I started tracking this activity when I observed a lot of malicious DOC files submitted to VT with the dhash value 6801012121018101.
6801012121018101 is the dhash value of the image file (mentioned below) that is used in the DOC file; all files containing this image can be searched for in VT using main_icon_dhash:6801012121018101
More info about main_icon_dhash – https://blog.virustotal.com/2019/03/time-for-vt-enterprise-to-step-up.html
A search in VT with the dhash returns 307 files as of today (16th April 2020); the first file submission was on 2020-04-01 17:28:44.
Taking a look at one of the recent samples, c274495c33118c48992cf25a68272d5d3b6030f5bf9f6aa917cf885c0d807b51, we can see that once macros are enabled, the below PowerShell code gets executed:
The Base64 strings decode to the following:
aHR0cDovL3JldHJvYmFuZC51ay93cC1jb250ZW50L3VwbG9hZHMvMjAyMC8wNC9zbGlkZXIvNDQ0NDQ0LnBuZw Decodes to hxxp://retroband[.]uk/wp-content/uploads/2020/04/slider/444444[.]png
QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl Decodes to C:\Users\Public\tmpdir\file
The PE file (served with a .png extension) is downloaded from hxxp://retroband[.]uk/wp-content/uploads/2020/04/slider/444444[.]png, moved to c:\users\public\tmpdir\file1.exe and executed. From the below connection, we can see that there is no ‘User-Agent’ header in this communication.
The downloaded PE file is a QakBot sample: afcaa6e39a0b282c4ddccbaaa3ea00d47aa4aaff6e8f43ae5ded2c988ebae412
Taking a look at the other malicious DOC files, the samples communicate with the malicious URLs below (most of them pointing to 444444[.]png); I verified that the active ones are still delivering QakBot samples:
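As an added triage helper (not code from the original post), the Python below decodes the two Base64 strings from the macro, including the URL string, which was pasted without its "==" padding, and flags the two indicators this analysis relies on: a fetch with no User-Agent and a .png URL that returns a PE (MZ) rather than PNG bytes. The response bytes fed to the check are constructed, not taken from the sample.

```python
import base64
import re

# Base64 strings exactly as they appear in the macro's PowerShell above. The URL
# string was pasted without its trailing "==" padding, so a strict decoder such
# as [Convert]::FromBase64String would reject it as-is.
URL_B64 = "aHR0cDovL3JldHJvYmFuZC51ay93cC1jb250ZW50L3VwbG9hZHMvMjAyMC8wNC9zbGlkZXIvNDQ0NDQ0LnBuZw"
PATH_B64 = "QzpcVXNlcnNcUHVibGljXHRtcGRpclxmaWxl"

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every real PNG file


def decode_b64_lenient(s: str) -> str:
    """Decode Base64 text whose '=' padding may have been stripped."""
    s = re.sub(r"\s+", "", s)
    s += "=" * (-len(s) % 4)           # restore padding to a multiple of 4
    return base64.b64decode(s, validate=True).decode("utf-8")


def defang(url: str) -> str:
    """Rewrite a URL in the hxxp / [.] form used for safe reporting."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def triage_download(url: str, user_agent: str, body: bytes) -> list:
    """Return the indicators from this analysis that apply to one HTTP fetch.

    body is the start of the response; a few dozen bytes is enough."""
    findings = []
    if not user_agent.strip():
        findings.append("no User-Agent header")
    if url.lower().endswith(".png") and not body.startswith(PNG_MAGIC):
        if body.startswith(b"MZ"):
            findings.append("PE file served with .png extension")
        else:
            findings.append("non-PNG content served with .png extension")
    return findings


if __name__ == "__main__":
    url = decode_b64_lenient(URL_B64)
    print("download URL:", defang(url))
    print("drop path   :", decode_b64_lenient(PATH_B64))
    # Constructed sample response: a fake PE header fetched with no User-Agent.
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60
    for finding in triage_download(url, "", fake_pe):
        print("ALERT:", finding)
```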
The DOC/PE file list is uploaded to https://pastebin.com/raw/319K9r7t