{
	"id": "bbff1a74-c70e-457b-882d-3a59a19ebd3f",
	"created_at": "2026-04-06T00:15:01.01192Z",
	"updated_at": "2026-04-10T13:12:58.128915Z",
	"deleted_at": null,
	"sha1_hash": "e4627845657f2054722f105ab74ef1a13499fd77",
	"title": "Part 1: Quick analysis of malicious sample forging the official dispatch of the Central Inspection Committee - VinCSS Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 112235,
	"plain_text": "Part 1: Quick analysis of malicious sample forging the official dispatch of the Central Inspection Committee - VinCSS Blog\r\nBy Yến Hứa\r\nPublished: 2021-05-12 · Archived: 2026-04-05 14:49:37 UTC\r\nThrough continuous cyber security monitoring, VinCSS has discovered a document containing malicious code with Vietnamese content that was found by the ShadowChaser Group (@ShadowChasing1). We think this may be a cyberattack campaign targeting Vietnam, so we downloaded the sample file. Through a quick assessment, we discovered some interesting points about this sample, so we decided to analyze it. This is the first part in a series of articles analyzing this sample.\r\nFile Name: Thông cáo báo chí Kỳ họp thứ nhất của Ủy ban Kiểm tra Trung ương khóa XIII.docx\r\nSHA-256: 6f66faf278b5e78992362060d6375dcc2006bcee29ccc19347db27a250f81bcd\r\nFile size: 23.51 KB (24072 bytes)\r\nFile type: Office Open XML Document\r\nExtracting this .docx file and examining the extracted .xml files, we discovered that this .docx file was created and modified with Kingsoft Office, a popular word-processing and document-creation suite in China.\r\nhttps://blog.vincss.net/re022-part-1-quick-analysis-of-malicious-sample-forging-the-official-dispatch-of-the-central-inspection-committee/\r\nPage 1 of 7\n\nWe found KSOProductBuildVer = 2052-11.1.0.10228. Searching for this value, we guess it is the Kingsoft Office 2019 version.\r\nContinuing the analysis of the file with the olevba tool:\r\nFrom olevba's results, it can be seen that this document uses the Template Injection technique. The advantage of this technique is that when the user opens the file, it will automatically download the Main.jpg file from the address hxxp://45[.]121[.]146[.]88/Apricot/Main.jpg.\r\nUp to the time of our analysis, the Main.jpg file is still downloadable:\r\nMain.jpg is an RTF file:\r\nAccording to our analysis experience, these RTF files are often used to exploit vulnerabilities in Equation Editor. Check the file with rtfobj:\r\nBased on the results in the picture above, we can determine that when Main.jpg is opened, it drops the 5.t file into the %Temp% directory, exploits the vulnerability in Equation Editor to execute the shellcode, and then decodes 5.t and executes it. At this point, there are two methods to decode 5.t:\r\nMethod 1: use rr_decoder. Use rtfobj to extract 5.t, then use rr_decode.py to decode it and obtain the payload:\r\nMethod 2: let the malware do the work: opening the RTF file decrypts the 5.t payload and creates a scheduled task to execute this file:\r\nChecking the decrypted file (d198c4d82eba42cc3ae512e4a1d4ce85ed92f3e5fdff5c248acd7b32bd46dc75), this is a DLL with the original name Download.dll. This file has only one exported function, StartW:\r\nExamining the Download.dll file, we see it was built with Visual Studio 2019, linker version 14.28. The TimeDateStamp at build time is Thursday, 01.04.2021 01:59:48 UTC. This value is consistent between the TimeDateStamp in the FileHeader and the Debug Info (type ILTCG).\r\nThe RichID information indicates that the version of Visual Studio 2019 the attacker is using is 16.8. The current version of Visual Studio 2019 is 16.9(.6).\r\nDuring the analysis of this Download.dll file, we discovered indicators of the same code base, reused from a previous campaign of an APT Panda group that targeted Vietnam. The decoy document of that campaign is Dt-CT-cua-TTg.doc. The Dt-CT-cua-TTg.doc file is also an RTF file, which also takes advantage of the Equation Editor bug to execute shellcode and drop the first-stage payload. For more information please read here.\r\nIn the next part, we will analyze the Download.dll file in detail, showing the similarities between the source code in this file and other PE files in the later payloads of the campaign analyzed above.\r\nTruong Quoc Ngan (aka HTC)\r\nTran Trung Kien (aka m4n0w4r)\r\nMalware Analysis Expert\r\nR\u0026D Center – VinCSS (a member of Vingroup)\r\nSource: https://blog.vincss.net/re022-part-1-quick-analysis-of-malicious-sample-forging-the-official-dispatch-of-the-central-inspection-committee/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.vincss.net/re022-part-1-quick-analysis-of-malicious-sample-forging-the-official-dispatch-of-the-central-inspection-committee/"
	],
	"report_names": [
		"re022-part-1-quick-analysis-of-malicious-sample-forging-the-official-dispatch-of-the-central-inspection-committee"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434501,
	"ts_updated_at": 1775826778,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e4627845657f2054722f105ab74ef1a13499fd77.pdf",
		"text": "https://archive.orkl.eu/e4627845657f2054722f105ab74ef1a13499fd77.txt",
		"img": "https://archive.orkl.eu/e4627845657f2054722f105ab74ef1a13499fd77.jpg"
	}
}