Researchers at Proofpoint discovered a Phishing campaign that originated form select job postings on CareerBuilder. The attack starts by submitting a malicious Word document (named resume.doc or cv.doc) to a job posting. The malicious Word files that were sent are also another point of technicality. They exploited a known vulnerability (e.g. CVE-2014-1761 or CVE-2012-0158) In this case, once the document is opened, the exploited vulnerability will place a binary on the system that downloads and unzips an image file, which in turn installs the Sheldor rootkit.”]
Source: https://www.csoonline.com/article/2916524/careerbuilder-listings-used-as-phishing-platform.html