https://hexpysya.github.io/tags/doc/Recent content in Doc on bubka hacks stuffHugo -- gohugo.ioen-usWed, 18 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-obfuscated/Wed, 18 Mar 2026 00:00:00 +0000https://hexpysya.github.io/investigations/cdef-obfuscated/A malicious Word document uses a password-protected AutoOpen macro to drop and execute js script, which decrypts an embedded blob into stage2.js. It is a implant that establishes persistence via a hidden scheduled task, collects system reconnaissance, and beacons to two compromised WordPress C2 servers, downloading and executing a next-stage .pif payload