Malicious Word File Disguised as ‘Purchase and Sales Agreement for Export-bound Gold Bars’

The ASEC analysis team discovered a malicious Word document disguised as a ‘Purchase and Sales Agreement for Export-bound Gold Bars’ and would like to inform readers about it through this post. Judging by the title and body text of the original document on which the distributed file is based, the original appears to have been created some time ago and to have been revised shortly before its recent distribution.

  • Document Title: 1MT Business Terms-20140428.doc
  • Document Information: Last Printed Date – April 20th, 2014; Last Modified Date – August 14th, 2021

The document is protected; once the embedded malicious macro runs, it removes the protection and the image inserted by the attacker, revealing the document content.

Note that the password used to remove the protection is the same one used by the malware introduced in an earlier ASEC blog post, ‘Malicious North Korea-related Materials.’ The document was also identified in a Twitter post as Kimsuky-related APT malware.

  • Protection removal password that was also used in North Korea-related malware: 1qaz2wsx

Sub AutoOpen()                                   ' auto-executes as soon as macros are enabled
    On Error Resume Next                         ' suppress any error dialog the user might otherwise see
    Application.ActiveWindow.View.Type = wdPrintView
    Set wnd = ActiveDocument
    wnd.Unprotect "1qaz2wsx"                     ' remove document protection with the hard-coded password
    ViewPage ("pic")                             ' defined elsewhere in the macro project; removes the inserted image so the content shows
    wnd.Save
    Set ob_tmp = Application.Templates
    Dim tmp As Template
    For Each tmp In ob_tmp                       ' find the user's Normal template (Type 0 = wdNormalTemplate)
    If tmp.Type = 0 Then
        MainPage (tmp.Path)                      ' defined elsewhere; receives the user Templates directory path (cf. the XML creation path below)
        Exit For
    End If
    Next
End Sub

Code 1. Function included with feature to remove document protection
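The macro in Code 1 combines several traits that are individually benign but together characterise this kind of dropper: an auto-execute entry point, error suppression, a hard-coded Unprotect password, and enumeration of the user Templates directory. The following Python script is an added example, not ASEC's code, showing how an analyst can run simple static triage rules over extracted VBA source. It uses Code 1 itself as sample input; the one-line `CONSTRUCTED_SCRIPT_HOST_LINE` is a constructed stand-in for the wscript.exe hand-off the post describes but does not show, and the rule names and weights are assumptions chosen for this example.

```python
import re

# Code 1 from the post, embedded here as the sample input for the triage rules.
CODE1_MACRO = '''Sub AutoOpen()
    On Error Resume Next
    Application.ActiveWindow.View.Type = wdPrintView
    Set wnd = ActiveDocument
    wnd.Unprotect "1qaz2wsx"
    ViewPage ("pic")
    wnd.Save
    Set ob_tmp = Application.Templates
    Dim tmp As Template
    For Each tmp In ob_tmp
    If tmp.Type = 0 Then
        MainPage (tmp.Path)
        Exit For
    End If
    Next
End Sub
'''

# A constructed one-liner (not from the post) standing in for the part of the
# macro project the post does not show: the hand-off to wscript.exe.
CONSTRUCTED_SCRIPT_HOST_LINE = 'Shell "wscript.exe " & tmp.Path & "\\1589989024.xml"'

# Triage rules: (name, weight, regex, why a defender cares). Weights are assumptions.
RULES = [
    ("auto_exec", 2,
     re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(?:AutoOpen|AutoExec|Document_Open)\b",
                re.I | re.M),
     "runs as soon as macros are enabled, with no user interaction"),
    ("error_suppression", 1,
     re.compile(r"\bOn\s+Error\s+Resume\s+Next\b", re.I),
     "swallows failures so the user sees nothing if a step breaks"),
    ("unprotect_literal_password", 3,
     re.compile(r"\.Unprotect\s+(?:Password\s*:=\s*)?\"([^\"]*)\"", re.I),
     "hard-coded protection password, reusable as a family indicator"),
    ("templates_enum", 2,
     re.compile(r"\bApplication\.Templates\b", re.I),
     "resolves the per-user Templates directory, a quiet drop location"),
    ("script_host", 3,
     re.compile(r"wscript\.exe|cscript\.exe|WScript\.Shell", re.I),
     "hands execution to the Windows Script Host"),
]


def triage_macro(src):
    """Return {rule_name: [1-based line numbers]} for every rule that fires."""
    hits = {}
    for name, _w, rx, _why in RULES:
        lines = sorted({src.count("\n", 0, m.start()) + 1 for m in rx.finditer(src)})
        if lines:
            hits[name] = lines
    return hits


def risk_score(src):
    """Weighted sum of fired rules; 5 or more is worth an analyst's time."""
    fired = triage_macro(src)
    score = sum(w for name, w, _rx, _why in RULES if name in fired)
    return score, ("suspicious" if score >= 5 else "low")


def extract_unprotect_password(src):
    """Pull the literal password passed to Document.Unprotect, if any."""
    rx = next(r for n, _w, r, _why in RULES if n == "unprotect_literal_password")
    m = rx.search(src)
    return m.group(1) if m else None


def explain(src):
    """Human-readable findings, one per fired rule, with the offending lines."""
    fired = triage_macro(src)
    return [f"{name} (lines {fired[name]}): {why}"
            for name, _w, _rx, why in RULES if name in fired]


if __name__ == "__main__":
    for finding in explain(CODE1_MACRO):
        print(finding)
    print("password:", extract_unprotect_password(CODE1_MACRO))
    print("score:", risk_score(CODE1_MACRO))
```

The extracted password is worth keeping as a hunting artefact in its own right: the post notes it is shared with earlier North Korea-related samples, so a literal-password rule gives a cheap family link across documents whose other strings differ.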

This document creates an XML file in the path below that accesses a malicious URL, and runs it with wscript.exe. The document presumably connects to the URL shown below and performs additional malicious behaviors, but the team could not verify this further because the network endpoint is currently disabled.

  • XML Creation Path: c:\Users\[user name]\AppData\Roaming\Microsoft\Templates\1589989024.xml
  • Connection URL: hxxp://regedit.onlinewebshop[.]net/hosteste/rownload/list.php?query=1

As always, the team urges users not to open document files from unknown sources and recommends updating V3 to the latest version. AhnLab’s anti-malware product, V3, detects and blocks the malicious document using the aliases below.

[File Detection]
Downloader/DOC.Malscript
Downloader/DOC.Generic.S1649

[IOC]
fd2829488c4172ffc97700fbc523d646
hxxp://regedit.onlinewebshop[.]net/hosteste/rownload/list.php?query=1

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
