2020 Review: How APTs leveraging Malicious Document

Posted by Fareed Fauzi


In this post, we will review the malicious document techniques used by the APTs as part of their weaponization in delivering their malware to the victims mainly focus on the year 2020.

JhoneRAT Malware: Template Injection

A new remote access trojan called JhoneRAT rises since November 2019 actively targetting Middle East countries. The RAT uses malicious documents as part of their initial vector to the victims which then uses various cloud services (such as Google Drive and Google Forms) in the macro to avoid URL blocklisting as part of the malicious’s infection process.

Three identified malicious Microsoft Office documents were used as part of the decoy document implement template injection which leads to macro execution.

Document 1: Urgent.docx

The content of the first document shown in Figure 1 containing Arabic + English words baits the victim to click the "Enable Editing" button.

Figure 1: Content of the Urgent.docx

Figure 2: Arabic words translated into English

Document 2: fb.docx

The second document contains usernames and passwords of leaked Facebook Accounts.

Figure 3: fb.docx containing Facebook credentials

Document 3

The third document was alleged to be from the UAE Ministry of Foreign Affairs.

Figure 4: Document was blurred to bait user to click enable content.

Inspection of the all setting.xlm.rels in the three decoy documents reveals a template injection technique was used by the attacker as part of their initial vector. The macro document was hosted on Google Drive.

Figure 5: setting.xlm.rels of 1st document

Figure 6: setting.xlm.rels of 2nd document

Figure 7: setting.xlm.rels of 3rd document

Macro analysis

The dotm template document containing a Macro with a module. 

The macro content:

The macro contains a virtual machine detection technique by executing a WMIC command to get the serial number of the disk on the targeted system. Virtual machines do not have any serial numbers, thus, running the macro in a virtual machine environment result the module "st" will not be executed. If a serial number exists, the "st" module will be executed. 

Module content:

Line 31-49 will download the content of the google drive which supposedly a picture and save it as .jpg with the name array "cartoon", "img", "photo".

The jpg file containing base64 strings first will be split by "****" characters at line 25-29. Then it will be decoded as binary (.exe) generate based on the name array "proc", "chrome", "WinRAR" at lines 51-84. And last, it will execute the executable at line 69.


The adversary uses a template injection technique containing a template document with a macro. The macro will download a picture from Google Drive which then will decode a base64 as executable binary and execute the executable file.

APT‑C‑23, Pierogi campaign: .doc Macro Attack

The majority of infections in Pierogi's campaign did not originate from Malicious Microsoft Word documents, instead of using the malicious executable files. 

Based on the research from the Cybereason Nocturnus team [1], they found several weaponized Microsoft Word documents with an embedded downloader macro that downloads and installs the backdoor used in this attack. One of them is a doc file with the Arabic file name "السيرة الذاتية منال1" and the second one was name with "Employee-entitlements-2020" as shown in the below figure.

Figure 8: APT-C-23 samples

Both of the files are MS Office 97-2003 files containing the macro.

Figure 9: السيرة الذاتية منال1.doc

The document shown in Figure 9 contains a resume of a woman from Abu-Dis, Palestinian

Figure 10: Employee-entitlements-2020.doc

The content of Employee-entitlements-2020.doc is a statement of the Ministry of Finance on civil and military employee benefits and salaries, discussing the controversial issue of Palestinian Authority employees that have not been paid or paid in full their salaries.

The content of the macro:

Clicking on the Enable Content button will cause the macro code to be executed. The macro code embedded in both documents files is not obfuscated, thus make our analysis easy and straight forward.

It simply downloads base64 string from URL hxxp://linda-callaghan[.]icu/Minkowski/brown and saves it as C:\ProgramData\IntegratedOffice.txt. The code then reads the text file and decode the base64 into the executable name as C:\ProgramData\IntegratedOffice.exe. At line 53-57, the macro will execute IntegratedOffice.exe and delete IntegratedOffice.txt.

The only difference between both macros is the download link, text file name, and executable file name.

Figure 11: diff command on both macros


The documents was been used as weaponization by the adversary which containing macro in the MS Office 97-2003 file.

Gamaredon Group: Template Injection

Based on MITRE [2], Gamaredon Group aka Primitive Bear is an adversary attributed to the Russian Federal Security Service that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government.

In November 2019, Ukrainian CERT (CERT-UA) reported a Gamaredon Cyberattacks against
military targets used malicious documents as part of their weaponization.

Figure 12: Decoy document

The lure document is written using the Ukrainian language mixed with special characters as shown in the above figure.

Figure 13: Template injection in setting.xlm.rels

Upon extracting the document, setting.xlm.rels containing a remote template injection which could lead to macro execution if a victim enables the content. The dot file was hosted at hxxp://win-apu[.]ddns[.]net/apu.dot. A .dot is a document template file for Microsoft word.

Figure 14: Macro content of apu.dot

Line 4-23 used to write two registry keys in "HKCU\Software\Microsoft\Office\" & Application.Version & _"\Word\Security\" and declare some of the variables such as URL, the path of executable, and path of a VBS file.

The registry setup on line 14 is used to enable AccessVBOM. When this setting is enabled, the MS Office will trust all macros and run any code without showing a security warning or requiring the user’s permission. While on line 15, it used to disable VBAWarnings which will enable all macros without showing the warning.

Line 25-35 (the original code has 151 lines) used for the writing of the VBS code in the Startup folder to make a persistence mechanism of their malicious file with the name “templates.VBS” declared at line 23. So, when the victim restarts their PC after been infected, the VBS file will be executed automatically.

The VBS file then will continue to do malicious activities.

Vicious Panda, The COVID Campaign: RTF exploit

Based on Check Point [3], their researcher discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus pandemic. They used embedded exploit of RTF document as initial access in their targets. 

One of the documents was written in the Mongolian language. Based on the header of the document, the document allegedly from the Mongolian Ministry of Foreign Affairs.

Figure 15: Information on Corona Virus in the document in the Mongolian language

The RTF was weaponized using a famous tool named RoyalRoad which is commonly used by Chinese APT. 

Figure 16: rtfobj result

As we run rtfobj on the file, we can clearly see an object named 8.t indicate RoyalRoad exploit kit was being used to build this RTF. This tool is not open-source software, yet it’s shared between multiple APT related to Chinese actors.

Based on the nao-sec researcher [4], the RTFs generated by RoyalRoad is supposed to satisfy the following two conditions:
  1. Exploit the vulnerability in the Equation Editor --> see figure 16 at id 1
  2. Have an object named 8.t in the RTF --> see figure 16 at id 0
Source: https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html

To find the version of the Royal Road, we're going to use rtfdump.py to dump our interested object and find the 8.1 encode hex byte in HxD or object pattern using a text editor.

Figure 17: rtfdump.py result

Because of obfuscation, there are a lot of them. To reduce the output but filtering for the entries that potentially contain the embedded objects, we can use -f O as shown in the figure below.

Figure 18: Filtering object

Our interesting object will be 331. To dump the object, issue parameter -s 331 -H -d > output

Another way to dump is by using rtfobj with parameter -s 1 -o .

Open the output file in Hex editor and start looking for the version based on this table by the nao-sec researcher.

Figure 19: RoyalRoad pattern

Finding the object pattern using the search feature in the text editor will lead us to the version of the Royal Road. 
Figure 20: Object pattern version 4-7 detected

To know which exact version being used, we can also search for the object string in a text editor.

Figure 21: Object string for version 7x detected

So, after the victim opens the specially crafted RTF document, and the Equation vulnerability is exploited, a file named intel.wll is dropped into the Word startup folder which continues the malicious actions in the victim's machine.

APT36: Excel Macro

APT36 is a Pakistan state-sponsored threat actor mainly targeting India. APT36 performs cyber-attack operations with the intent of collecting sensitive information from India. Red Drip team reported that APT36 was using a decoy health advisory document to spread their Remote Administration Tool (RAT) to the victims.

Below document, used by APT36 to spreads fake corona virus health advisory.

Figure 22: Decoy document contains a malicious macro code

Upon opening the XLS file, we will be greeted by the Microsoft Excel Security Notice saying the file containing macros and need to be enabled.

Figure 23: Warning from Excel

Enabling the Macros will allow the macro code to be executed and the excel will spawn a child process named dhrwarhsav.exe shown in the figure below.

Figure 24: Process hacker show child process of Excel.exe

Dumping out the malicious macro using oledump resulting below code:
Line 4-6:
  • When the Workbook is opened by a victim, it will call function userAldiLoadr which resides in Stream 12 start at line 47.
Line 54-64
  • It first declares the variable name of the file with the string dhrwarhsav same as the filename of the child process executable in Figure 24.
  • Then it creates directory names Edlacar and Uahaiws in ProgramData.
Figure 25: Edlacar and Uahaiws created

Line 69-784
  • First, check the OS version.
  • Then, the macro will get the RAT payload in zip format (in decimal) stored in one of the two textboxes in UserForm1 shown below.
Figure 26: UserForm1 content zip file

If we copy all the decimal numbers, remove ":" char, and decode it using CyberChef shown in figure 27, we will have the zip file and you can download and extract the zip file manually.

Figure 27: Convert the decimal into the zip file

  • Then it drops the zip into the Uahaiws folder and unzips its content using the “UnAldizip” function at line 36, dropping the executable into the Edlacar directory. Finally, it executes the executable shown in lines 41-42.

Kimsuky: Template Injection

Kimsuky is a North-Korean threat actor group. In early March 2020, this actor began using spear-phishing emails with COVID-19 in the subject with Docx attachment as their initial attack vector.

Figure 28: Content of the document

Upon opening the lure document, a victim will be greeted by a message asking for enabling the macro but the Enable Content prompt was not show as we suspect the remote template does not up anymore. Based on Figure 28, the decoy document likely targeting Mac users.

Supposedly, after enabling the content, the target in word/_rels/setting[.]xml[.]rels is triggered and load a Microsoft document template from the URL shown in the figure below.

Figure 29: hxxp://crphone.mireene.com/plugin/editor/Templates/normal[.]php?name=web host the template injection

The remote template document contains malicious macro code as following code:
Based on the code in the malicious macro above, this macro likely designed to target Mac and Windows users. At lines 22-26, we can see the macro will request and execute a Python code (fileless) hosted in hxxp://crphone[.]mireene.[]com. 

The rest malicious action will be done by the Python code completely in memory.


There is a lot of malicious documents released by APTs group actors in 2020 as we can't cover it all in a short blog post. The APT leverages various of techniques consisting DDE attack, Macro, Template Injection, RTF with exploit and Excel 4.0 Macro.

Others APTs leveraging malicious document:
  1. Patchwork (APT-C-09): Excel Macro
  2. Hades: .doc Macro
  3. TA505: Excel Macro
  4. Calypso Group: RTF with exploit (Royal Road)
  5. Ursnif Campaign: .doc Macro
  6. Ramsay toolkit v1-v2: CVE-2017-0199
  7. Hangover threat group (aka Neon, Viceroy Tiger, MONSOON): RTF with exploit
  8. TA410: .doc Macro
  9. APT40: Template Injection
  10. FakeSecurity: Excel Macro
  11. APT36: .doc Macro
  12. Gorgon APT: RTF with exploit CVE-2017-11882
  13. Hidden Cobra: Template Injection
  14. Hidden Cobra: .doc Macro
  15. APT-C-43: .doc Macro
  16. Lazarus: .doc Macro
  17. TA413: RTF with exploit 
  18. MuddyWater: Excel Macro
  19. Bandook malware: Template Injection
  20. APT36: Macro
  21. APT32: .doc Macro
Malicious documents have been common used with the spear-phishing attack in the initial infection phase of an APT attack in the cyber world. Thus, users and organizations need to take precautions and be more alert in facing this type of attack. Implementing security appliances and software is a must to an organization, as the mentioned security parameters will be their last defense against APTs attack.