Fake Resumes Via Word Files Disguising LockBit Ransomware

by Dylan Connors, IT Services

Our information security office has received word from AhnLab Security Center (ASEC) that LockBit ransomware is being distributed through Word files disguised as resumes. According to the Cybersecurity and Infrastructure Security Agency, this ransomware was one of the most widely used attacks in 2022.

These Word files have been sent out as email attachments with file names such as:

  • [[[231227_Yang**]]].docx
  • 231227_Lee**.docx
  • 231227Yu**,docx
  • Kim**.docx
  • SeonWoo**.docx
  • Working meticulously! A leader in communication!.docx
  • Candidate with a kind attitude and a big smile.docx
  • I will work with an enthusiastic attitude.docx

The Word files also contain an external link in the internal file \word\_rels\settings.xml.rels, and when the Word file is run, malicious macro code is downloaded from the external URL. These documents are suspected to be ones from the past that are being reused. The file includes images encouraging users to run malicious code in their Microsoft Word application.

Examples of the external URLs:

  • hxxps://viviendas8[.]com/bb/qhrx1h.dotm
  • hxxps://learndash.825testsites[.]com/b/fgi5k8.dotm
  • hxxps://neverlandserver.nn[.]pe/b/ck0zcn.dotm
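The check below is an added example, not code from ASEC or from this office: it reads a .docx as a zip archive without opening it in Word and reports relationship parts such as word/_rels/settings.xml.rels that point an attached template at a remote URL. The function names, the size limit and the sample URL are assumptions made for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")
MAX_PART = 1_000_000  # assumed limit: refuse oversized relationship parts

def external_relationships(docx):
    """Return (part, type, target) for each external relationship; read-only."""
    findings = []
    with zipfile.ZipFile(docx) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".rels"):
                continue
            if info.file_size > MAX_PART:
                findings.append((info.filename, "oversized-part", ""))
                continue
            try:
                root = ET.fromstring(zf.read(info))
            except ET.ParseError:
                findings.append((info.filename, "unparseable-part", ""))
                continue
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "").lower() == "external":
                    findings.append((info.filename, rel.get("Type", ""),
                                     rel.get("Target", "")))
    return findings

def remote_templates(docx):
    """Subset relevant here: attached templates loaded from a remote URL."""
    return [f for f in external_relationships(docx)
            if f[1] == TEMPLATE_TYPE
            and f[2].lower().startswith(("http://", "https://"))]

def build_sample(target):
    """Constructed sample: a minimal zip holding only the relationship part."""
    xml = ('<Relationships xmlns="http://schemas.openxmlformats.org/package/'
           '2006/relationships"><Relationship Id="rId1" Type="%s" Target="%s" '
           'TargetMode="External"/></Relationships>' % (TEMPLATE_TYPE, target))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/_rels/settings.xml.rels", xml)
    buf.seek(0)
    return buf
```

Ordinary hyperlinks are also stored as external relationships, which is why `remote_templates` narrows the result to the attached-template type before anything is flagged.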

Examples of identified download URLs of the LockBit ransomware:

  • hxxps://learndash.825testsites[.]com/b/abc.exe
  • hxxps://viviendas8[.]com/bb/abc.exe
  • hxxps://neverlandserver.nn[.]pe/b/abc.exe

Note that the URLs and file names listed above are only the ones currently known, so be on the lookout for similar messages.

If you receive an email with an attached Word file “resume” with a name and/or external URLs as listed above or something similar, please exercise extra caution. This is not how emails containing resumes or any file should look. Unless you are expecting an email containing a resume or file, do not open any of the attachments and delete them immediately. If you do open an attachment, do not click on the links within the document. It is important to be aware of any suspicious message you receive with any sort of file attached. 

We encourage you to send these emails as well as any other suspicious messages to That way the information security team can block the senders of these emails and block any sites associated with phishing or ransomware attacks. If you feel you may have responded to a fraudulent email or clicked a link within one, please contact IT Help immediately at 513-529-7900.

To learn more, visit ASEC’s website and read their article about this LockBit ransomware situation.

For more tips about remaining secure online and at Miami, visit the Security Corner.