Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat

2021-01-06 Malwarebytes

https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/

Malwarebytes analyzed a malicious Office document, likely aimed at South Korean government-related targets, which it attributes to APT37/ScarCruft on the basis of the injected RokRat payload. Rather than writing the decoded macro to disk, the macro used a VBA self-decoding technique to unpack and execute its malicious code entirely inside Microsoft Office memory; this included a VBOM bypass, mutex creation, and dynamic injection of the decoded module. The final stage spawned a Notepad.exe process, allocated memory in it, wrote shellcode with WriteProcessMemory, and executed it with CreateRemoteThread. The shellcode downloaded an encrypted RokRat variant from a bit[.]ly URL that redirected to Google Drive; the RAT supports screenshot capture, system profiling, credential theft, file management, exfiltration to cloud services, and anti-analysis checks.

Indicators of Compromise

Type   Value                               First Seen   Last Seen
HASH   2a253c2aa1db3f809c86f410e4bd21f…    2021-01-06   2025-04-01
HASH   a42844fc9cb7f80ca49726b3589700f…    2021-01-06   2025-04-01
HASH   3c59ad7c4426e8396369f084c35a2bd…    2021-01-06   2021-01-06
HASH   c7ccd2aee0bddaf0e6c8f68edba1406…    2021-01-06   2021-01-06
HASH   676ae680967410e0f245df0b6163005…    2021-01-06   2021-01-06
