{ "id": "739c1a6e-f0cc-45a2-86e7-8f6c006e59b2", "created_at": "2026-04-06T00:07:00.431654Z", "updated_at": "2026-04-10T03:23:52.02454Z", "deleted_at": null, "sha1_hash": "edc89cb7ffe5aeef440809495600cfd285db93cf", "title": "Advancements in Invoicing - A highly sophisticated way to distribute ZLoader", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 386724, "plain_text": "Advancements in Invoicing - A highly sophisticated way to\r\ndistribute ZLoader\r\nPublished: 2021-03-05 · Archived: 2026-04-05 18:22:27 UTC\r\nClassic invoicing campaigns\r\nSpam campaigns using this new distribution chain first started to appear in early February 2021. The content of\r\nthe emails follow the long-standing simplistic style of invoicing scams. While the message body varies, it contains\r\nonly a couple of basic sentences, for example asking recipients to review all information attached, claiming to be\r\nnew taxation rules from the Internal Revenue Service (IRS), posing as a bill already processed, or a similar lure\r\nalong those lines. What they have in common is a Microsoft Word attachment in MHTML format with a randomly\r\ngenerated filename.\r\nFirst Stage: MHTML attachments and ActiveMime\r\nOne advantage of the MHTML format is its compatibility with web-based technologies. There is no visible\r\ndifference using this format over the more typical OLE or DOCX, but it has been popular amongst cybercriminals\r\nfor years due to the technical challenges it might pose to security products.\r\nTaking a closer look at the internal structure of the document, there is an HTML component with the same name\r\nas the MHTML file, a couple of small XML descriptors, a PNG image and an “editdata.mso” object.\r\nhttps://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader\r\nPage 1 of 9\n\nThis last MSO object is actually an ActiveMime binary containing compressed data, but fortunately the algorithm\r\nused is the quite popular zlib. Once decompressed (inflated) we will be presented with a traditional OLE\r\ndocument.\r\nUserForms\r\nExamination of the newly acquired OLE document reveals multiple UserForms and the presence of VBA macros.\r\nThat alone would make it suspicious, but the macro code is obfuscated and won't give away its intended\r\nfunctionality very easily. This is where the real fun begins.\r\nhttps://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader\r\nPage 2 of 9\n\nIf we were to open the original attachment by simply double clicking on it - and Microsoft Word was rightfully\r\nconfigured to have macros disabled - a short message would be displayed asking the user to enable content. This\r\nshould never be done when dealing with documents from unknown sources, as it will immediately enable macros\r\nand lead to their execution - which is exactly the case here.\r\nSome VBA Magic\r\nAs stated earlier, the VBA project contains a lot of forms and functions. We’ll start investigating the macro that\r\nexecutes upon closing of the document (Document_Close):\r\nThe function “tg” requires an object from UserForm2, so this resource needs to be initialized.\r\nhttps://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader\r\nPage 3 of 9\n\nThat means execution will redirect to the appropriate UserForm_Initialize function.\r\nThe above code is looping through all instances of the entries in the UserForm2/o object, which looks like this:\r\nThis is a rather complicated structure to parse, and documentation on it is sparse at best.\r\nhttps://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader\r\nPage 4 of 9\n\nAt the time of writing, we processed all entries in this table to generate the content of the “qj” variable. The result\r\nof that is going to be an URL:\r\nhttps://tanikku[.]com/tan.php?IUI92CaHF9AKOFsJA2V7ZSK5ylpeDYQj \r\nThe rest of the “tg” function then creates an object via CreateObject(“excel.application”) and uses the\r\nCallByName function to request Excel to “OpEn” a new spreadsheet by this URL with the addition of a password\r\n(“gomrhd”) which was gathered from the UserForm1/o object.\r\nFinally, Excel will start to download and decrypt a spreadsheet from the specified C2.\r\nSecond Stage: An encrypted Excel document\r\nHaving an encrypted document or archive as the ignition point of an infection chain is a decade old technique used\r\nby cybercriminals. There are clear benefits, the on-access security components won't be able to dissect the file\r\nwithout having the right password. There are also downsides, the password must be included in the original email\r\nmessage and a basic level of user interaction is required for entering it. This could raise suspicion and there is\r\nalways the possibility of user failure as well. The appearance of a password input field in the middle of an\r\ninfection chain would be even more suspicious. Using macros in one document to load another - a password\r\nprotected and encrypted Excel sheet - is taking best of both worlds; the Excel file will be somewhat invisible to\r\nany typical on-access scanner on the endpoint, while no user interaction will be necessary at all.\r\nHaving the matching password, we can also investigate the content of the downloaded spreadsheet. There are no\r\nmacros present, but a total of 5 sheets, some containing strings and Excel functions in seemingly random\r\ncells/order, and a large blob of encoded data in sheet 4. Anybody with previous experience working with encoded\r\ncontent will easily see that base64 encoding is used.  \r\nhttps://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader\r\nPage 5 of 9\n\nA protected container\r\nIf we consider the base64 data to be the final payload, we must also locate the piece of code responsible for\r\ndecoding and loading it. For that we will have to go back to the VBA macros in the ActiveMime object. There is a\r\nfair amount of macro code for grabbing strings and data from those “random” cells in the other Excel sheets for\r\nthe purpose of building and executing additional functions with “CallByName”. Covering all of them is outside of\r\nthe scope of this blog.\r\nAt last, the decoding and execution of the payload is done by the “ThisWorkbook.gykvtla” function. The “hp”\r\nvariable contains the base64 encoded data, while “bu” is a numeric value meant to specify the type of the payload\r\n(even number=EXE, odd number=DLL).\r\nhttps://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader\r\nPage 6 of 9\n\nThis way, the downloaded Excel file acts more as protected storage, containing strings and data necessary for\r\nsuccessful execution, as well as the encoded payload. Neither the MHTML document nor the Excel spreadsheet\r\ncan work on its own and content of the latter is hidden from prying eyes.\r\nThird Stage: Payload\r\nAs pointed out above, the embedded “gykvtla” Excel function acts as a simplistic loader for the final payload. It\r\nemploys obfuscation - mainly using IIF and SWITCH functions – but retrieving its core functionality isn't too\r\nchallenging. First it would generate a 6-character long string used as a filename, then the base64 encoded data on\r\nsheet4 would be decoded and saved under the ProgramData folder. Depending on whether the payload is a\r\nstandard Portable Executable (PE), or a Dynamic Link Library (DLL) execution would slightly differ, while the\r\nEXE will be done alone with the help of “WScript.Shell”, the DLL will be loaded using the rundll32 windows\r\nutility. Finally, there is a GET request sent to the C2 (hxxps://tanikku.com/kku.php) which provides a status report\r\non the successful infection.\r\nhttps://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader\r\nPage 7 of 9\n\nThe payload in this specific campaign was ZLoader, a highly popular multi-purpose malware which can act as a\r\nbanking trojan, but also used to help distributing ransomware families in the past such as Ryuk and Egregor. How\r\nthe operators behind these campaigns plan to utilize ZLoader's powerful capabilities is yet to be seen.\r\nConclusion\r\nInvoice-themed spam campaigns rarely offer new and challenging delivery techniques. While the spammed emails\r\nlack finesse, the rest of the infection chain demonstrates a high level of understanding of various Microsoft Office\r\nfile formats and how they can be used in combination. It is well thought out, fairly complex, but also lacks any\r\nunnecessary overcomplication, a mistake typically done by juniors. Creators of this delivery chain are showcasing\r\nskills from the higher tiers of the cybercriminal pyramid, as such extra vigilance is needed to counter it.\r\nProtection Statement\r\nForcepoint customers are protected against this threat at the following stages of attack: \r\nStage 2 (Lure) – Malicious emails associated with these attacks are identified and blocked.\r\nStage 5 (Dropper File) – Malicious files are prevented from being downloaded.\r\nStage 6 (Call Home) – Attempts to contact C2 servers are blocked.\r\nIOCs\r\nFiles\r\n6cd67f6ce51c3a57f5d9a65415780ee8ef9ee44c\r\nhttps://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader\r\nPage 8 of 9\n\nf762d7e999c3f1fa768aba1c0469db1a1596b69e\r\n98727b1b6826e2816f908c08b15db427c875ca53\r\nURLs\r\nhxxps://tanikku[.]com/tan.php\r\nhxxps://tanikku[.]com/kku.php\r\nhxxps://fiberswatch[.]com/watch.php\r\nhxxps://heftybtc[.]com/hef.php\r\nhxxps://dailyemploy[.]com/day.php\r\nhxxps://findinglala[.]com/down/doc.xls\r\nhxxps://sejutamanfaat[.]com/faat.php\r\nhxxps://earfetti[.]com/post.php\r\nhxxps://evalynews[.]com/post.php\r\nhxxps://sanciacinfofoothe[.]tk/post.php\r\nhxxps://enriwetmiti[.]tk/post.php\r\nSource: https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader\r\nhttps://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader\r\nPage 9 of 9", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA", "Malpedia" ], "references": [ "https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader" ], "report_names": [ "invoicing-spam-campaigns-malware-zloader" ], "threat_actors": [ { "id": "d90307b6-14a9-4d0b-9156-89e453d6eb13", "created_at": "2022-10-25T16:07:23.773944Z", "updated_at": "2026-04-10T02:00:04.746188Z", "deleted_at": null, "main_name": "Lead", "aliases": [ "Casper", "TG-3279" ], "source_name": "ETDA:Lead", "tools": [ "Agentemis", "BleDoor", "Cobalt Strike", "CobaltStrike", "RbDoor", "RibDoor", "Winnti", "cobeacon" ], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434020, "ts_updated_at": 1775791432, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/edc89cb7ffe5aeef440809495600cfd285db93cf.pdf", "text": "https://archive.orkl.eu/edc89cb7ffe5aeef440809495600cfd285db93cf.txt", "img": "https://archive.orkl.eu/edc89cb7ffe5aeef440809495600cfd285db93cf.jpg" } }