The distribution method of Dridex through Excel files has been steadily discovered since last year and was introduced on this blog. Recently, the ASEC analysis team found that the Cobalt Strike tool along with Dridex is being distributed with a similar method as before. Yet unlike previous cases, recent Excel documents that are being distributed were found to perform malicious behaviors after a certain time using the task scheduler. It is assumed that the change in the operation method was made to bypass detection and behavior detection in a sandbox environment. Because Dridex and Cobalt Strike had previous cases of subsequently leading to ransomware infection such as DopplePaymer and CLOP, users in company environments should take extra caution.