{
	"id": "8c993d1c-7712-4613-89b9-97089560f171",
	"created_at": "2026-04-06T00:07:34.492464Z",
	"updated_at": "2026-04-10T13:12:54.766545Z",
	"deleted_at": null,
	"sha1_hash": "c8111d7e50c697689565c127d39236040d858350",
	"title": "zLoader XLM Update: Macro code and behavior change",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 701294,
	"plain_text": "zLoader XLM Update: Macro code and behavior change\r\nPublished by Jamie\r\nPublished: 2020-09-22 · Archived: 2026-04-05 18:55:21 UTC\r\nWe’ve got ourselves a change to the zloader XLM code and also some document behavior. Here’s today’s sample:\r\nhttps://app.any.run/tasks/79dcccc4-b38a-4831-a9d5-b11a987e9729\r\nURLs:\r\ns://chuguadventures.co.tz/wp-touch.php\r\ns://cirabelcr6dito.com/wp-touch.php\r\ns://digitalseven.net.co/wp-touch.php\r\ns://dortome.net/wp-touch.php\r\nCentral Loop Mechanism\r\nThe decoding part of the central loop mechanism still exists as it did before. It grabs hex characters from elsewhere in the document, decodes them, and writes those strings to new cells. However, in this case, the document only runs through two rounds of this decoding.\r\nRound 1\r\nhttps://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/\r\nPage 1 of 3\r\nThe first round behaves pretty much the same as it did before. It checks to see if it’s in a sandbox, checks the registry, and if VBAWarnings is turned on, the code will go back to the loop and start round 2.\r\nRound 2\r\nThis is where the main difference lies. A series of lines get written to a file called QP0L3.vbs and then executed.\r\nQP0L3.vbs\r\nThe code in the .vbs file is nothing that special. It’s just an array of URLs going through a For Each loop. The file gets downloaded and then saved as an .html to the Temp folder.\r\nBack to Round 2\r\nAt this point, the .html file is executed with what looks to be rundll32.exe.\r\nAnd that’s pretty much it! Again, not a major change, but I thought it was a noteworthy one.\r\nThanks for reading!\r\nJust a Security Engineer that loves ripping apart malicious documents.\r\nSource: https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/"
	],
	"report_names": [
		"zloader-xlm-update-macro-code-and-behavior-change"
	],
	"threat_actors": [],
	"ts_created_at": 1775434054,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c8111d7e50c697689565c127d39236040d858350.pdf",
		"text": "https://archive.orkl.eu/c8111d7e50c697689565c127d39236040d858350.txt",
		"img": "https://archive.orkl.eu/c8111d7e50c697689565c127d39236040d858350.jpg"
	}
}