The malware is disguised as a Microsoft Office Word document by having its usual executable icon changed, to trick users into launching it. It will drop a DLL file in %windir%\system32 with a random name that is composed of 9 letters (e.g. frjacnwrm.dll). The file will be registered as a Browser Helper Object by making changes to registry values that will affect Internet Explorer's behavior. The BHO is used to monitor the user's browsing behavior, and the gathered data is sent to a domain similar to: http://[removed]idbredov.ru/.
Source: https://www.bitdefender.com/blog/hotforsecurity/bitdefender-weekly-review-tricky-word-documents/
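
A triage check for the behaviour described above, as an added example that is not part of the Bitdefender write-up: it resolves each Browser Helper Object CLSID in a `reg export` dump to its `InprocServer32` DLL and flags DLLs sitting directly in system32 with a nine-letter name. The registry export is constructed sample data, the function names are hypothetical, and the nine-letter pattern is a review heuristic that legitimate DLLs can also match.

```python
import re

# Constructed sample in `reg export` format (not taken from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-111111111111}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{22222222-2222-2222-2222-222222222222}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-1111-1111-1111-111111111111}\InprocServer32]
@="C:\\Windows\\system32\\frjacnwrm.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{22222222-2222-2222-2222-222222222222}\InprocServer32]
@="C:\\Program Files\\Example Vendor\\toolbar.dll"
"""

BHO_KEY = re.compile(r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})$")
INPROC_KEY = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32$")
# DLL directly under system32 whose base name is exactly nine letters.
NINE_LETTER_DLL = re.compile(r"\\system32\\[a-z]{9}\.dll$", re.IGNORECASE)

def parse_reg(text):
    """Return (set of BHO CLSIDs, {CLSID: InprocServer32 default path})."""
    bhos, servers, current = set(), {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            m = BHO_KEY.search(key)
            if m:
                bhos.add(m.group(1).upper())
            m = INPROC_KEY.search(key)
            current = m.group(1).upper() if m else None
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg files double the backslashes inside string values
            servers[current] = line[3:-1].replace("\\\\", "\\")
    return bhos, servers

def suspicious_bhos(text):
    """BHOs whose DLL matches the dropped-file pattern described above."""
    bhos, servers = parse_reg(text)
    return sorted((c, servers[c]) for c in bhos
                  if NINE_LETTER_DLL.search(servers.get(c, "")))

if __name__ == "__main__":
    for clsid, path in suspicious_bhos(SAMPLE_REG):
        print("review:", clsid, path)
```

Each hit is a candidate for manual review (file signature, creation time, vendor metadata), not a verdict.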

