An analysis reveals the distribution of XLoader info-stealer through phishing emails exploiting the MS Equation Editor vulnerability (CVE-2017-11882). The attack begins with a DOCX file containing an RTF document that creates a VBE file in a temporary folder. This VBE file, built using HorusProtector, contains the final malware and creates registry keys for execution. The malware process injects into RegAsm.exe and executes the XLoader info-stealer. The distribution method has evolved from single VBE files to Office documents with embedded vulnerabilities, indicating persistent risks in unpatched environments. Users are advised to update their Office products and exercise caution when opening email attachments from unknown sources.