Once a user enables macros for the malicious document, it will download a ZIP file will from one of seven hardcoded and obfuscated URLs (which will be iterated through until the file is successfully retrieved):
hxxps://midcoastsupplies.com[.]au/configNQS/Es2oE4GEH7fbZ/ hxxp://mtp.evotek[.]vn/wp-content/L/ hxxp://www.189dom[.]com/xue80/C0aJr5tfI5Pvi8m/ hxxps://esentai-gourmet[.]kz/404/EDt0f/ hxxp://139.219.4[.]166/wp-includes/XXrRaJtiutdHn7N13/ hxxps://www.snaptikt[.]com/wp-includes/aM4Cz6wp2K4sfQ/ hxxps://diasgallery[.]com:443/about/R/
The macro will then check if the response is 200 (indicating a success retrieval of the file). If so, it will then check if that file is either a PE File or a Zip file, suggesting that the threat actors may adopt alternative file formats to Zip files containing binary padded PE files.
The macro uses a function that checks the file type of the downloaded payload by examining the first two bytes of the file. It first checks if the first two bytes are equal to the ASCII values of “M” and “Z” (77 and 90, respectively). If so, it returns a value of 1, indicating that the file is a PE file. On the other hand, if the first two bytes are not equal to “M” and “Z,” the function checks if they are equal to the ASCII values of “P” and “K” (80 and 75, respectively). If so, it returns a value of 2, indicating that the file is a Zip file.
The CopyHere() method of the Shell32.FolderItems object is then used to extract the contents of the Zip file to the destination folder, after which the macro deletes the temporary folder files.
Finally, regsvr32.exe is invoked and the