{
	"id": "c5b2b19c-926e-41aa-ab81-9a1272942ec4",
	"created_at": "2026-04-06T00:08:14.758635Z",
	"updated_at": "2026-04-10T13:11:47.0046Z",
	"deleted_at": null,
	"sha1_hash": "8c1113bdbc364d81bf68c274e309e9d5b8d00c9b",
	"title": "Gamaredon: Docx Template-Injection",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1036731,
	"plain_text": "Gamaredon: Docx Template-Injection\r\nPublished: 2021-01-18 · Archived: 2026-04-05 23:19:20 UTC\r\nNew APT malware samples have recently been found by Shadow Chaser Group researchers that point to the same attacker group, Gamaredon. Two different samples from separate incidents are analyzed and presented in this post to show the techniques used by the attacker. There are also interesting findings that were extracted during dynamic analysis and were not reported by sandbox engines. This post focuses on the extracted information and techniques and skips the match results.\r\nSample One: Downloader\r\nFigure -1- Tweet of sample 1\r\nHost-Based IOCs\r\nhttps://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/\r\nPage 1 of 9\n\nFile Name | MD5 hash | File Size\r\nМои данные.docx | fbc037e68f5988df9190cdadf7424752 | 24.56 KB\r\ndCiBlGD.dot | 7467DBBB6DBEA83256B13FB151A594EF | 73 bytes\r\nindex.dat | C6DBAAA421E7CC2A51564EC14EE98372 | 244 bytes\r\nsell on office360-expert.online | E382A34494F25B9F31F8A3745135970E | 62 bytes\r\nTCD18CC.tmp\\CleanGradient.thmx | E9294DCC4C80544EFDDD8BCA7F1FFBE6 | 57.7 KB\r\nTable -1- Sample one Files basic properties\r\nThis malware is a Docx file with the (50 4B 03 04) signature. When extracted, it contains an embedded XML relationships file (word\\_rels\\settings.xml.rels) (Figure -2-) holding a URL which, at the time of writing this post, is still active (Figure -3-) [2].\r\nFigure -2- XML file with Suspicious URL\r\nFigure -3- Active links\r\nNetwork-Based IOCs\r\nURL | IP | Port\r\nhxxp://office360-expert[.]online/sell/dCiBlGD[.]dot | 195.161.114.130 | 80\r\nTable -2- Sample One Connections\r\nUnlike other malware techniques used in similar procedures, by the time this Docx file is first opened it is already too late. As an attack vector, it does not require the victim to enable macros in order to serve its malicious purpose.\r\nFigure -4- Running the document\r\nSince it is a downloader, it only makes sense to find out what happens next by running this malware live and infecting the computer. Four files were extracted, as listed in (Table -1-), in (C:\\.\\.\\AppData\\Roaming\\Microsoft\\Office\\Recent) and (C:\\.\\.\\AppData\\Local\\Temp\\TCD18CC.tmp\\). There are dozens of other xx.TMP directories, but they are created and deleted during the process. The DOT file dCiBlGD is nothing but a shortcut linked to the URL shortcut (sell on office360-expert.online), which links to the same URL. The current files are almost useless, and there does not appear to be a use for the template file or any other files for that matter. However, the following section of this post presents another sample belonging to the same attacker group which uses a dot file as a second-stage dropper, but more on that in a little bit.\r\nThere is a persistence mechanism that might lead to downloading other files, such as a dot file, or perhaps to other evasion techniques. What is missing from the VirusTotal behavior report [3] is the registry value below, at least at the time of writing this post. The sample was tested with both MS Word 2010 and 2016.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\16.0\\Common\\Internet\\Server Cache\\http://office360-expert.online/sell/\r\nFigure -5- RegValue: Office 2010\r\nFigure -6- RegValue: Office 2016\r\nAt the time of live analysis of this sample there is no threat presented yet. However, as a first-stage downloader, the attacker has successfully placed a foothold via temp files like the dot (Document Template) file, which remains unnoticed in the temp directory, and has also set the registry values linking to the suspicious URL.\r\nSample Two: Dropper\r\nFigure -7- Tweet of sample 2\r\nThis appears to be an older sample discovered by the same researchers [1] and linked to the same attacker group [4]. A dot file is statically analyzed in this section, which gives a chance to glance at what a dot file might be used for and what evasion and persistence techniques the attacker is using.\r\nHost-Based IOCs\r\nFile Name | MD5 hash | File Size\r\nKzGdWvmSq.dot | ddc38e9b53458ee58504a40fdc41df61 | 216.00 KB\r\nPrintDriver.exe | d1ab72db2bedd2f255d35da3da0d4b16 | 138.50 KB\r\nTable -3- Sample two Files basic properties\r\nWhen the dot file KzGdWvmSq reaches the victim machine, it establishes a connection with a C2 server. At the time of analyzing this sample, the C2 servers are not found [5].\r\nURL | IP | Port\r\nhxxp://sufflari[.]online/increase[.]php | 188.225.82.216 | 80\r\nhxxp://188.225.82.216/inspection[.]php | 188.225.82.216 | 80\r\nTable -4- Sample Two Connections\r\nThis malware sample is a wrapper and dropper for a PE executable (PrintDriver.exe) that runs as a process on the victim machine. However, this analysis focuses more on the code and interesting indicators. Using either the oledump.py or olevba.py tool on a REMnux machine is a good way to identify VBA streams and extract macros. On this sample it is clear that the macro is detected in the 8th stream.\r\nFigure -8- Oledump streams detected\r\nThe extracted macro appears to be encoded, and almost every line and function has been obfuscated. With the help of the olevba.py summary table, the detection of base64 encoding is helpful.\r\nFigure -9- Olevba summary\r\nThe use of the Document_Close function in this VBA macro is interesting. According to Microsoft documentation [6], the event only fires after the open document is closed.\r\nFigure -10- Document_Close Event\r\nEven after decoding the code there is still heavy usage of swap functions, but at least the important parts are in clear text, as in the IOC snapshots below. After closing the document, the lines below are executed and (PrintDriver.exe) is up and running as a process.\r\nFigure -11- Host-Based IOCs\r\nFigure -12- Network-Based IOCs\r\nA couple of registry values are altered during runtime. However, the spotted hardcoded ones are listed below, and more can be found in the registry section of the same sample report [7]; they serve as a persistence mechanism.\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\PrintSoftware\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Office\\ \u0026 Application.Version \u0026 _”\\Word\\Security\\\r\nCompared to the rest of the dot file, the ‘Macros/VBA/ThisDocument’ file is relatively small. Just in case, to avoid missing any other hidden data, back to Figure -8- above: let us make use of the pcodedmp.py tool to extract any possible hidden p-code. There is none hidden; it is just that the 5th stream ‘Data’ appears to be the image file of the template embedded in this section. What also gets the attention is this little overhead as a referral to image content.\r\nFigure -13- Embedded Image file\r\nCredits\r\nShadow Chaser Group for discovering both samples\r\nUpdate (27 Jan 2021)\r\nContribution work from Nicko on GitHub\r\nReferences\r\n[1] Shadow Chaser Group, https://twitter.com/ShadowChasing1\r\n[2] AnyRun – Sample One, https://app.any.run/tasks/17575220-f087-4baa-bc96-3d9bdb0f10ed/\r\n[3] VirusTotal – Template Injection Malware Sample, https://www.virustotal.com/gui/file/499caf4558ca05440875a94d5e06663cc637f9c6acdaa7c1a89f889a025837f3/behavior\r\n[4] Gamaredon Group by MITRE ATT\u0026CK definition, https://attack.mitre.org/groups/G0047/\r\n[5] AnyRun – Sample Two, https://app.any.run/tasks/26e685f3-9a76-45fa-ad70-dd61cb64812c/\r\n[6] Microsoft documentation, https://docs.microsoft.com/en-us/office/vba/api/word.document.close(even)\r\n[7] AnyRun – Sample Two Registry Values, https://any.run/report/13b780800c94410b3d68060030b5ff62e9a320a71c02963603ae65abbf150d36/26e685f3-9a76-45fa-ad70-dd61cb64812c#registry\r\nSource: https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/"
	],
	"report_names": [
		"docx-files-template-injection"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775826707,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8c1113bdbc364d81bf68c274e309e9d5b8d00c9b.pdf",
		"text": "https://archive.orkl.eu/8c1113bdbc364d81bf68c274e309e9d5b8d00c9b.txt",
		"img": "https://archive.orkl.eu/8c1113bdbc364d81bf68c274e309e9d5b8d00c9b.jpg"
	}
}