Malicious Word Document Disguised as Profile Template File for Summer Academic Conference Being Distributed

In June this year, the ASEC analysis team introduced a malicious Word document assumed to be part of a targeted attack. Recently, the team confirmed that malware of the same type is being distributed with new content. It was distributed through emails whose sender impersonated an admin of a summer academic conference in Korea (see the figure below). The email had an attachment named ‘[** Summer Academic Conference]_Profile Template.doc’ which prompts the user to fill out the form.

Figure: Distributed email

The figure below shows the Word file attached to the email, which contains a macro. Both the author and the last modifier of the document are the same as in the previously discovered ‘Compensation Claim Form’ document, so it is likely that both documents were distributed by the same attacker (https://asec.ahnlab.com/en/24443/).

Figure: Document properties
Figure: Malicious Word file

Like ‘Compensation Claim Form,’ simply opening the file does not trigger the malicious behavior. The malicious macro runs when the user enters text in the document. When the macro runs, it downloads data from the following URL and saves it as %APPDATA%\desktop.ini.

  • Download URL: hxxp://daewon3765.cafe24.com/about/down/download.php?filename=[user name]

Afterward, it executes the desktop.ini file through Excel, using the ExcelApp.ExecuteExcel4Macro(cmd) function with the command shown below. As the team currently cannot access the URL that serves the additional data, it could not check what the malware does afterward.

  • call("kernel32", "WinExec", "JFJ", "wscript //e:vbscript //b ""C:\\Users\\[user name]\\AppData\\Roaming\\desktop.ini""", 5)
Figure: Process tree

Additionally, by checking the sender ID of the email that distributed the malware, the team discovered a blog hosting the malicious script.

  • Blog URL: hxxps://kaisjovtnal.blogspot.com
Figure: Web page assumed to be created by the same attacker

The malicious script is Base64-encoded and performs the same function as the script on the attacker’s web page (hxxps://smyun0272[.]blogspot[.]com/2021/06/dootakim[.]html) from the ‘Compensation Claim Form’ case.
When the script runs, it changes the value of HKCU\Software\Microsoft\Office\[Version].0\Word\Security\VBAWarnings to 1 so that macros run automatically. It also collects certain information from the user’s PC and sends it to the C2 server. The script checked on the 29th used deawon3765.cafe24[.]com, but the C2 has since changed as shown below.

  • C2 before change: hxxp://daewon3765.cafe24.com/about/post/info.php
  • C2 after change: hxxp://taesan109.myartsonline.com/about/post/info.php

Information collected from the user PC (figure: List of collected information):
  • List of running service processes
  • List of recent files
  • User name
  • Operating system information
  • Office version information
  • .NET version information
  • List of desktop files
  • List of apps pinned to the taskbar

AhnLab’s anti-malware product, V3, detects and blocks the files above using the aliases below.

[File Detection]
Trojan/DOC.Agent

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
