The ASEC analysis team continually reports on malicious documents that are distributed disguised as materials related to North Korea or public institutions. In this post, the team introduces a malicious DOC (Word) document impersonating a U.S. investment bank. See [Figure 1] for more details. The .doc document operates in the macOS environment and, once the system is infected, installs a backdoor on the user's PC.
As shown in Figure 2, the malicious DOC (Word) document has an external . When the document file is opened, an additional malicious document is downloaded from the URL over an external connection and executed. The attacker’s VBA macro code included in that document is then run.
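A triage check for the behaviour described above, added here as an example and not taken from the ASEC post or from AhnLab's products: it lists the external relationship targets stored in a Word document. It assumes the file is an OOXML (ZIP) package regardless of its extension and that the external reference is recorded as a relationship; the sample package and the `example.invalid` URLs are constructed.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
DOC_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"

def find_external_targets(doc_bytes):
    """Return (rels_part, kind, target) for each external relationship."""
    buf = io.BytesIO(doc_bytes)
    if not zipfile.is_zipfile(buf):
        return []  # not an OOXML package (e.g. legacy OLE2 .doc): nothing to read
    hits = []
    with zipfile.ZipFile(buf) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(pkg.read(name))
            except ET.ParseError:
                continue  # malformed part: skip rather than abort the scan
            for rel in root.iter("{%s}Relationship" % PKG_NS):
                if rel.get("TargetMode", "").lower() == "external":
                    kind = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, kind, rel.get("Target", "")))
    return hits

def needs_review(hits):
    """Hyperlinks are routine; other external targets can load on open."""
    return [h for h in hits if h[1] != "hyperlink"]

def _rels(kind, target):
    # Builds a one-entry relationships part for the constructed sample.
    return ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="%s/%s" '
            'Target="%s" TargetMode="External"/></Relationships>'
            % (PKG_NS, DOC_NS, kind, target))

def build_sample():
    """Constructed package: one ordinary hyperlink, one remote template."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        z.writestr("word/_rels/document.xml.rels",
                   _rels("hyperlink", "https://example.invalid/about"))
        z.writestr("word/_rels/settings.xml.rels",
                   _rels("attachedTemplate", "https://example.invalid/t.dotm"))
    return out.getvalue()

if __name__ == "__main__":
    for part, kind, target in needs_review(find_external_targets(build_sample())):
        print(part, kind, target)
```

Any non-hyperlink external target reported for a document received by mail is worth checking against proxy or DNS logs before the file is opened in Word.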
These documents are highly likely to have been sent to employees of global investment banks and related overseas companies. Because social engineering attacks that rely on impersonation have increased substantially, users must remain vigilant to prevent damage from such attacks. AhnLab’s anti-malware solutions detect and block the files above using the following alias.