Microsoft Warns of Sneaky New Macro Trick

Microsoft warns of new technique to distribute macro malware that can evade standard virus detection, according to security experts.

Microsoft is warning of an innovative new technique attackers are using to sneak macro malware past virus detection engines and add to the already huge uptick in reported macro attacks.

Researchers at Microsoft’s Malware Protection Center stumbled upon the technique in a file containing VBA project scripts along with a sample of a well-known malicious macro family, TrojanDownloader:O97M/Donoff. It wasn’t the malware that piqued Microsoft’s interest; it was the attacker’s never-before-seen obfuscation technique.

It wasn’t immediately obvious that the macro file was actually malicious, wrote Marianne Mallen and Wei Li, both antivirus researchers at the Microsoft Malware Protection Center, who co-authored a blog post earlier this week on their discovery. “It [was] a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements),” wrote both authors.

The VBA user form contains three buttons. One of the buttons contained the encrypted URL.


The researchers said at first the VBA modules looked legit. “No malicious code found there … However, after further investigation we noticed a strange string in the Caption field for CommandButton3 in the user form,” the researchers wrote.

As it turned out, the attackers were embedding the malware using a “sneaky new trick.” Upon further inspection, Microsoft said the attacker stored commands inside the name of a macro button. When the macro executed, it decrypted the data string used as the button’s name. That data string contained commands to visit a specific URL from which the malware could be downloaded onto the targeted computer.

“The macro will connect to the URL (hxxp://<uniqueid>) to download a payload which we detect as Ransom:Win32/Locky,” Microsoft wrote.

“After the macro runs, it is instructed to find the button and extract the (button’s) name. Next, take that string (or the button’s name) and decrypt it. Then the URL downloads the executable,” commented Ryan Olson, researcher at Palo Alto, in an interview with Threatpost. Olson said he has never seen this technique before, but there is nothing remarkable about the macro. “The Microsoft find is yet another iteration of a macro that uses a slightly different technique to evade detection.” He said the technique is slick, but par for the course in the whack-a-mole arms race to trick and detect macros.
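The detection angle in the paragraphs above is that the URL never appears in the VBA code itself; it lives, encrypted, in the Caption of a form control. The following triage script is an added example (not Microsoft’s or Palo Alto’s code) that scores form-control captions for the tell-tale signs of embedded data: long, unspaced strings drawn from a base64- or hex-like alphabet with high Shannon entropy, with an extra flag when the control is also hidden. In practice the control records would come from a VBA form dump (for example olevba from oletools); here the `FormControl` records, the control names and the 64-character caption are constructed sample data, and the thresholds (32 characters, 3.5 bits per character) are assumed starting points to tune against your own document corpus.

```python
import math
import re
from dataclasses import dataclass


@dataclass
class FormControl:
    """One control from a VBA user form (constructed stand-in for an olevba dump)."""
    form: str
    name: str
    caption: str
    visible: bool = True


def shannon_entropy(s: str) -> float:
    """Bits per character; legitimate button labels sit well below 3.5."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Alphabet typical of base64 / base64url / hex blobs (no spaces or punctuation).
_ENCODED_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def suspicious_caption(caption: str, min_len: int = 32, min_entropy: float = 3.5):
    """Return the list of reasons a caption looks like smuggled data (empty if benign)."""
    reasons = []
    if len(caption) < min_len:
        return reasons  # "OK", "Cancel", "Submit" never reach the length gate
    if " " not in caption:
        reasons.append(f"long unspaced string ({len(caption)} chars)")
    if _ENCODED_RE.match(caption):
        reasons.append("base64/hex-like alphabet")
    ent = shannon_entropy(caption)
    if ent >= min_entropy:
        reasons.append(f"high entropy ({ent:.2f} bits/char)")
    return reasons


def triage_controls(controls):
    """Return (form, control name, reasons) for every control worth an analyst's look."""
    findings = []
    for c in controls:
        reasons = suspicious_caption(c.caption)
        if reasons and not c.visible:
            # A hidden control carrying a data blob is the pattern the article describes.
            reasons.append("control hidden (Visible=False)")
        if reasons:
            findings.append((c.form, c.name, reasons))
    return findings


# Constructed sample: two ordinary buttons and one hidden button whose caption
# is a random-looking 64-character blob (it decodes to nothing; placeholder only).
SAMPLE_CONTROLS = [
    FormControl("UserForm1", "CommandButton1", "OK"),
    FormControl("UserForm1", "CommandButton2", "Cancel"),
    FormControl(
        "UserForm1",
        "CommandButton3",
        "pL9xK2mQv7RzT4bNwE8sHcY1uJ6aGd0fXo3iVr5tMqZ2eBkW9nU4yAs7hC1jPl8D",
        visible=False,
    ),
]


if __name__ == "__main__":
    for form, name, reasons in triage_controls(SAMPLE_CONTROLS):
        print(f"{form}.{name}: " + "; ".join(reasons))
```

Run on the constructed sample, only CommandButton3 is reported, with all four reasons. The entropy and length gates are deliberately coarse: the goal is to surface the handful of controls an analyst should decrypt by hand, not to replace a sandbox detonation.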

According to Palo Alto, macro attacks are on the rise. This year Palo Alto reports 1.2 million instances of the Bartallex family of malware delivered via malicious macro documents, up from 100,000 instances of Bartallex macro malware last year.

“We suspect that macro-based attacks are experiencing a resurgence from the late 1990s. There are a whole new pool of victims that don’t remember how dangerous macros were and are learning the hard way to never trust macros unless sent from a 100 percent reliable source,” Olson said.

  • L on

    Not very 'sneaky' considering the Dridex gang have been using this tactic for a while. The locky crew seem to be rehashing old dridex campaigns.
  • ScriptKill on

    They (MS) have pushed Office to the edge with VBA, allowing users to do too much there. Look at the bottom of the picture where it shows a partial "Visible" property. Similar to programming in Visual Studio, you can make malicious objects not visible, one object calling another. VBA was extended too far into the programmer's domain, crossing the line. How many end-users check the macro or VBA before using a document? It is a cheap trick, yet another reinforcement that meta-documents suck... and still the gullibility of email attachments. Employers should provide a second email system; one that doesn't escape the building or take in forwards from external accounts. Just an idea.
  • Mark on

    Whenever my past employer had issues receiving an email, because it had Macros enabled, I told them - block it. Never ever accept Macro enabled Office documents from global senders. If you want to share Macro-enabled Office documents within the Office, use a network shared folder. This eliminates one vector, of many, that enable malicious publishers into a network. Others will require more education on a user's part, namely to be wise enough to question each Website and email sent to them.
  • Scott on

    A number of organizations are adding a layer of structural sanitization to their existing email and web gateways to remove just the macros and allow the rest of the email/attachment or web download to continue without disruption.
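Two of the commenters above describe gateway controls: blocking macro-enabled Office documents from external senders, and sanitizing attachments structurally rather than relying on signature matching. The script below is an added example (not from any commenter, Threatpost or Microsoft) of the decision such a gateway can make without executing anything: it blocks on a macro-enabled extension, then opens the OOXML zip container and blocks if a `vbaProject.bin` part is present regardless of the file name, and routes legacy OLE2 binaries (the `.doc`/`.xls` formats, identified by their magic bytes) to review because their macro storage needs a dedicated parser. The `build_docx` helper, the extension list and the verdict names are assumptions made for this example; the fabricated documents it creates are minimal constructed containers, not real Word files.

```python
import io
import os
import zipfile

# Extensions Office itself treats as macro-enabled (assumed policy list for this example).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam", ".ppsm"}

# The part name Office uses for a VBA project inside an OOXML (zip) container.
MACRO_PART = "vbaProject.bin"

# Magic bytes of the legacy OLE2 compound file format (.doc, .xls, .ppt).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def has_ooxml_macro(data: bytes) -> bool:
    """True when a zip-based Office document carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    # Compare on the final path component so word/, xl/ and ppt/ are all covered.
    return any(n.rsplit("/", 1)[-1] == MACRO_PART for n in names)


def classify_attachment(filename: str, data: bytes):
    """Return (verdict, reason): 'block', 'review' or 'allow'."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in MACRO_EXTENSIONS:
        return "block", f"macro-enabled extension {ext}"
    if has_ooxml_macro(data):
        return "block", f"{MACRO_PART} present inside OOXML container"
    if data.startswith(OLE_MAGIC):
        return "review", "legacy OLE2 binary; inspect VBA storage with a dedicated parser"
    return "allow", "no macro indicators"


def build_docx(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip (hypothetical test fixture, not a real .docx)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(f"word/{MACRO_PART}", b"\x00constructed-placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("report.docx", build_docx(with_macro=False)),
        ("report.docx", build_docx(with_macro=True)),   # renamed .docm, same container
        ("invoice.docm", build_docx(with_macro=True)),
        ("old-memo.doc", OLE_MAGIC + b"\x00" * 16),
    ]
    for name, blob in samples:
        verdict, reason = classify_attachment(name, blob)
        print(f"{name:14} -> {verdict:6} ({reason})")
```

The container check is the part that matters: an extension filter alone passes a macro-bearing file that has simply been renamed, while inspecting the zip part list catches it before any Office component ever opens the document.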
