{
	"id": "5c3f9a82-9c17-42c3-a824-4d2b08f55859",
	"created_at": "2026-04-06T00:08:42.347881Z",
	"updated_at": "2026-04-10T13:12:09.574865Z",
	"deleted_at": null,
	"sha1_hash": "b231a0a100884d9b9b79d9056d636e9cafd663bd",
	"title": "Chantay’s Resume: Investigating a CV-Themed ZLoader Malware Campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 537429,
	"plain_text": "Chantay’s Resume: Investigating a CV-Themed ZLoader Malware\r\nCampaign\r\nPublished: 2020-08-19 · Archived: 2026-04-05 19:48:05 UTC\r\nOne beautiful and sunny evening, I happened to be poking around VirusTotal – because that’s what I do with\r\nsunny evenings – and I came across an interesting CV-themed document. It was an Excel document\r\nentitled “Chantay’s Resume.xlsm”. This caught my eye mostly because resumes should almost never be in Excel\r\nformat. Unless you are applying for an accountant role, perhaps – I’m not sure what those people do.\r\nI decided to poke around at this file a bit:\r\nUpon opening this document in Excel, I received a helpful message from the job applicant. Good thing Chantay\r\nprovided instructions for his resume file, otherwise I wouldn’t be able to see his prior work experience and\r\neducational credentials somewhere embedded in this CV.\r\nI pressed the Enable Macros button at the top, as Chantay nicely instructed, and I received this popup error\r\nmessage:\r\nhttps://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/\r\nPage 1 of 11\n\nIt looks as if Chantay’s resume attempts to download a DLL file from the Internet and then executes it. However,\r\nmy malware analysis virtual machine is not connected to the Internet, so this process failed. Capturing this\r\ndownload request in a web proxy, such as Fiddler, proved this to be correct:\r\nA connection attempt was made to “hxxp://205.185.125[.]104/7kWZLZ”. This URL is likely hosting Chantay’s\r\nmalicious DLL.\r\nI also captured this activity in ProcMon (Process Monitor). Let’s inspect this activity:\r\nIt seems that Excel is attempting to download this DLL from 205.185.125.104, write the file (WriteFile) to a\r\ndirectory in my C: drive, and then load the file using rundll32.exe (ProcessCreate). 
This is a fairly common\r\nmethod of downloading and executing a payload from the Internet.\r\nHow is Excel doing all this, you may ask? I have no idea. There appears to be no VBA macro code in this\r\ndocument, nor p-code, nor any other sneaky way of obfuscating code in Office documents. But let’s dig a bit\r\ndeeper.\r\nThe objects within this Excel document, like many Office documents, can be extracted simply by using a Zip\r\nutility such as 7zip. I used 7zip to extract all the embedded objects and one item specifically stood out:\r\n“sheet1.xml” is 481 KB, which is a substantial size given that this Excel document appears to only have one page of\r\ntext and not much else. Inspecting this file a bit more revealed some code, which is likely hidden in the Excel\r\nspreadsheet itself:\r\nWhat we know now is that there is hidden code in this document somewhere, we are just not sure where. Olevba,\r\nmy go-to tool for Microsoft Office document analysis, displays the following:\r\nSo we know that this is an OpenXML formatted document and it contains no typical VBA macros. Let’s open\r\nExcel back up and see if we can find the hidden code.\r\nIf we navigate to the “Formulas” menu in Excel, there is an option for “Name Manager”. The Name Manager\r\nholds information relating to MS Excel formulas. I suspect this document is utilizing formulas for code execution,\r\nsince this is what we observed when inspecting the XML files above. Name Manager will allow us to see the values\r\nof these formulas.\r\nThe Name Manager definitely contains some interesting strings worth investigating:\r\nWe can see a file path to a DLL, several Windows API functions (CreateDirectoryA, Download File, …), and a\r\nURL. Finally, there is an Auto_Open function. This function will execute when Excel is opened on the victim\r\nmachine and after macros are enabled. 
We can jump to this location in the Excel workbook by double-clicking this\r\nAuto_Open entry in the list.\r\nThese functions are obfuscated – Excel needs to “calculate” these values before they can be seen in cleartext.\r\nWhen this Excel document is opened by a victim, the formulas will be calculated and the malicious code will\r\nexecute.\r\nLuckily for us, the built-in Excel debugger can be utilized to inspect this code. We can do this by right-clicking an\r\ninteresting cell, selecting “Run”, and then “Step Into”, which will allow us to step into the formula and inspect its\r\noutput:\r\nAfter stepping through some of the code, we can see interesting strings such as a file being downloaded and saved\r\nto the C: drive as a DLL file.\r\nTo save time, and because I’m such a nice guy, I de-obfuscated the code for you, using the methods I outlined\r\nearlier. This Excel document:\r\n1. Loads kernel32.dll and invokes CreateDirectoryA to create a new directory under the C: drive in format C:\r\n\u003crandom\u003e\\\u003crandom\u003e.\r\n2. Loads URLMON.dll and invokes DownloadToFileA to download the payload DLL file from\r\nhxxp://205.185.125[.]104/kWZLZ.\r\n3. Starts rundll32.exe to execute the downloaded DLL.\r\nLet’s grab this DLL from the web server and look into it a bit further.\r\nBollocks. We are presented with a “default campaign not found” message, and the payloads appear to be no longer\r\nhosted here. Unfortunately, we won’t be able to grab this payload in this manner.\r\nI turned instead to my friend VirusTotal. 
A brief search on VirusTotal shows that there are (or were, at one point)\r\nseveral DLL files hosted on this IP address:\r\nIn addition, there appear to be many other “resume” files that point to this same IP, including “Ying Rume.xlsm”,\r\n“Rose Carron CV.doc”, “Federico CV.xls”, among others:\r\nCircling back to the DLL files, let’s inspect a few of these. Many of these DLLs have interesting properties. Let’s\r\nchoose one that looks interesting:\r\nThis DLL is called “Google ipdate”, a very legitimate-sounding DLL file, likely straight from Google.\r\nLet’s take a look at the static properties of this DLL file:\r\nA few interesting things about this sample are that it is coded in Borland Delphi, which is a bit strange for a DLL\r\nfile. Also, as we already saw previously, we have the classic “Google Inc.” and “Google ipdate” metadata.\r\nThe original DLL being dropped and executed by the resume Excel document was executed with the parameter of\r\n“DllRegisterServer”. I know this because I saw this in the ProcMon output. So, to execute this DLL file in, say,\r\nx64dbg, we can run it with the command:\r\nrundll32.exe \u003cdll_file.dll\u003e,DllRegisterServer\r\nAfter about 1 minute of execution time, msiexec.exe is spawned.\r\nIf we attach to the new MSI process in x64dbg and dump its process memory, we can better understand what\r\nmalware family this sample resides in. Strings are a good place to start with this. 
We are able to see here some\r\ninteresting URL strings in memory:\r\nLeveraging Fiddler (or any other web proxy), I was able to confirm that this malware sample is attempting to\r\ncontact the URLs I saw in memory.\r\nThese are likely C2 addresses. After a bit of research on the format of these URLs, there appears to be one\r\nmalware family that is notorious for using a URI of “post.php”. Dum dum dum… ZLoader.\r\nZLoader is a form of downloader malware that establishes a connection with one or multiple C2s, and then\r\nattempts to drop additional modules, implants, and other malware. So, it seems that at least one of the DLLs being\r\ndelivered in this campaign is ZLoader. Below, we can see part of this infrastructure, mapped out in VirusTotal:\r\nSummary\r\nWell, there you have it. To summarize, Chantay’s nice resume utilizes hidden XLM macros in order to download\r\nand execute a DLL payload. The DLL payload, in my case, was a ZLoader variant. Very tricky, Chantay. Hope\r\nyou at least got that job you were applying for.\r\nKey takeaways: Be careful with resume files sent directly to you, and even more careful if they are in a non-standard format. Resumes should almost always be in .doc, .docx, .rtf, or possibly .pdf… But almost never in\r\n.xls/.xlsx format 🙂\r\nAs always, thanks for reading! 
If you enjoyed this post, follow me on Twitter (@d4rksystem).\r\nMalware Samples Used\r\nResume document\r\nb87f733efc95172621e267293ea60c41758ddcd9e005028df22af7e0a199cca8\r\nDLL File\r\nd36366666b407fe5527b96696377ee7ba9b609c8ef4561fa76af218ddd764dec\r\nSource: https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/"
	],
	"report_names": [
		"chantays-resume-investigating-a-cv-themed-zloader-malware-campaign"
	],
	"threat_actors": [],
	"ts_created_at": 1775434122,
	"ts_updated_at": 1775826729,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b231a0a100884d9b9b79d9056d636e9cafd663bd.pdf",
		"text": "https://archive.orkl.eu/b231a0a100884d9b9b79d9056d636e9cafd663bd.txt",
		"img": "https://archive.orkl.eu/b231a0a100884d9b9b79d9056d636e9cafd663bd.jpg"
	}
}