{"id":131137,"date":"2021-11-10T10:13:25","date_gmt":"2021-11-10T18:13:25","guid":{"rendered":"https:\/\/www.mcafee.com\/blogs\/?p=131137"},"modified":"2024-07-09T18:21:37","modified_gmt":"2024-07-10T01:21:37","slug":"the-newest-malicious-actor-squirrelwaffle-malicious-doc","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/","title":{"rendered":"The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc."},"content":{"rendered":"<p>Authored By Kiran Raj<\/p>\n<p>Due to their widespread use, Office Documents are commonly used by Malicious actors as a way to distribute their malware. McAfee Labs have observed a new threat \u201cSquirrelwaffle\u201d which is one such emerging malware that was observed using office documents in mid-September that infects systems with CobaltStrike.<\/p>\n<p>In this Blog, we will have a quick look at the SquirrelWaffle malicious doc and understand the Initial infection vector.<\/p>\n<p>Geolocation based stats of Squirrelwaffle malicious doc observed by McAfee from September 2021<\/p>\n<h2>Infection Chain<\/h2>\n<ol>\n<li>The initial attack vector is a phishing email with a\u00a0malicious link hosting malicious docs<\/li>\n<li>On clicking the URL, a ZIP archived malicious doc is downloaded<\/li>\n<li>The malicious doc is weaponized with <strong><em>AutoOpen<\/em><\/strong> VBA function. Upon opening the malicious doc, it drops a VBS file containing obfuscated <strong><em>powershell<\/em><\/strong><\/li>\n<li>The dropped VBS script is invoked via <strong><em>exe<\/em><\/strong> to download malicious DLLs<\/li>\n<li>Thedownloaded DLLs are executed via <strong><em>exe<\/em><\/strong> with an argument of export function \u201c<strong><em>ldr<\/em><\/strong>\u201d<\/li>\n<\/ol>\n<h2>Malicious Doc Analysis<\/h2>\n<p>Here is how the face of the document looks when we open the document (figure 3). Normally, the macros are disabled to run by default by Microsoft Office. The malware authors are aware of this and hence present a lure image to trick the victims guiding them into enabling the macros.<\/p>\n<h2>UserForms and VBA<\/h2>\n<p>The VBA Userform Label components present in the Word document (Figure-4) is used to store all the content required for the VBS file. In Figure-3, we can see the userform\u2019s Labelbox \u201c<strong>t2<\/strong>\u201d has VBS code in its caption.<\/p>\n<p>Sub routine \u201ceFile()\u201d retrieves the LabelBox captions and writes it to a <strong>C:\\Programdata\\Pin.vbs<\/strong> and executes it using <strong>cscript.exe<\/strong><\/p>\n<p><u>Cmd line<\/u>: <em>cmd \/c cscript.exe C:\\Programdata\\Pin.vbs<\/em><\/p>\n<h2><em>VBS Script Analysis<\/em><\/h2>\n<p>The dropped VBS Script is obfuscated (Figure-5) and contains 5 URLs that host payloads. The script runs in a loop to download payloads using <strong><em>powershell<\/em><\/strong> and writes to <strong><em>C:\\Programdata<\/em><\/strong> location in the format \/<strong>www-[1-5].dl<\/strong>l\/. Once the payloads are downloaded, it is executed using <strong><em>rundll32.exe<\/em><\/strong> with export function name as parameter \u201c<strong><em><u>ldr<\/u><\/em><\/strong>\u201d<\/p>\n<p><strong><em><u>De-obfuscated VBS script<\/u><\/em><\/strong><\/p>\n<p>VBS script after de-obfuscating (Figure-6)<\/p>\n<h2>MITRE ATT&amp;CK<\/h2>\n<p>Different techniques &amp; tactics are used by the malware and we mapped these with the MITRE ATT&amp;CK platform.<\/p>\n<ul>\n<li><em>Command and Scripting Interpreter (T-1059) <\/em><\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">Malicious doc VBA drops and invokes VBS script.<\/p>\n<p style=\"padding-left: 40px;\"><u>CMD<\/u>: cscript.exe C:\\ProgramData\\pin.vbs<\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li><em>Signed Binary Proxy Execution (T1218)<\/em><\/li>\n<\/ul>\n<p style=\"padding-left: 40px;\">Rundll32.exe is used to execute the dropped payload<\/p>\n<p style=\"padding-left: 40px;\"><u>CMD<\/u>: rundll32.exe C:\\ProgramData\\www1.dll,ldr<\/p>\n<h2>IOC<\/h2>\n<table width=\"623\">\n<tbody>\n<tr>\n<td width=\"96\"><strong>Type<\/strong><\/td>\n<td width=\"300\"><strong>Value<\/strong><\/td>\n<td width=\"72\"><strong>Scanner<\/strong><\/td>\n<td width=\"156\"><strong>Detection Name<\/strong><\/td>\n<\/tr>\n<tr>\n<td width=\"96\">Main Word Document<\/td>\n<td width=\"300\">195eba46828b9dfde47ffecdf61d9672db1a8bf13cd9ff03b71074db458b6cdf<\/td>\n<td width=\"72\">ENS,<\/p>\n<p>WSS<\/p>\n<p>&nbsp;<\/td>\n<td width=\"156\">W97M\/Downloader.dsl<\/p>\n<p>&nbsp;<\/td>\n<\/tr>\n<tr>\n<td width=\"96\">Downloaded DLL<\/p>\n<p>&nbsp;<\/td>\n<td width=\"300\">85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939<\/td>\n<td width=\"72\">ENS,<\/p>\n<p>WSS<\/td>\n<td width=\"156\">RDN\/Squirrelwaffle<\/td>\n<\/tr>\n<tr>\n<td width=\"96\">URLs to download DLL<\/td>\n<td width=\"300\">\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 priyacareers.com<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 bussiness-z.ml<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 cablingpoint.com<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 bonus.corporatebusinessmachines.co.in<\/p>\n<p>\u00b7\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 perfectdemos.com<\/td>\n<td width=\"72\">WebAdvisor<\/td>\n<td width=\"156\">Blocked<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way&#8230;<\/p>\n","protected":false},"author":695,"featured_media":131140,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[4136],"class_list":["post-131137","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc. | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way to distribute their malware. McAfee\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc. | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way to distribute their malware. McAfee\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-11-10T18:13:25+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-10T01:21:37+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/11\/300x200_Squirrelwaffle.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"300\" \/>\n\t<meta property=\"og:image:height\" content=\"200\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee Labs\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee_Labs\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee Labs\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/\"},\"author\":{\"name\":\"McAfee Labs\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\"},\"headline\":\"The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc.\",\"datePublished\":\"2021-11-10T18:13:25+00:00\",\"dateModified\":\"2024-07-10T01:21:37+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/\"},\"wordCount\":498,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/11\/300x200_Squirrelwaffle.jpg\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/\",\"name\":\"The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc. | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/11\/300x200_Squirrelwaffle.jpg\",\"datePublished\":\"2021-11-10T18:13:25+00:00\",\"dateModified\":\"2024-07-10T01:21:37+00:00\",\"description\":\"Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way to distribute their malware. McAfee\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/11\/300x200_Squirrelwaffle.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/11\/300x200_Squirrelwaffle.jpg\",\"width\":300,\"height\":200},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc.\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad\",\"name\":\"McAfee Labs\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg\",\"caption\":\"McAfee Labs\"},\"description\":\"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.\",\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee_Labs\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc. | McAfee Blog","description":"Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way to distribute their malware. McAfee","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc. | McAfee Blog","og_description":"Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way to distribute their malware. McAfee","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2021-11-10T18:13:25+00:00","article_modified_time":"2024-07-10T01:21:37+00:00","og_image":[{"width":300,"height":200,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/11\/300x200_Squirrelwaffle.jpg","type":"image\/jpeg"}],"author":"McAfee Labs","twitter_card":"summary_large_image","twitter_creator":"@McAfee_Labs","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee Labs","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/"},"author":{"name":"McAfee Labs","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad"},"headline":"The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc.","datePublished":"2021-11-10T18:13:25+00:00","dateModified":"2024-07-10T01:21:37+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/"},"wordCount":498,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/11\/300x200_Squirrelwaffle.jpg","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/","name":"The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc. | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/11\/300x200_Squirrelwaffle.jpg","datePublished":"2021-11-10T18:13:25+00:00","dateModified":"2024-07-10T01:21:37+00:00","description":"Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used by Malicious actors as a way to distribute their malware. McAfee","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/11\/300x200_Squirrelwaffle.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2021\/11\/300x200_Squirrelwaffle.jpg","width":300,"height":200},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/the-newest-malicious-actor-squirrelwaffle-malicious-doc\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"The Newest Malicious Actor: \u201cSquirrelwaffle\u201d Malicious Doc."}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/86f325fa6532a017d06d6b49a2f3b1ad","name":"McAfee Labs","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/af947d76ffbef8521094b476cf8050c3","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/07\/Social-Media-PF-Logo-Pic-300x300-2-96x96.jpg","caption":"McAfee Labs"},"description":"McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information.","sameAs":["https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee_Labs"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee-labs\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/131137","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/695"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=131137"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/131137\/revisions"}],"predecessor-version":[{"id":196311,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/131137\/revisions\/196311"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/131140"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=131137"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=131137"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=131137"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=131137"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}