Started tracking this activity when I observed a lot of malicious doc files submitted in VT with dhash value 6801012121018101. 6801012121018101 is the dhash value of the image file (mentioned below) that’s used in the DOC file and all files having this image can be searched in VT using main_icon_dhash:6801012121018101 More info about main_icon_dhash – […]