After opening the document in a vulnerable Microsoft Word application, users are warned that the document is attempting to download externally linked files.
Upon clicking "Yes", a direct-to-IP connection to 173.44.42[.]164 is established and the following network events take place.
As shown above, "3Pxi69djmwiIKmc.hta" (VirusTotal and Hybrid-Analysis) was the first download. Using VBScript, this file creates two XMLHTTP objects, which it uses to connect to the server and download a VBS file that acts as a Trojan downloader. It also creates a Shell object to execute the HTA file as an Internet Explorer application.
Next, a VBS script, "Km1Dizoq3Jxz.vbs" (VirusTotal and Hybrid-Analysis), uses obfuscated code to construct the paths from which the executable "UvnG1Oz9d0.exe" is downloaded and executed.
In the same session, "nJwsm39La.html" then deletes both the VBS script and the executable.
VirusTotal analysis of the payload, "UvnG1Oz9d0.exe" (VirusTotal and Hybrid-Analysis), confirms that it is Quasar Spyware, a Remote Access Trojan (RAT).
Once the download is complete, the binary is executed and post-infection traffic begins.
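A small defender-side illustration, added here and not part of the original write-up or of RSA NetWitness: it groups constructed proxy-style log lines per client and tags sessions that show the direct-to-IP, script-then-executable download pattern described above. The log line format, the tag names and the second client's request are assumptions; the host and file names are taken from the write-up.

```python
import os
import re
from collections import defaultdict

# Constructed proxy-style log lines (timestamp client method URL status User-Agent) modelled on the
# write-up: one client fetches .hta -> .vbs -> .exe from the direct-to-IP host, a second does not.
SAMPLE_LOGS = """\
2019-01-01T10:00:01Z 10.0.0.5 GET http://173.44.42.164/3Pxi69djmwiIKmc.hta 200 Microsoft Office Word
2019-01-01T10:00:03Z 10.0.0.5 GET http://173.44.42.164/Km1Dizoq3Jxz.vbs 200 Mozilla/4.0 (compatible; MSIE 7.0)
2019-01-01T10:00:05Z 10.0.0.5 GET http://173.44.42.164/UvnG1Oz9d0.exe 200 Mozilla/4.0 (compatible; MSIE 7.0)
2019-01-01T10:01:00Z 10.0.0.9 GET http://update.example.com/setup.exe 200 Mozilla/5.0
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")
URL_RE = re.compile(r"^https?://([^/:?#]+)(?::\d+)?(/[^?#]*)?")
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")  # IPv4 literal used as the URL host
SCRIPT_EXT = {".hta", ".vbs"}  # script stages seen in the write-up
EXEC_EXT = {".exe"}            # final payload stage
def is_direct_to_ip(host):
    return IP_RE.match(host) is not None

def parse_event(line):
    # Returns {client, host, ext} for one log line, or None if it does not parse.
    m = LINE_RE.match(line)
    u = URL_RE.match(m.group(4)) if m else None
    if not u:
        return None
    ext = os.path.splitext(u.group(2) or "/")[1].lower()
    return {"client": m.group(2), "host": u.group(1), "ext": ext}

def analyze(log_text):
    """Group events per client and return the sorted meta tags a detection would populate."""
    sessions = defaultdict(list)
    for ev in filter(None, map(parse_event, log_text.splitlines())):
        sessions[ev["client"]].append(ev)
    findings = {}
    for client, events in sessions.items():
        meta = set()
        for i, e in enumerate(events):
            direct = is_direct_to_ip(e["host"])
            if direct:
                meta.add("direct_to_ip")
            for tag, exts in (("script_download", SCRIPT_EXT), ("exe_download", EXEC_EXT)):
                if e["ext"] in exts:
                    meta.add(tag)
            # Chain: a script stage followed by an .exe from the same direct-to-IP host.
            if direct and e["ext"] in SCRIPT_EXT and any(
                    f["ext"] in EXEC_EXT and f["host"] == e["host"] for f in events[i + 1:]):
                meta.add("script_to_exe_chain")
        findings[client] = sorted(meta)
    return findings
```

The second client's plain installer download earns only the low-signal `exe_download` tag, while the first client's session collects the full chain; in practice the chain tag is the one worth alerting on.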
Current RSA NetWitness detection populates the following meta for the download sessions: