referred to as the “Need for Closure” personality trap.\r\nThe next layer of this attack is found within the malicious DOC file once a victim opens it. With a system properly\r\nconfigured to protect against automatic execution of VBA macros, no malicious code has been run at this point.\r\nFigure 2 presents a screenshot of the malicious attachment’s displayed contents.\r\nFigure 2: Displayed contents of malicious DOC file, TTAdvise.doc\r\nThis content further compounds the two points of concern for the target, and now presents a convenient option of\r\nclicking on “Enable Content” to obtain closure on the matter. 
Despite a security warning (Figure 3), a number of\r\nusers still choose to enable respective content, allowing for malicious VBA macros to run on their system.\r\nFigure 3: Often ignored Microsoft security warning against enabling macro content\r\nAfter enabling macros, none of the promised data is shown to the victim; however, the malicious VBA macro\r\nscript executes in the background without the user’s knowledge.\r\nVBA Macro Script\r\nThe embedded VBA macro script is shown in Figure 4.\r\nFigure 4: Embedded VBA macro script\r\nThis script operates as a downloader, pulling a second stage payload from the following URL (Note: at the time of\r\nthis post, the referenced domain was no longer active):\r\nhxxp://icqap.com/oludouble.exe\r\nInstallation and Persistence\r\nStatic analysis of the “oludouble.exe” binary is summarized in Figure 5.\r\nFigure 5: Static analysis of downloaded second stage malware, oludouble.exe\r\nOnce executed, “oludouble.exe” drops two executables (Windows XP paths furnished):\r\nC:\\Documents and Settings\\Administrator\\Desktop\\exchangepre.exe\r\nC:\\Documents and Settings\\Administrator\\Application Data\\Windows Update.exe\r\nBoth binaries are exact copies (Figure 6).\r\nFigure 6: Files dropped from second stage malware, oludouble.exe\r\nThe second stage malware also copies itself to the following location (Windows XP) and deletes its original file:\r\nC:\\Documents and Settings\\Administrator\\Application Data\\Temp.exe\r\nPersistence (enabling the malware to reload after reboot and restart) is achieved through addition of the following\r\nregistry key, set to the path for the “Windows Update.exe” binary (Figure 7):\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows 
Update\r\nFigure 7: Windows registry modification for persistence\r\nMalware Capabilities\r\nAPI calls extracted from “Windows Update.exe” (b6275be58a539ea9548d02ab6229c768) hint at associated\r\ncapabilities (Figure 8).\r\nFigure 8: API calls found in “Windows Update.exe” binary\r\nBased on these API calls, the malware appears to support enumeration of a variety of system information.\r\nAdditionally, the use of “GetAsyncKeyState”, which obtains key press status, could be indicative of keylogging\r\ncapabilities.\r\nFurther investigation and research revealed that this malware leverages the Predator Pain keylogger, a favorite tool\r\nof this threat actor. Overall, this malware functions as an information stealer (Infostealer), including capture and\r\nexfiltration of the following types of information:\r\nWebsite credentials\r\nFinancial information\r\nChat session contents\r\nEmail contents\r\nCommand and Control (C2)\r\nOnce installed, this malware determines its Internet-facing IP address and then establishes a connection with the\r\nfollowing domains:\r\nwhatismyipaddress.com\r\nwww.myip.ru\r\nmail[.]rivardxteriaspte.co[.]uk\r\nftp[.]rivardxteriaspte.co[.]uk\r\nThe first two domains are legitimate public IP verification services. The latter two are C2 servers run by the\r\nmalicious actor, which use SMTP and FTP communications, respectively.\r\nAttribution\r\nE-mail headers are a valuable source of intelligence when investigating these types of attacks (Figure 9).\r\nFigure 9: E-mail headers for phishing message\r\nIn this example, when the victim opened the phishing message, it appeared to originate from a legitimate\r\norganization. However, closer inspection revealed that the sender address was spoofed through the ‘X-Env-Sender’ header. 
In an attempt to slide past cursory examination, the malicious actor used an open mail relay,\r\nserver[.]edm.sg. Another important e-mail header field for this message is ‘Reply-To’, which contains a valid e-mail address for this malicious actor:\r\ncimaskozy(at)yahoo.com\r\nSetting the ‘Reply-To’ email header field to a valid address is another common threat actor tactic. It supports\r\nelicitation activities by that actor should a target respond to the message (i.e., further social engineering). Yet, this\r\ntechnique should also present a red flag to a user, as the initial façade of the originating e-mail address is removed\r\nat that point.\r\nResearch on the above email address reveals that this actor has been active in the cybercrime underground since at\r\nleast 2010. Specifically, this actor goes by the handle “Skozzy” and is a known carder, seller of compromised\r\ncredit card information, and facilitator of related services. Accordingly, we categorize “Skozzy” as primarily a\r\ncybercrime actor motivated by financial gain, although roles across nation state, cybercrime, hacktivist and ankle-biter/script kiddies are not mutually exclusive and – in fact – continue to become fuzzier over time.\r\nFigure 10 is a screenshot of a YouTube post by “Skozzy” (skozzy11) from 2010.\r\nFigure 10: YouTube post from “Skozzy”, 2010\r\nFigure 11 is a screenshot from a Pastebin post, also from 2010.\r\nFigure 11: Pastebin post from “Skozzy”, 2010\r\n“Skozzy” is also active on HackForums[.]net and has shared thoughts and experiences related to keylogging tools\r\nlike Limitless Logger and Predator Pain (Figure 12). 
Of particular note, the infostealer/keylogger tools that\r\n“Skozzy” prefers are able to steal much more than what has been observed so far for this actor.\r\nFigure 12: Posts on HackForums[.]net regarding keyloggers\r\n“Skozzy” also shares that Predator Pain is a preferred tool, as it offers great support (Figure 13).\r\nFigure 13: “Skozzy” prefers the Predator Pain keylogger\r\nDeeper analysis and correlation across domains and samples that we believe are related to this threat actor will be\r\ncovered in subsequent blog content.\r\nConclusion\r\nThis case epitomizes how easy it has become these days to steal sensitive information from victims who fall prey\r\nto such campaigns. Associated tools can be bought online for less than $100, a price that often also includes support\r\npackages that rival those of mainstream commercial software.\r\nStolen information can be used for more than standard credit card fraud. The crossover between malicious actor\r\nobjectives may include opportunistic aspects of cyber espionage, extortion, identity theft, intellectual capital\r\ntheft, and much more. It is also important to note that none of the major anti-virus (AV) vendors detected this\r\nthreat at the time it was delivered. The natural gap between creation of these threats and a corresponding signature\r\nfor their detection by traditional AV remains a sweet spot for successful malicious campaigns. Therefore, it is\r\nincreasingly important to properly architect and deploy network and endpoint protections to ensure thorough and\r\neffective defense of computing and information assets.\r\nThe Palo Alto Networks Enterprise Security Platform is a prime example of technology meant to address and\r\nminimize the risk associated with emerging threats. 
Learn more about the platform here.\r\nSource: https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/examining-vba-initiated-infostealer-campaign/"
	],
	"report_names": [
		"examining-vba-initiated-infostealer-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434747,
	"ts_updated_at": 1775791264,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6b9017b3ec4ca930f16dbe97f5a4f016f86da164.pdf",
		"text": "https://archive.orkl.eu/6b9017b3ec4ca930f16dbe97f5a4f016f86da164.txt",
		"img": "https://archive.orkl.eu/6b9017b3ec4ca930f16dbe97f5a4f016f86da164.jpg"
	}
}