Malicious HWP Document Disguised as Reunification Education Support Application
On March 5, AhnLab SEcurity intelligence Center (ASEC) found a post recruiting students for a unification-related course, which included a link to download a malicious HWP document.
At the time of analysis, there were download links for JPG, HWP, and DOC files at the bottom of the post. The HWP file among them was identified as a malicious file disguised as an application form.

Figure 1. Download link at the bottom of the post
The downloaded HWP document contains various files, including a normal HWP document and a malicious BAT file. When the HWP document is opened, these files are created in the TEMP folder.
| File Name | Description |
|---|---|
| hwp_doc.db | Normal Document |
| app.db (0304.exe, 0304_1.exe) | Normal Executable (EXE) |
| mnfst.db (0304.exe.manifest) | Configuration File with Malicious Commands |
| mnfst_1.db (0304_1.exe.manifest) | Configuration File with Malicious Commands |
| sch_0304.db | Malicious XML file with a task defined |
| sch_0304_1.db | Malicious XML file with a task defined |
| document.bat | Malicious BAT File |
| get.db (0304.bat) | Malicious BAT File |

Table 1. Files created in the TEMP path
The document body is written as if an HWP document were attached, but each of these strings actually carries the same hyperlink (a relative path).

Figure 2. Main text of the document

Figure 3. Inserted hyperlink
The document.bat file executed through the above hyperlink performs the following actions so that the malware keeps running while its activity stays hard for the user to notice:
- Change the file names and paths of other additional files
- Register Task Scheduler
- Execute Normal Document
The following is a normal document that is executed.

Figure 4. Contents of the normal document being executed

Figure 5. Created task scheduler
The 0304.exe and 0304_1.exe files, which are registered as services and executed by the document.bat file, read and execute the 0304.exe.manifest and 0304_1.exe.manifest files located in the same folder. The functions of each file are as follows:

| File Name | Function |
|---|---|
| 0304.exe.manifest (mnfst.db) | Run c:\users\public\music\0304.bat (get.db) |
| 0304_1.exe.manifest (mnfst_1.db) | Rename the file wis.db in c:\users\public\music\ to wins.bat and execute it |

Table 2. Functions of the executed malicious files
This malware ultimately accesses an external URL to download and execute additional files. The downloaded file is executed as a .bat file, allowing various commands to be executed according to the threat actor's intentions.
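As an added illustration (not code from the ASEC post), the following Python sketch flags each stage of the chain described above in process-creation events: the HWP process launching document.bat from TEMP, .db files being renamed, a task registered from an XML file in a staging folder, and a binary running from c:\users\public\music. The Sysmon-style field layout, the Hwp.exe parent name and all sample paths are assumptions; the log lines are constructed.

```python
"""Detection sketch for the chain this post describes: an HWP hyperlink runs document.bat from
TEMP, dropped .db files are renamed, a task is registered from XML, and an EXE runs from
C:/Users/Public/Music. Log lines are constructed; the Sysmon-style layout is assumed."""
import re

STAGING_DIRS = ("/appdata/local/temp/", "c:/users/public/music/")
HWP_PARENTS = ("hwp.exe",)  # assumed image name of the Hangul word processor

def norm(text):
    """Lower-case and forward-slash a value so path matching ignores case and slash style."""
    return text.lower().replace("\\", "/")

def parse_line(line):
    """Split 'Key=Value|Key=Value' into a dict with normalised values."""
    fields = (f.split("=", 1) for f in line.split("|") if "=" in f)
    return {k.strip().lower(): norm(v.strip()) for k, v in fields}

def classify(ev):
    """Return the names of the behaviours this process-creation event matches."""
    hits, cmd = [], ev.get("commandline", "")
    image, parent = ev.get("image", ""), ev.get("parentimage", "")
    in_staging = any(d in cmd for d in STAGING_DIRS)
    # 1. the hyperlink inside the document launches document.bat from TEMP
    if parent.rsplit("/", 1)[-1] in HWP_PARENTS and ".bat" in cmd and in_staging:
        hits.append("hwp_spawns_bat_from_staging_dir")
    # 2. document.bat renames dropped .db files into .bat/.exe/.manifest
    if re.search(r"\bren(ame)?\b", cmd) and ".db" in cmd and \
            any(x in cmd for x in (".bat", ".exe", ".manifest")):
        hits.append("db_renamed_to_executable")
    # 3. a scheduled task is registered from an XML definition in a staging folder
    if image.endswith("/schtasks.exe") and "/create" in cmd and "/xml" in cmd and in_staging:
        hits.append("task_registered_from_staging_xml")
    # 4. a binary runs from the public Music folder used for 0304.exe / 0304_1.exe
    if image.startswith("c:/users/public/music/"):
        hits.append("binary_run_from_public_music")
    return hits

def scan(lines):
    """Return (line index, hits) for every event that triggers at least one rule."""
    tagged = ((i, classify(parse_line(line))) for i, line in enumerate(lines))
    return [(i, hits) for i, hits in tagged if hits]

# Constructed sample events (not taken from the report), one per stage of the chain.
LOGS = [
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Program Files\Hnc\Hwp.exe|CommandLine=cmd.exe /c C:\Users\u\AppData\Local\Temp\document.bat",
    r"Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=cmd /c ren C:\Users\u\AppData\Local\Temp\get.db 0304.bat",
    r"Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=schtasks /create /tn Update /xml C:\Users\u\AppData\Local\Temp\sch_0304.db",
    r"Image=C:\Users\Public\Music\0304.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=C:\Users\Public\Music\0304.exe",
    r"Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe C:\Users\u\notes.txt",
]
```

Running `scan(LOGS)` flags the first four constructed events, one rule each, and leaves the benign notepad event unflagged.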
Recently, there have been multiple cases of malware being distributed using HWP documents. In particular, since attacks that used to target specific users are now being distributed to the general public, users need to be extra cautious. Site administrators must regularly check their sites to prevent malware from being uploaded, and users must be cautious when additional steps are required to execute a file. Users must also update V3 to the latest version so that malware infection can be prevented.