Malicious Word documents impersonating AhnLab are being distributed to corporate users to trigger macros. The attack chain downloads a second Word file containing a VBA macro, uses Windows Media Player to auto-run the code, downloads additional payloads, and persists on compromised systems. #AhnLab #ASEC #WindowsMediaPlayer #OfficeMacro #USOService #naveicoipc
Keypoints
- Malicious Word files impersonate AhnLab to prompt users to enable macros and download additional payloads.
- The attack uses an external URL to fetch a second Word file containing malicious VBA code.
- The macro leverages Windows Media Player (WindowsMediaPlayer1_OpenStateChange) to auto-run, bypassing some AutoOpen detections.
- Code injects into the Word process and downloads further malware tailored to the host environment before execution.
- Persistence is achieved by dropping USOService.exe in ProgramData/USOSharedLogs and adding a Run entry (HKCU) to keep it running.
- Other dropped components (e.g., UpdateChecker.exe) appear in AppData/Local/MicrosoftOffice and other folders, with user prompts to enable content.
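The two document-level traits described above (a first-stage Word file that reaches out to an external URL for a second file, and a second-stage macro whose entry point is the Windows Media Player ActiveX event rather than AutoOpen) can both be checked statically before a file is opened. The following is an added triage example, not code from the ASEC write-up: it assumes the external URL is carried as an `attachedTemplate` relationship marked `TargetMode="External"` inside the .docx package (the usual mechanism, an assumption here), and that the VBA source has already been extracted as text (for example with olevba). The sample document and VBA listing are constructed inline; the URL and handler body are placeholders, not the report's indicators.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")

# VBA entry points that run without the user calling anything. The first three
# are the classic auto-run handlers; the last is the Windows Media Player
# ActiveX event the report describes, which fires on a control state change
# and so slips past rules that only look for AutoOpen.
AUTORUN_HANDLERS = (
    "AutoOpen",
    "AutoExec",
    "Document_Open",
    "WindowsMediaPlayer1_OpenStateChange",
)


def external_relationships(docx_bytes):
    """List (part, type, target) for every relationship in the package that is
    marked TargetMode="External" and points at an http(s) URL. A benign
    document rarely needs one; an external attachedTemplate is how a
    first-stage .docx pulls a second, macro-bearing file at open time."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        for name in pkg.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(pkg.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                if (rel.get("TargetMode") == "External"
                        and target.lower().startswith(("http://", "https://"))):
                    hits.append((name, rel.get("Type", ""), target))
    return hits


def autorun_handlers(vba_source):
    """Return the auto-run handler names declared in a VBA listing
    (case-insensitive match on 'Sub <Name>(')."""
    found = []
    for handler in AUTORUN_HANDLERS:
        pattern = r"\bSub\s+" + re.escape(handler) + r"\s*\("
        if re.search(pattern, vba_source, re.IGNORECASE):
            found.append(handler)
    return found


def build_sample_docx(template_url=None):
    """Constructed minimal .docx (a zip of OOXML parts). With template_url set,
    settings.xml.rels carries an external attachedTemplate pointing at it,
    mimicking the remote-fetch step; without it the package is benign."""
    content_types = (
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/></Types>'
    )
    document_rels = (
        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" '
        'Target="settings.xml"/></Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", content_types)
        pkg.writestr("word/document.xml", "<document/>")
        pkg.writestr("word/settings.xml", "<settings/>")
        pkg.writestr("word/_rels/document.xml.rels", document_rels)
        if template_url:
            pkg.writestr(
                "word/_rels/settings.xml.rels",
                f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                f'Type="{TEMPLATE_REL}" Target="{template_url}" '
                'TargetMode="External"/></Relationships>',
            )
    return buf.getvalue()


# Constructed VBA listing standing in for the second-stage macro: only the
# handler name comes from the report; the body is a harmless placeholder.
SAMPLE_VBA = """\
Private Sub WindowsMediaPlayer1_OpenStateChange(ByVal NewState As Long)
    ' placeholder body (the real macro downloads and injects further payloads)
    MsgBox "state changed"
End Sub
"""


def triage(docx_bytes, vba_source=""):
    """Combine both checks into one verdict for a document."""
    rels = external_relationships(docx_bytes)
    handlers = autorun_handlers(vba_source)
    return {"external_targets": rels, "autorun_handlers": handlers,
            "suspicious": bool(rels or handlers)}


if __name__ == "__main__":
    lure = build_sample_docx("http://second-stage.example.invalid/stage2.docx")
    print(triage(lure, SAMPLE_VBA))       # flags both traits
    print(triage(build_sample_docx()))    # clean package, nothing flagged
```

Internal relationships (no `TargetMode`, relative targets such as `settings.xml`) are deliberately ignored, so a normal document produces no findings; only an absolute http(s) target marked external is reported. The handler list is a starting point: any other ActiveX control event (`<ControlName>_<Event>`) can serve the same purpose, so in practice the VBA check should be paired with a look at which controls the document embeds.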
MITRE Techniques
- [T1566.001] Phishing – The attacker distributes malicious Word files impersonating AhnLab to prompt macros. “document … impersonates AhnLab” and “download another Word file containing malicious VBA macro via the external URL and run it.”
- [T1204.002] User Execution – Malicious File – The Word document prompts users to press Enable Content to execute the macro. “The attacker inserted an image and text to prompt users to press Enable Content.”
- [T1059.005] Visual Basic – The downloaded file contains a macro written in VBA, using WindowsMediaPlayer1_OpenStateChange to trigger actions. “The macro is written using the WindowsMediaPlayer1_OpenStateChange() function …”
- [T1105] Ingress Tool Transfer – The macro downloads and runs additional malware from an external URL. “downloads additional malware that suits the user’s PC environment and runs it”
- [T1055.001] Process Injection – The downloaded malware is executed by injecting it into the running Word process. “…injecting it into the Word process.”
- [T1547.001] Registry Run Keys/Startup Folder – The dropped payload adds a Run entry so it can be continuously executed. “HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WUService registry so that it can be continuously run.”
Indicators of Compromise
- [Domain] naveicoipc[.]tech/ACMS/0lvNAK1t/0lvNAK1t32.acm, naveicoipc[.]tech/ACMS/0lvNAK1t/0lvNAK1t64.acm, and 3 more domains
- [Hash] ce00749c908de017010055a83ac0654f783e7c3ba39daa28301b841785794d762fec0c6ff8af4484471633aeaa1c99966df608342938f0d30a058c48bb9d8d4d
- [FileName] NFT split.docx, 202203_BTC_ETH_additional account info.docx, Complaint for fund-raising business without permission.docx, Fund-raising without permission.docx, BTC_ETH automated trading account info.docx, Cryptocurrency_investment plan.docx
- [URL] hxxp://ZVc1ijAU.naveicoipc[.]tech/ACMS/0lvNAK1t/0lvNAK1t32.acm, hxxp://ZVc1ijAU.naveicoipc[.]tech/ACMS/0lvNAK1t/0lvNAK1t64.acm
Read more: https://asec.ahnlab.com/en/33477/