{
	"id": "f7b5b480-3ce3-4eae-8b55-40521c93dc11",
	"created_at": "2026-04-06T00:19:23.315904Z",
	"updated_at": "2026-04-10T03:19:56.595471Z",
	"deleted_at": null,
	"sha1_hash": "94515cd915efec2872b3050071d17d5ff31a248a",
	"title": "New SVCReady malware loads from Word doc properties – Detection \u0026 Response - Security Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 152071,
	"plain_text": "New SVCReady malware loads from Word doc properties – Detection \u0026 Response - Security Investigation\r\nBy Vignesh Bhaaskaran\r\nPublished: 2022-06-10 · Archived: 2026-04-05 14:47:17 UTC\r\nAn unknown malware loader named SVCReady has been discovered in phishing attacks, featuring an unusual way of loading the malware from Word documents onto compromised machines.\r\nMore specifically, it uses VBA macro code to execute shellcode stored in the properties of a document that arrives on the target as an email attachment.\r\nAccording to a new report by HP, the malware has been under deployment since April 2022, with the developers releasing several updates in May 2022. This indicates that it is currently under heavy development, likely still at an early stage.\r\nHowever, it already supports information exfiltration, persistence, anti-analysis features, and encrypted C2 communications.\r\nSVCReady starts with an email\r\nThe infection chain begins with a phishing email carrying a malicious .doc attachment. However, contrary to the standard practice of using PowerShell or MSHTA via malicious macros to download payloads from remote locations, this campaign uses VBA to run shellcode hiding in the file properties.\r\nhttps://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/\r\nPage 1 of 5\r\nAs shown below, this shellcode is stored in the properties of the Word document, from where it is extracted and executed by the macros.\r\nShellcode hidden in document properties (HP)\r\nBy splitting the macros from the malicious shell code, the threat actors attempt to bypass security software that may normally detect it.\r\n“Next the shellcode, which is located in the document properties, is loaded into a variable. Different shellcode is loaded depending on if the architecture of the system is 32 bit or 64 bit,” explains HP’s report.\r\nThe appropriate shellcode is loaded into memory, from where it uses the Windows API function “VirtualProtect” to acquire executable access rights.\r\nNext, the address of the shellcode is passed to the SetTimer API, which executes it. This action results in a DLL (the malware payload) being dropped into the %TEMP% directory. A copy of “rundll32.exe”, a legitimate Windows binary, is also placed in the same directory under a different name and is eventually abused to run SVCReady.\r\nDetection Queries\r\nMicrosoft Defender\r\nDeviceProcessEvents | where (((InitiatingProcessFolderPath endswith @\"\\WINWORD.exe\") or (FolderPath endswith @\"\\WINWORD.exe\") or (ProcessCommandLine contains \"WINWORD.exe\")) and (ProcessCommandLine contains @\"\\AppData\\Local\\Temp\") and (ProcessCommandLine matches regex @'(?i)\\\\[\\w\\.]+\\.dll|\\\\[\\w\\.]+\\.exe'))\r\nCrowdStrike\r\n(((ParentBaseFileName=\"*\\\\WINWORD.exe\") OR (ImageFileName=\"*\\\\WINWORD.exe\") OR (CommandHistory=\"*WINWORD.exe*\") OR (CommandLine=\"*WINWORD.exe*\")) AND ((CommandHistory=\"*\\\\AppData\\\\Local\\\\Temp*\") OR (CommandLine=\"*\\\\AppData\\\\Local\\\\Temp*\")) AND (regex field=CommandHistory \"['\\\\\\\\[\\\\w\\\\.]+\\\\.dll|\\\\\\\\[\\\\w\\\\.]+\\\\.exe']\" OR regex field=CommandLine \"['\\\\\\\\[\\\\w\\\\.]+\\\\.dll|\\\\\\\\[\\\\w\\\\.]+\\\\.exe']\"))\r\nElastic Query\r\n((process.parent.executable:*\\\\WINWORD.exe OR process.executable:*\\\\WINWORD.exe OR process.command_line:*WINWORD.exe*) AND process.command_line:*\\\\AppData\\\\Local\\\\Temp* AND (process.command_line:/\\\\[\\w\\.]+\\.dll|\\\\[\\w\\.]+\\.exe/))\r\nCarbonBlack\r\n((parent_name:*\\\\WINWORD.exe OR process_name:*\\\\WINWORD.exe OR process_cmdline:*WINWORD.exe*) AND process_cmdline:*\\\\AppData\\\\Local\\\\Temp* AND (process_cmdline:/\\\\[\\w\\.]+\\.dll|\\\\[\\w\\.]+\\.exe/))\r\nFireEye Helix\r\n(metaclass:`windows` (pprocess:`*\\WINWORD.exe` OR process:`*\\WINWORD.exe` OR args:`WINWORD.exe`) args:`\\AppData\\Local\\Temp` args:/['\\\\\\\\[\\\\w\\\\.]+\\\\.dll|\\\\\\\\[\\\\w\\\\.]+\\\\.exe']/)\r\nGoogle Chronicle\r\n(principal.process.file.full_path = /.*\\\\WINWORD\\.exe/ or target.process.file.full_path = /.*\\\\WINWORD\\.exe/ or target.process.command_line = /.*WINWORD\\.exe.*/) and target.process.command_line = /.*\\\\AppData\\\\Local\\\\Temp.*/ and target.process.command_line = /\\\\[\\w\\.]+\\.dll|\\\\[\\w\\.]+\\.exe/\r\nMS Sentinel\r\nSecurityEvent | where EventID == 4688 | where (((ParentProcessName endswith @'\\WINWORD.exe') or (NewProcessName endswith @'\\WINWORD.exe') or (CommandLine contains 'WINWORD.exe')) and (CommandLine contains @'\\AppData\\Local\\Temp') and (CommandLine matches regex @'(?i)\\\\[\\w\\.]+\\.dll' or CommandLine matches regex @'(?i)\\\\[\\w\\.]+\\.exe'))\r\nSplunk\r\n(source=\"WinEventLog:*\" AND ((ParentImage=\"*\\\\WINWORD.exe\") OR (Image=\"*\\\\WINWORD.exe\") OR (CommandLine=\"*WINWORD.exe*\")) AND (CommandLine=\"*\\\\AppData\\\\Local\\\\Temp*\")) | rex field=CommandLine \"\\\\(?P\u003cpayload\u003e[\\w\\.]+\\.dll)|\\\\(?P\u003crenamed_file\u003e[\\w\\.]+\\.exe)\"\r\nIndicators of Compromise\r\nDLLs\r\nDomains\r\nSource: https://www.bleepingcomputer.com/news/security/new-svcready-malware-loads-from-word-doc-properties/\r\nSVCReady: A New Loader Gets Ready\r\nSource: https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.socinvestigation.com/new-svcready-malware-loads-from-word-doc-properties-detection-response/"
	],
	"report_names": [
		"new-svcready-malware-loads-from-word-doc-properties-detection-response"
	],
	"threat_actors": [],
	"ts_created_at": 1775434763,
	"ts_updated_at": 1775791196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/94515cd915efec2872b3050071d17d5ff31a248a.pdf",
		"text": "https://archive.orkl.eu/94515cd915efec2872b3050071d17d5ff31a248a.txt",
		"img": "https://archive.orkl.eu/94515cd915efec2872b3050071d17d5ff31a248a.jpg"
	}
}