# [QuickNote] Analysis of malware suspected to be an APT attack targeting Vietnam **kienmanowar.wordpress.com/2022/01/26/quicknote-analysis-of-malware-suspected-to-be-an-apt-attack-targeting-** vietnam/ January 25, 2022 Recently, on the twitter of [Shadow Chaser Group, they tweet information about malware](https://twitter.com/ShadowChasing1) sample that targeting Vietnam. ----- _Sample info:_ **SHA-256:** [341dee709285286bc5ba94d14d1bce8a6416cb93a054bd183b501552a17ef314](https://www.virustotal.com/gui/file/341dee709285286bc5ba94d14d1bce8a6416cb93a054bd183b501552a17ef314/details) **ITW:** `Bien ban thong nhat ke hoach dao tao_VPB.Voffice.docx` **Submitted from VN:** `2022-01-24 02:52:14 UTC` ----- Cause this sample related to Vietnam, so I decided to taking time to perform a quick analysis of this malicious document. A quick check of this document shows that it uses the Template Injection technique. The advantage of this technique is that when the user open the file, it will automatically download the `fav.ico` file from the address ``` hxxp://office[.]oiqezet[.]com/portals/office/fav.ico . ``` ----- In addition, based on the ` tag information, it is possible to know that the` attacker created this document from `Office 2010 :` At the time of analysis, I could still download the `fav.ico` (MD5: 9521e4138fd0e6996072778cd4f1f06a) file: The downloaded `fav.ico file is not a PE file, it is an` `RTF file :` ----- Checking it with the `rtfobj tool, the results show that this RTF file has an embedded` object named `qax23.xp, with size: 167831 bytes, and has MD5 =` ‘ 935553d110e5ded158006d0679226641 ‘. [This technique reminds me some of samples that I’ve analyzed before: [1], [2], [3], [4].](https://blog.vincss.net/2021/05/re022-part1-quick-analysis-of-malicious-sample-forging-the-%20official-dispach-of-the-Central-Inspection-Committee.html) Thanks to [nao_sec for updating the](https://twitter.com/nao_sec) `rr_decoder tool to decode the encrypted object.` ----- After dumping the object and then use `rr_decoder, I got the Dll file with the original name` ``` Download.dll. ``` ----- Here is the result when I upload this Dll to tria.ge site: https://tria.ge/220124k8nknsdhf8/behavioral1 ----- As shown in the figure, the malware after executing will send encrypted data to the address ``` http://office[.]oiqezet[.]com/portals/office/log.php?, whereby the IP address ``` of remote address is from Vietnam. To be able to decode the above data, I quickly reversed code of the Dll file. The code of this Dll shows that it will collect and aggregate information about the victim’s computer, including: `Host Name, OS Name, OS Version, System type, Architecture,` ``` User Name, InternetInformation, Antivirus product . ``` ----- All collected information will be encrypted with the RC4 algorithm, with the encryption/decryption key is `"123abc", then this encrypted data will continue to be` encoded by the Base64 algorithm before being sent to C2 as picture above. ----- [Based on the analysis results, by using CyberChef, I can decrypt the encrypted data when](https://gchq.github.io/CyberChef) sent to C2 as follows: End. Regards, m4n0w4r -----