Keypoints
- Phishing emails using a DocuSign theme deliver a link (hxxp://mettlybothe.com/8/forum[.]php) that downloads the initial malicious Word document.
- Enabling macros triggers Document_Open which runs VBA that targets an embedded OLE object inside the document.
- The VBA uses Selection methods (.MoveDown, .MoveRight, .MoveTypeBackspace) and Selection.Copy to copy the embedded OLE object to the clipboard, causing Word to write the object to %TEMP% as a file (e.g., zoro.kl).
- The dropped file is moved via Scripting.FileSystemObject to AppData\Roaming\Microsoft\Templates and renamed (e.g., zoro.doc), opened with Documents.Open, and is often password-protected.
- The nested document repeats the clipboard drop technique to extract a DLL (e.g., gelforr.dap), which is moved to the Templates folder and executed with rundll32.exe.
- Observed artifacts include specific SHA-256 hashes for the main doc, dropped doc, and DLL, and Procmon logs showing WriteFile events for the temporary files.
MITRE Techniques
- [T1566.002] Phishing – Delivered via spam mail with links to the malicious Word document (‘Spam mail with links’)
- [T1204.001] User Execution – Victim must enable editing/content and open the downloaded link/document to execute macros (‘User Execution by opening the link.’)
- [T1204.002] Execution of Malicious File – The downloaded document is executed to run embedded macros (‘Executing downloaded doc’)
- [T1218] Signed Binary Proxy Execution – Final DLL payload executed using a signed Windows binary, rundll32.exe (‘Signed Binary Execution Rundll32’)
- [T1071] Application Layer Protocol – C2 communication occurs over HTTP (‘HTTP (Hypertext Transfer Protocol) protocol for communication’)
Indicators of Compromise
- [SHA-256] File hashes observed – 915ea807cdf10ea4a4912377d7c688a527d0e91c7777d811b171d2960b75c65c (main doc), c1c89e5eef403532b5330710c9fe1348ebd055d0fe4e3ebbe9821555e36d408e (dropped doc), and 1 more hash.
- [URL] Malicious download link – hxxp://mettlybothe.com/8/forum[.]php (used in DocuSign-themed phishing email)
- [File names] Dropped filenames and locations – zoro.kl → %TEMP% (temporary write via clipboard), zoro.doc (moved to AppData\Roaming\Microsoft\Templates), gelforr.dap (DLL moved to Templates and executed)
The technical procedure begins with a DocuSign-themed phishing email that links to a malicious Word document. When the user enables macros, Document_Open executes a VBA loader that locates an embedded OLE object by moving the Selection cursor (.MoveDown, .MoveRight, .MoveTypeBackspace) and uses Selection.Copy to place the OLE object onto the Windows clipboard. Word’s clipboard write behavior causes the embedded object to be materialized as a file in %TEMP% (example: zoro.kl), which is observed in Procmon as a WriteFile event.
Next, the VBA uses CreateObject("Scripting.FileSystemObject") to move and rename the temp file into AppData\Roaming\Microsoft\Templates as zoro.doc and opens it with Documents.Open; the nested document is password-protected (observed passwords include "doyouknowthatthegodsofdeathonlyeatapples?"). The nested document repeats the same clipboard-drop routine to extract an embedded DLL (observed as gelforr.dap), moves it to the Templates folder, and then launches the DLL via rundll32.exe, achieving execution through a signed Windows binary to evade detection.
Key artifacts to inspect during triage are the temporary clipboard-written filenames in %TEMP%, the moved files under AppData\Roaming\Microsoft\Templates, the VBA code paths invoking Selection.Copy and Documents.Open, and related Procmon logs showing CreateFile/WriteFile and the rundll32.exe execution of the dropped DLL. Monitoring for the specific hashes and the malicious download URL can help detect this variant in the wild.
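As an added triage example (not code from the McAfee post), the following script correlates the Procmon artifacts described above: a WINWORD.EXE WriteFile into %TEMP%, the same file renamed into the Templates folder, and a rundll32.exe launch referencing the moved file. The Procmon CSV is constructed for this example, and the assumption that a FileSystemObject move appears in Procmon as a SetRenameInformationFile event is mine.

```python
import csv
import io
import re

# Constructed Procmon CSV export (default column set); user name, PIDs and the
# rundll32 export name are made up for this example.
PROCMON_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:01:02.1,WINWORD.EXE,4120,WriteFile,C:\Users\victim\AppData\Local\Temp\zoro.kl,SUCCESS,"Offset: 0, Length: 65536"
10:01:02.4,WINWORD.EXE,4120,SetRenameInformationFile,C:\Users\victim\AppData\Local\Temp\zoro.kl,SUCCESS,"FileName: C:\Users\victim\AppData\Roaming\Microsoft\Templates\zoro.doc"
10:01:03.0,WINWORD.EXE,4120,CreateFile,C:\Users\victim\AppData\Roaming\Microsoft\Templates\zoro.doc,SUCCESS,"Desired Access: Generic Read"
10:01:05.2,WINWORD.EXE,4120,WriteFile,C:\Users\victim\AppData\Local\Temp\gelforr.dap,SUCCESS,"Offset: 0, Length: 131072"
10:01:05.5,WINWORD.EXE,4120,SetRenameInformationFile,C:\Users\victim\AppData\Local\Temp\gelforr.dap,SUCCESS,"FileName: C:\Users\victim\AppData\Roaming\Microsoft\Templates\gelforr.dap"
10:01:06.0,WINWORD.EXE,4120,Process Create,C:\Windows\System32\rundll32.exe,SUCCESS,"PID: 5208, Command line: rundll32.exe C:\Users\victim\AppData\Roaming\Microsoft\Templates\gelforr.dap,f1"
10:02:00.0,WINWORD.EXE,4120,WriteFile,C:\Users\victim\AppData\Local\Temp\~WRD0001.tmp,SUCCESS,"Offset: 0, Length: 4096"
"""

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
TEMPLATES_RE = re.compile(r"\\AppData\\Roaming\\Microsoft\\Templates\\", re.I)


def parse_procmon(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def find_clipboard_drop_chains(events):
    """Link each Word-written %TEMP% file to its move into Templates and any
    rundll32.exe launch that references the moved path. Ordinary Word temp
    files that are never moved (e.g. ~WRD*.tmp) are dropped from the result."""
    chains = {}
    for ev in events:
        if ev["Process Name"].upper() != "WINWORD.EXE":
            continue
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        if op == "WriteFile" and TEMP_RE.search(path):
            chains.setdefault(path.lower(), {"temp": path, "moved_to": None, "rundll32": None})
        elif op == "SetRenameInformationFile" and path.lower() in chains:
            m = re.search(r"FileName:\s*(.+)$", detail)
            if m and TEMPLATES_RE.search(m.group(1)):
                chains[path.lower()]["moved_to"] = m.group(1).strip()
        elif op == "Process Create" and "rundll32" in path.lower():
            for chain in chains.values():
                if chain["moved_to"] and chain["moved_to"].lower() in detail.lower():
                    chain["rundll32"] = detail
    return [c for c in chains.values() if c["moved_to"]]


if __name__ == "__main__":
    for chain in find_clipboard_drop_chains(parse_procmon(PROCMON_CSV)):
        print(chain)
```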
Read more: https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via-clipboard/