{
	"id": "fdeb64be-4b36-4dcb-9b32-9870a29cd0bb",
	"created_at": "2026-04-06T00:22:24.322115Z",
	"updated_at": "2026-04-10T13:11:50.48144Z",
	"deleted_at": null,
	"sha1_hash": "edeb9e6b5da46802cdf7c16a863a47c9938a07e8",
	"title": "“Squirrelwaffle” Maldoc Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1365100,
	"plain_text": "“Squirrelwaffle” Maldoc Analysis\r\nPublished: 2021-09-18 · Archived: 2026-04-05 12:37:00 UTC\r\nSummary\r\nSquirrelwaffle is an emerging malware threat noted by several security researchers beginning around September 13th. TheAnalyst (@ffforward) noted a new payload delivered on the “TR” botnet.\r\nBrad Duncan at Malware Traffic Analysis also observed that this new loader was being delivered by the same “TR” infrastructure that historically delivered the Qakbot banking trojan. He also noted the name came from a tag in Proofpoint’s ruleset.\r\nAccording to Duncan,\r\nThe name “Squirrelwaffle loader” was used in Proofpoint’s Emerging Threats ruleset to identify traffic from this malware.\r\nhttps://www.malware-traffic-analysis.net/2021/09/17/index.html\r\nIn this blog, we will take a quick look at a recent Squirrelwaffle maldoc in order to gain some insights into the operators’ TTPs and the malware’s infection chain that I hope will help other researchers and responders in their efforts to identify and combat this new threat.\r\nDelivery and Execution\r\nThe recent downloader maldocs appear to be delivered via email campaigns with embedded URLs. Reports also seem to suggest that the campaigns leverage the reply-chain threadjacking technique that has been commonly deployed in historical Emotet and Qakbot campaigns. If a user clicks on the URL, a ZIP archive containing a Microsoft Word document is served.\r\nSquirrelwaffle Execution Chain\r\nThe documents appear to follow the naming convention of “diagram-[0-9]{2,3}/.doc”. These documents are weaponized with macros per usual (more detail on the scheme below). The macro leverages a cscript process to extract an embedded VBS script file, writes it to disk, and executes it via a wscript process. 
That VBS script contains an obfuscated PowerShell download cradle that attempts to download the Squirrelwaffle payload from a series of five locations.\r\nhttps://security-soup.net/squirrelwaffle-maldoc-analysis/\r\nPage 1 of 5\r\nThe loader is written to the C:\\ProgramData directory with a naming convention “www[1-5]{1}/.dll”, depending on the C2 from which it is retrieved. The DLL is then executed via a rundll32 process with an argument specifying the exported “ldr” function. Predictably, a follow-on payload has been reported to be CobaltStrike.\r\nCobalt Strike Payload you say?\r\nThe Maldoc\r\nThe Word document is weaponized with VBA macros and leverages a series of scripts to kick off the execution chain and download the Squirrelwaffle payload. If you are following along at home, the document can be found here on VirusTotal:\r\nfilename: inquiry diagram-74.doc\r\nSHA256: 195EBA46828B9DFDE47FFECDF61D9672DB1A8BF13CD9FF03B71074DB458B6CDF\r\nThe document uses a common DocuSign style template, presumably to enhance the perception of security and build a sense of trust with the user. However, the DOC also appears to be composed in Russian, which would hopefully be a red flag for the end user.\r\nDocuSign Template\r\nStepping into the VBA editor in Word, we can clearly see multiple modules that contain the VBA code that will kick off the execution chain. The VBA itself is lightly obfuscated, with some variable assignments and string reversals, but on the whole, it is not difficult to identify the code’s purposes.\r\nThe smoking gun with these malicious macros is always the “Sub AutoOpen()” function, which is the part of the code executed immediately when the user enables the macro content. 
In this case, this function serves as a pointer to another function called “eFile” in the “bxh” module.\r\nThere is also a UserForm object that has the VBS file (pin.vbs) hidden and embedded as the caption of the DocuSign image presented in the main DOC file. This UserForm labeled “t2” has a Caption field where the VBS file is hidden. The VBS file is then extracted from the Caption field of the Label and subsequently written to disk in C:\\ProgramData\\pin.vbs.\r\nVBA Modules and UserForm object\r\nApologies, I realized too late that my love for the red arrow knows no bounds.\r\nMe marking up a VBA project\r\nThe VBS file is written with a loop that cycles through five different URLs that are each hosting Squirrelwaffle payloads. It attempts to download these, writes them to disk in C:\\ProgramData, and executes them via rundll32. The command line is a variation of the below:\r\ncmd/c rundll32.exe C:\\ProgramData\\ww1.dll,ldr\r\nThe script itself is obfuscated fairly simply, with just some split variable assignments designed to break up strings such as:\r\nIEX (alias for the Invoke-Expression cmdlet)\r\n(New-Object Net.WebClient).Download\r\nand powershell\r\npin.vbs\r\nMany static detections are based on these particular strings, so this indicates at least some minimal attempt at evasion. However, the URLs hosting the payloads and the commands designed to execute the DLL are clearly visible, and could easily be isolated here by running strings or grep from the command line without ever opening the DOC itself. The threat actors are likely to change this up in the future in order to frustrate automated analysis efforts.\r\nConclusion\r\nAnyways, that’s it, my take on a quick analysis of a recent “Squirrelwaffle” maldoc. 
It will be interesting to track these campaigns if they become more prevalent in the future. It is always worthwhile to take a look at adversary TTPs, and I hope this information will be helpful to investigators that may be looking to extract IOCs and better understand an emerging threat. As more information becomes available I will need to take a deeper dive into the payload’s capabilities, but will need to save that post for another time.\r\nSource: https://security-soup.net/squirrelwaffle-maldoc-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://security-soup.net/squirrelwaffle-maldoc-analysis/"
	],
	"report_names": [
		"squirrelwaffle-maldoc-analysis"
	],
	"threat_actors": [],
	"ts_created_at": 1775434944,
	"ts_updated_at": 1775826710,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/edeb9e6b5da46802cdf7c16a863a47c9938a07e8.pdf",
		"text": "https://archive.orkl.eu/edeb9e6b5da46802cdf7c16a863a47c9938a07e8.txt",
		"img": "https://archive.orkl.eu/edeb9e6b5da46802cdf7c16a863a47c9938a07e8.jpg"
	}
}