{
	"id": "b048a3db-9424-4e66-9ba6-6cce60345665",
	"created_at": "2026-04-06T01:32:18.190139Z",
	"updated_at": "2026-04-10T03:34:24.151323Z",
	"deleted_at": null,
	"sha1_hash": "9ff7bc59665ac7c07830650582a7171c7a41a679",
	"title": "GitHub - itsreallynick/office-crackros: Crack your macros like the math pros.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 42636,
	"plain_text": "GitHub - itsreallynick/office-crackros: Crack your macros like the math\r\npros.\r\nBy Nick Carr\r\nArchived: 2026-04-06 01:10:38 UTC\r\nOfficeCrackros\r\nCrack your macros like the math pros.\r\nThis is a substitution cipher detector \u0026 decoder plugin for Microsoft Office documents. Essentially, this is Sigpedia for\r\nMacros. What I'm trying to say is I think you'll find this helpful if you can navigate all the trolling. Feb 2017 Update: This\r\nnow supports PointsToInches character encoding (new FIN8 technique)!\r\nHow To Use It\r\n1. download teh scripts\r\n2. run against suspect documents\r\nUsage: python oledump.py -p plugin_officecrackros \u003cpath/to/file.doc\u003e\r\n3. let me know what you think\r\nPlease understand that, like all good hacked together tools, I stopped as soon as it worked - with much room for\r\nimprovement\r\nIf you found the tool helpful, let me know @itsreallynick\r\nRequirements\r\noledump\r\nDidier Stevens, who is awesome, created this tool\r\noledump has been included in this repository\r\nhttps://github.com/DidierStevens/DidierStevensSuite/blob/master/oledump.py\r\noledump requires olefile python library: easy_install olefile\r\nMalicious Microsoft Office Document using encoded macros\r\nSpecifically: macros substitution noise used by FIN8; also seen for Nymaim ransomware delivery\r\nTry it yourself:\r\nhttps://www.virustotal.com/en/file/cba63594f28e69405b5075013624075ef1a538be40a7c2402f84d33f9f6c2927/an\r\nTo Do List:\r\nCRUSH IT.\r\nRemove extraneous text in multiple line matches (improve regular expressions)\r\nAdd back in substitution / dropchar detection based on character histogramming\r\nSource: https://github.com/itsreallynick/office-crackros\r\nhttps://github.com/itsreallynick/office-crackros\r\nPage 1 of 1",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/itsreallynick/office-crackros"
	],
	"report_names": [
		"office-crackros"
	],
	"threat_actors": [
		{
			"id": "3150bf4f-288a-44b8-ab48-0ced9b052a0c",
			"created_at": "2025-08-07T02:03:24.910023Z",
			"updated_at": "2026-04-10T02:00:03.713077Z",
			"deleted_at": null,
			"main_name": "GOLD HUXLEY",
			"aliases": [
				"CTG-6969 ",
				"FIN8 "
			],
			"source_name": "Secureworks:GOLD HUXLEY",
			"tools": [
				"Gozi ISFB",
				"Powersniff"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5bdde906-0416-42ee-9100-5ebd95dda77a",
			"created_at": "2023-01-06T13:46:38.601977Z",
			"updated_at": "2026-04-10T02:00:03.035842Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK113",
				"G0061"
			],
			"source_name": "MISPGALAXY:FIN8",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "72d09c17-e33e-4c2f-95db-f204848cc797",
			"created_at": "2022-10-25T15:50:23.832551Z",
			"updated_at": "2026-04-10T02:00:05.336787Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"FIN8",
				"Syssphinx"
			],
			"source_name": "MITRE:FIN8",
			"tools": [
				"BADHATCH",
				"PUNCHBUGGY",
				"Ragnar Locker",
				"PUNCHTRACK",
				"dsquery",
				"Nltest",
				"Sardonic",
				"PsExec",
				"Impacket"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "fc80a724-e567-457c-82bb-70147435e129",
			"created_at": "2022-10-25T16:07:23.624289Z",
			"updated_at": "2026-04-10T02:00:04.691643Z",
			"deleted_at": null,
			"main_name": "FIN8",
			"aliases": [
				"ATK 113",
				"G0061",
				"Storm-0288",
				"Syssphinx"
			],
			"source_name": "ETDA:FIN8",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BadHatch",
				"BlackCat",
				"Noberus",
				"PSVC",
				"PUNCHTRACK",
				"PoSlurp",
				"Powersniff",
				"PunchBuggy",
				"Ragnar Loader",
				"Ragnar Locker",
				"RagnarLocker",
				"Sardonic",
				"ShellTea"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775439138,
	"ts_updated_at": 1775792064,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9ff7bc59665ac7c07830650582a7171c7a41a679.pdf",
		"text": "https://archive.orkl.eu/9ff7bc59665ac7c07830650582a7171c7a41a679.txt",
		"img": "https://archive.orkl.eu/9ff7bc59665ac7c07830650582a7171c7a41a679.jpg"
	}
}