Malicious MS Office files are spreading Golroted malware

April 3, 2019

SonicWall CaptureLabs Threats Research Team identified a new wave of malicious Office files being distributed via phishing emails, which download malware belonging to the Golroted family. We are observing MS-Excel, MS-Word and RTF files being used to spread the malware. VBA macro code is used to download and execute the Golroted sample.

The URL from which the malware is downloaded is stored in the file in an encrypted form, which is decrypted by the macro. In an MS-Word file, the encrypted data is stored as an ActiveDocument variable, whereas in an MS-Excel file, the encrypted data is stored in one of the cells above 100, as shown below:

Fig-1: Encrypted data in a MS-Excel file

The malicious document file has an embedded image and will appear as shown below:

Fig-2: malicious MS-Word file

To evade detection and deceive the user, an RTF file which carries one or more malicious MS-Excel files is also used to spread this malware. The RTF file will look as shown below:

Fig-3: RTF File

Some clean macro code, which could confuse a researcher, has also been added to the malicious macro, as shown below.

Fig-4: Macro code
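
As an added example (not SonicWall's code or signature logic), the following Python function triages macro source that has already been extracted from a document for the storage pattern described above: an auto-run entry point combined with a read from an ActiveDocument variable or from a cell with an index above 100, reported per line so that padding code can be skipped. Reading "above 100" as a row or column index, the auto-run names checked, and the sample macros with the `Unscramble` name are assumptions constructed for illustration.

```python
import re

# Assumption: "cells above 100" is read as a row or column index over 100.
CELL_THRESHOLD = 100
AUTOEXEC = re.compile(r"\b(Auto_?Open|Document_Open|Workbook_Open)\b", re.I)
DOC_VAR = re.compile(r"\bActiveDocument\.Variables\b", re.I)
CELLS = re.compile(r"\bCells\(\s*(\d+)\s*,\s*(\d+)\s*\)", re.I)
RANGE = re.compile(r'\bRange\(\s*"\$?[A-Z]{1,3}\$?(\d+)"', re.I)

def strip_comment(line):
    """Drop a trailing apostrophe comment, ignoring apostrophes inside strings."""
    in_string = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_string = not in_string
        elif ch == "'" and not in_string:
            return line[:i]
    return line

def triage(vba_source):
    """Return (suspicious, findings) for macro source extracted from a file."""
    findings = []
    for lineno, raw in enumerate(vba_source.splitlines(), 1):
        code = strip_comment(raw)
        if AUTOEXEC.search(code):
            findings.append((lineno, "autoexec"))
        if DOC_VAR.search(code):
            findings.append((lineno, "doc_variable"))
        far = [int(n) for m in CELLS.finditer(code) for n in m.groups()]
        far += [int(m.group(1)) for m in RANGE.finditer(code)]
        if any(n > CELL_THRESHOLD for n in far):
            findings.append((lineno, "far_cell"))
    kinds = {kind for _, kind in findings}
    suspicious = "autoexec" in kinds and bool(kinds & {"doc_variable", "far_cell"})
    return suspicious, findings

# Constructed samples; Unscramble is a hypothetical decryption routine name.
WORD_SAMPLE = '''Sub Document_Open()
    ' padding: ActiveDocument.Variables appears only in this comment
    blob = ActiveDocument.Variables("cfg").Value
    target = Unscramble(blob)
End Sub'''
EXCEL_SAMPLE = '''Sub Workbook_Open()
    note = "it's padding"
    blob = Sheets(1).Cells(137, 4).Value
End Sub'''

if __name__ == "__main__":
    for name, src in (("word", WORD_SAMPLE), ("excel", EXCEL_SAMPLE)):
        print(name, triage(src))
```

A hit marks the lines an analyst should read first; it does not recover the URL, since the page does not describe the encryption routine.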


SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: MalOffice.G1 (Trojan)
  • GAV: MalOffice.G2 (Trojan)
  • GAV: MalOffice.G3 (Trojan)
  • GAV: MalOffice.G4 (Trojan)
  • GAV: MalOffice.G5 (Trojan)
  • GAV: MalOffice.G6 (Trojan)

This threat is detected pro-actively by Capture ATP w/RTDMI.

Indicators Of Compromise:

Presence of following hash:


Network traffic to following URLs:
