Malicious Excel File Using Macro Sheets Being Distributed in Korea (2)

The ASEC analysis team has found multiple distributions of malicious excel file that uses macro sheet (Excel 4.0 Macro) via phishing email. The use of macro sheet is a method commonly used by the distributor, and such method was also used in the distribution of malware such as SquirrelWaffle and Qakbot.

The malware that uses macro sheets was mentioned in the previous blogs as well. The distribution is not that different from previous methods, but considering that the files in similar forms are being massively distributed, users need to take extra caution.

Figure 1. Malicious excel macro file that is being frequently distributed in Korea

Most of the files have the filename of ‘Short-Length English Word-[0-9] {7,10}’ (e.g. biz-106093825.xls, recital-1105217019.xls, miss-1360738092.xls). The following are the files that the ASEC analysis team has found:

  • biz-10682809.xls
  • biz-108566842.xls
  • recital-1105217019.xls
  • miss-1601179456.xls
  • proto-1643065415.xls
  • miss-1360738092.xls
  • record-1844987577.xls
  • record-16733321.xls

Upon executing the excel file for the first time, the hidden sheets shown in the figure below are flashed to the users. These sheets have texts dispersed and hidden by using white-colored texts.

Figure 2. Hidden sheets

Figure 3. Macro code hidden using white color texts, and dispersed

The following is the analysis of macro code hidden and dispersed in the hidden sheet.

It is assumed that the purpose is to use regsvr32.exe for execution by using DownloadToFileA function to access external URLs in the sheet, and download additional malware by designating them as the filename of ‘C:\Datop\test.test’.

The file cannot be downloaded at the moment, thus an error occurs upon executing the macro; however, ‘test.test’ files that the team has obtained are assumed to be banking malware Qakbot.

Figure 4. Macro execution error due to unavailability of external URL connection

If the connection to the external URL is possible downloading additional malware, explorer.exe (Windows normal process) is executed and injected to shellcode to perform additional malicious behavior. The behavior of modifying the task scheduler for default execution persistence and POST connection for C2 is also confirmed in the Qakbot malware. See below for more information.

Figure 5. Execution behavior of explorer.exe found in the process tree

Figure 6. C2 found in memory

Additionally, information collected about the infected system is sent to C2 via POST connection. General information including OS version, number of bits, username, computer name is also collected via the following system utility commands.

Figure 7. Process of information collection of infected system using AhnLab RAPIT

As files with similar filenames are frequently being distributed, users must refrain from opening attachments in email from unknown sources. It is also recommended to update the running anti-malware software to the latest version regularly.

AhnLab’s anti-malware product, V3, detects and blocks the malware using the alias below.

[File Detection]

[Behavior Detection]


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

0 0 votes
Article Rating
Inline Feedbacks
View all comments