{
	"id": "bfdc76db-13b2-4b69-8d48-f11d3cd3426c",
	"created_at": "2026-04-06T00:17:01.603695Z",
	"updated_at": "2026-04-10T03:24:04.121065Z",
	"deleted_at": null,
	"sha1_hash": "ab1df7a863ab2afef82e1e0862fe0b89e1f7cd97",
	"title": "analyses/RemcosDocDropper.MD at master · 1d8/analyses",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 245339,
	"plain_text": "analyses/RemcosDocDropper.MD at master · 1d8/analyses\r\nBy 1d8\r\nArchived: 2026-04-05 20:04:10 UTC\r\nRemcos RAT Macro Dropper Doc\r\nOverview\r\nSample \u0026 more info\r\nPassword to the zip file is infected\r\nFirst seen: May 27, 2020\r\nurl no longer up\r\nFile type: docm\r\nSha256 hash: 202d979d74f0478de0fbea103e2585a84fdab5646ad19437f5e4c4ba0cda7b90\r\nurl used was: hxxp://185.205.209.166/dkkp/qlyzbsuu.a12.exe \u0026 shortened via tinyurl\r\nMacros used\r\nAnalysis\r\nOnce opened, the document looks like this:\r\nhttps://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD\r\nPage 1 of 5\r\nIn my opinion, not much work was put into crafting the actual document, but who am I to judge?\r\nWhen you enable content, you'd get this error message:\r\nThis isn't a makeshift error message crafted by the attacker as a social engineering tactic (as I did here ;) ) but rather an actual error message, since the file they attempt to download \u0026 execute (named Filename.exe) doesn't actually download.\r\nAfter enabling content \u0026 letting the macros run, we open Procmon's process tree \u0026 we can see that powershell is used to attempt to drop the main malware (ignore all the notepad.exe noise, that was all generated by me):\r\nThe full powershell command used by the macro is here:\r\nAs we can see, it executes it in a hidden window \u0026 uses the bypass flag in order to bypass any protections a user has set up in order to prevent execution of unauthorized scripts (I may be incorrect, but I believe this method only works if the user is running with admin level privileges).\r\nThe powershell also drops the file to disk \u0026 saves it in the Temp directory as Filename.exe, as we saw earlier, \u0026 then executes it.\r\nThe url used is hxxps://tinyurl.com/ybz4nnyg. Tinyurl is a url shortener which will redirect to the main website.\r\nAttempting to navigate to this tinyurl yields no response, which likely means whatever site this malware was hosted at has since been taken down.\r\nThe final payload that would've been grabbed if the url was still up would be the Remcos RAT.\r\nMy claim of the URL no longer being up is backed by the powershell logs:\r\nIf you wish to receive the powershell code without actually running it the way the attackers intended, simply edit the code and delete the Shell() command \u0026 add in a variable, then print that variable in a message box:\r\nBefore:\r\nAfter:\r\nResult after running:\r\nNOTE: The reason Shell is called on a variable + a function is because the command passed to Shell is base64 encoded twice \u0026 needs to be decoded twice before being run. So the variable asdas contains the command after it's decoded once, and then when Shell is called as Shell(sadsad(asdas, True)) is when the command is decoded the second time. Basically the function sadsad() is responsible for doing the base64 decoding. I hope this makes sense. Thanks for reading!\r\nSource: https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD"
	],
	"report_names": [
		"RemcosDocDropper.MD"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434621,
	"ts_updated_at": 1775791444,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab1df7a863ab2afef82e1e0862fe0b89e1f7cd97.pdf",
		"text": "https://archive.orkl.eu/ab1df7a863ab2afef82e1e0862fe0b89e1f7cd97.txt",
		"img": "https://archive.orkl.eu/ab1df7a863ab2afef82e1e0862fe0b89e1f7cd97.jpg"
	}
}