Alerts & Notice

In the past few days, a malicious Word document sample, believed to be linked to Iranian state-backed hackers, was shared with our team at CERTFA Lab by a community member. Upon the initial analysis, we discovered that this sample includes an OLE object and an AutoOpen macro, which read and decode obfuscated text from UserForm1.TextBox1 into ASCII characters, and then converted from base64 to drop a payload onto the victim's system at C:\Users\Public\Document.exe.