Malicious MS Office files are spreading Golroted malware


The SonicWall Capture Labs Threats Research Team has identified a new wave of malicious Office files, distributed via phishing emails, that download malware belonging to the Golroted family. MS-Excel, MS-Word and RTF files are being used to spread the malware. VBA macro code downloads and executes the Golroted sample.

The URL from which the malware is downloaded is stored in the file in encrypted form and is decrypted by the macro. In the MS-Word file, the encrypted data is stored as an ActiveDocument variable, whereas in the MS-Excel file it is stored in one of the cells above 100, as shown below:

Fig-1: Encrypted data in a MS-Excel file
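
The following added example (not SonicWall's tooling or code from the analysed samples) lists the two storage locations described above, Word document variables and text cells in Excel rows past 100, so an analyst can review them alongside macro presence. It assumes OOXML containers (.docm/.xlsm) rather than legacy binary files, reads "cells above 100" as row numbers greater than 100, and runs on constructed sample files; `triage_ooxml`, `cell_text`, `make_zip` and the sample names are hypothetical.

```python
import io, re, zipfile
import xml.etree.ElementTree as ET  # use defusedxml instead when parsing untrusted samples

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
S = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
MIN_ROW = 100  # assumption: "cells above 100" means row numbers greater than 100

def cell_text(el):  # concatenate every <t> text run under an element
    return "".join(t.text or "" for t in el.iter(S + "t"))

def triage_ooxml(data):
    """Report macro presence, Word document variables, and text cells past MIN_ROW."""
    out = {"has_macros": False, "doc_vars": [], "far_cells": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        out["has_macros"] = any(n.endswith("vbaProject.bin") for n in names)
        if "word/settings.xml" in names:  # ActiveDocument.Variables are serialised here
            for dv in ET.fromstring(z.read("word/settings.xml")).iter(W + "docVar"):
                out["doc_vars"].append((dv.get(W + "name"), dv.get(W + "val")))
        shared = []
        if "xl/sharedStrings.xml" in names:  # table referenced by t="s" cells
            sst = ET.fromstring(z.read("xl/sharedStrings.xml"))
            shared = [cell_text(si) for si in sst.iter(S + "si")]
        for n in (n for n in names if re.fullmatch(r"xl/worksheets/[^/]+\.xml", n)):
            for c in ET.fromstring(z.read(n)).iter(S + "c"):
                m = re.fullmatch(r"[A-Z]+(\d+)", c.get("r", ""))
                if not m or int(m.group(1)) <= MIN_ROW:
                    continue
                v = c.find(S + "v")
                val = (v.text or "") if v is not None else ""
                if c.get("t") == "s" and val.isdigit() and int(val) < len(shared):
                    val = shared[int(val)]
                elif c.get("t") == "inlineStr":
                    val = cell_text(c)
                elif c.get("t") != "str":
                    continue  # numeric/boolean cells skipped (assumes a text payload)
                out["far_cells"].append((n, c.get("r"), val))
    return out

def make_zip(parts):  # build a constructed OOXML-style container in memory
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in parts.items():
            z.writestr(name, body)
    return buf.getvalue()
# Constructed samples (not the analysed files); PLACEHOLDER-BLOB stands in for encrypted data.
SAMPLE_DOCM = make_zip({"word/vbaProject.bin": b"", "word/settings.xml":
    '<w:settings xmlns:w="%s"><w:docVars><w:docVar w:name="cfg" w:val="PLACEHOLDER-BLOB"/></w:docVars></w:settings>' % W[1:-1]})
SAMPLE_XLSM = make_zip({"xl/vbaProject.bin": b"", "xl/worksheets/sheet1.xml":
    '<worksheet xmlns="%s"><sheetData><row r="1"><c r="A1"><v>5</v></c></row><row r="137"><c r="C137" t="inlineStr"><is><t>PLACEHOLDER-BLOB</t></is></c></row></sheetData></worksheet>' % S[1:-1]})
```

A document that contains macros and also has a non-empty `doc_vars` or `far_cells` list is worth closer review; neither finding is malicious on its own.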

The malicious document has an embedded image and appears as shown below:

Fig-2: Malicious MS-Word file

To evade detection and deceive users, an RTF file which carries one or more malicious MS-Excel files is also used to spread this malware. The RTF file looks as shown below:

Fig-3: RTF File

Some clean macro code has also been added to the malicious macro, as shown below, which could confuse a researcher.

Fig-4: Macro code


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: MalOffice.G1 (Trojan)
  • GAV: MalOffice.G2 (Trojan)
  • GAV: MalOffice.G3 (Trojan)
  • GAV: MalOffice.G4 (Trojan)
  • GAV: MalOffice.G5 (Trojan)
  • GAV: MalOffice.G6 (Trojan)

This threat is detected proactively by Capture ATP w/RTDMI.

Indicators of Compromise:

Presence of the following hashes:


Network traffic to the following URLs:
