The ASEC analysis team discovered a malicious word document disguised as ‘Purchase and Sales Agreement for Export-bound Gold Bars’ and would like to inform the readers about it through this post. Judging by the title and body text of the original document on which the distributed document is based, it appears that the original was created in the past and was recently distributed following a revision.
- Document Title: 1MT Business Terms-20140428.doc
- Document Information: Last Printed Date – April 20th, 2014
Last Modified Date – August 14th, 2021
The file is protected and once the internal malicious macro is run, it removes protection and the image inserted by the attacker to show the content.
Note that the password used to remove protection is the same as the one used by the malware introduced in an ASEC blog post: ‘Malicious North Korea-related Materials.’ The document was also mentioned by a global Twitter post below as a Kimsuky-related APT malware.
- Protection removal password that was also used in North Korea-related malware: 1qaz2wsx
Sub AutoOpen()
On Error Resume Next
Application.ActiveWindow.View.Type = wdPrintView
Set wnd = ActiveDocument
wnd.Unprotect "1qaz2wsx"
ViewPage ("pic")
wnd.Save
Set ob_tmp = Application.Templates
Dim tmp As Template
For Each tmp In ob_tmp
If tmp.Type = 0 Then
MainPage (tmp.Path)
Exit For
End If
Next
End Sub
Code 1. Function included with feature to remove document protection

This document creates an XML file that prompts to access a malicious URL in a certain path and runs it with wscript.exe. While it seems that the document will connect to the URL shown below and perform additional malicious behaviors, the team could not check further as the network is currently disabled.
- XML Creation Path: c:\Users\[user name]\AppData\Roaming\Microsoft\Templates\1589989024.xml
- Connection URL: hxxp://regedit.onlinewebshop[.]net/hosteste/rownload/list.php?query=1
As always, the team urges users not to open document files with unknown sources and recommends updating V3 to the latest version. AhnLab’s anti-malware product, V3, detects and blocks the malicious document using the aliases below.
[File Detection]
Downloader/DOC.Malscript
Downloader/DOC.Generic.S1649
[IOC]
fd2829488c4172ffc97700fbc523d646
hxxp://regedit.onlinewebshop[.]net/hosteste/rownload/list.php?query=1
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information