exploits a more recent CVE-2015-1641 Microsoft Word vulnerability which it uses to extract embedded malware. The extracted malware is then executed by leveraging a DLL side-loading vulnerability. The DOC file we analysed (SHA1 d336b8424a65f5c0b83328aa89089c2e4ddbcf72) was named "US pak track ii naval dialogues.doc". This document exploits CVE-2015-1641 and executes shellcode which drops a legitimate Microsoft executable along with a trojanised DLL named "ChoiceGuard.dll". The shellcode then executes the Microsoft executable, causing the malicious DLL to be loaded into it automatically when it is run, hence the term "side-loading". The DLL downloads and executes the file-less MM Core backdoor in memory, which uses steganography to hide itself inside a JPEG file. The JPEG contains code to decrypt itself using the Shikata ga nai algorithm. Once decrypted and executed in memory, the MM Core backdoor will extract and install an embedded downloader when it is first run and add it to Windows start-up for persistence. This downloader, which is similar to the first trojanised DLL, is then executed and will download the MM Core JPEG once again, executing it in memory like before. This time MM Core will conduct its backdoor routine, which will send off system information and await further commands.
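
One way to hunt for the side-loading step described above, added here as an example and not taken from the original report: it scans Sysmon Event ID 7 (ImageLoad) records for an unsigned DLL loaded from the same non-system directory as its host executable. The sample events, the `host_placeholder.exe` name (the report does not name the Microsoft executable) and the trusted-directory list are constructed assumptions; only `ChoiceGuard.dll` comes from the report.

```python
import ntpath  # Windows path semantics on any analysis host

# Assumed allowlist of locations where co-located DLLs are expected; tune per environment.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# Constructed Sysmon Event ID 7 records (fields: Image, ImageLoaded, Signed).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    # Signed host dropped to a user-writable directory next to an unsigned DLL.
    {"Image": r"C:\Users\user\AppData\Local\Temp\host_placeholder.exe",
     "ImageLoaded": r"C:\Users\user\AppData\Local\Temp\ChoiceGuard.dll", "Signed": "false"},
    # Same host loading a normal system DLL: not suspicious on its own.
    {"Image": r"C:\Users\user\AppData\Local\Temp\host_placeholder.exe",
     "ImageLoaded": r"C:\Windows\System32\user32.dll", "Signed": "true"},
    # Unsigned vendor DLL inside Program Files: common and outside this heuristic.
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false"},
]


def is_sideload_candidate(event):
    """True when an unsigned DLL sits beside its host EXE outside trusted roots."""
    exe = ntpath.normpath(event["Image"]).lower()
    dll = ntpath.normpath(event["ImageLoaded"]).lower()
    if not dll.endswith(".dll"):
        return False
    same_dir = ntpath.dirname(exe) == ntpath.dirname(dll)
    in_trusted_root = dll.startswith(TRUSTED_ROOTS)
    # A missing Signed field is treated as unsigned so gaps in logging fail closed.
    unsigned = str(event.get("Signed", "false")).lower() != "true"
    return same_dir and unsigned and not in_trusted_root


def find_sideloads(events):
    """Return (host executable, loaded DLL) pairs worth triaging."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for host, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible side-load: {host} loaded {dll}")
```

The heuristic yields triage candidates, not verdicts: portable applications run from user directories will also match and need an allowlist.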