Malicious Word document disguised as a reward-payment request (External connection + VBA macro)
2021-03-26 • AhnLab • Malicious Word document disguised as a reward request (External connection + VBA macro)
AhnLab analyzed a malicious Word document disguised as a reward-payment request that combined an external template connection with embedded VBA macro code. The document contacted ftcpark59.getenjoyment.net through URLs in both the external connection and the macro code, used a deliberately renamed settings.yml macro component, and attempted to weaken Microsoft Office macro security by modifying VBAWarnings registry values across multiple Office versions. When triggered by user input, the macro collected the names of running services and processes and sent them to the C2 endpoint. AhnLab assessed that additional payload delivery could occur if the server responded.
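A detection sketch for the VBAWarnings change described above, added here as an example and not taken from the AhnLab report: it scans registry value-set events for VBAWarnings being set to 1 (enable all macros) and flags a process that does so for several Office versions. The event field names are modelled on Sysmon event ID 13, and the sample events, SID, version numbers and function names are constructed assumptions.

```python
import re
from collections import defaultdict

# Per-user or policy VBAWarnings value for any Office version and application.
KEY_RE = re.compile(
    r"\\Software\\(?:Policies\\)?Microsoft\\Office\\(?P<ver>\d+\.\d+)\\"
    r"(?P<app>[^\\]+)\\Security\\VBAWarnings$", re.IGNORECASE)
DWORD_RE = re.compile(r"DWORD \(0x([0-9a-fA-F]{8})\)")
ENABLE_ALL_MACROS = 1  # 2 = notify (default), 3 = signed only, 4 = disable all

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
REG = r"C:\Windows\System32\reg.exe"
HKU = r"HKU\S-1-5-21-1111-2222-3333-1001\Software"
# Constructed sample events (assumed layout, not data from the report).
SAMPLE_EVENTS = [dict(Image=i, TargetObject=HKU + k, Details=d) for i, k, d in [
    (WORD, r"\Microsoft\Office\14.0\Word\Security\VBAWarnings", "DWORD (0x00000001)"),
    (WORD, r"\Microsoft\Office\15.0\Word\Security\VBAWarnings", "DWORD (0x00000001)"),
    (WORD, r"\Microsoft\Office\16.0\Word\Security\VBAWarnings", "DWORD (0x00000001)"),
    # Hardening change by an administrator: must not be flagged.
    (REG, r"\Microsoft\Office\16.0\Word\Security\VBAWarnings", "DWORD (0x00000004)"),
    # Different value under the same key: out of scope for this rule.
    (WORD, r"\Microsoft\Office\16.0\Word\Security\AccessVBOM", "DWORD (0x00000001)"),
]]

def find_downgrades(events):
    """Return events that set VBAWarnings to 'enable all macros'."""
    hits = []
    for ev in events:
        key = KEY_RE.search(ev.get("TargetObject", ""))
        val = DWORD_RE.fullmatch(ev.get("Details", "").strip())
        if key and val and int(val.group(1), 16) == ENABLE_ALL_MACROS:
            hits.append({"image": ev["Image"], "version": key["ver"],
                         "app": key["app"]})
    return hits

def multi_version_writers(hits, threshold=2):
    """Processes that lowered macro security for several Office versions."""
    seen = defaultdict(set)
    for h in hits:
        seen[h["image"]].add(h["version"])
    return {img: sorted(v) for img, v in seen.items() if len(v) >= threshold}

if __name__ == "__main__":
    hits = find_downgrades(SAMPLE_EVENTS)
    for img, versions in multi_version_writers(hits).items():
        print(f"ALERT {img} enabled all macros for Office {', '.join(versions)}")
```

A single process writing this value under several version keys is unusual for normal Office use, which is why the second function groups hits by writer instead of alerting on each event alone.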
Indicators of Compromise
| Type | Value | First Seen | Last Seen |
|---|---|---|---|
| DOMAIN | ftcpark59.getenjoyment.net | 2021-03-26 | 2021-09-01 |
| URL | http://ftcpark59.getenjoyment.n… | 2021-03-26 | 2021-03-26 |
| URL | http://ftcpark59.getenjoyment.n… | 2021-03-26 | 2021-03-26 |
| URL | http://ftcpark59.getenjoyment.n… | 2021-03-26 | 2021-03-26 |