Macro-enabled documents for downloading Malware

Product / Version includes:

Applies to all products

Last updated: 2025/05/08

Solution ID: KA-0011087

Category: Remove a Malware / Virus

Summary

Macro is a set of commands that automates a software to perform a certain action. Threat actors took advantage of this and came up with Macro Malwares. This form of malware is known for being abusive of the VBA (Visual Basic for Application) programming in Microsoft Office macros to spread other forms of malware. These are often delivered through phishing emails, wherein the attacker lures the recipient to open the attached document. Once opened, security warning will show on the page and the document will instruct the recipient to “Enable Content”. After that, the macro will run and the recipient is affected.

What the malicious macro typically does upon enabling is that it executes a base64 PowerShell code which will download a file in %UserProfile% or in %Temp%. This downloaded file will run soon afterwards.

Infection Chain:

Behaviors:

Delivers other malware payloads
Uses macro
Steals computer data, computer name, system local, operating system (OS) version and running processes

Impact:

Compromised system security, with backdoor capabilities that can execute malicious commands

Sample Spam (Invoice Attachment)

Sample Document - "Enable Content"

MS Word

MS Excel

Sample Macro

MS Word

MS Excel

MITRE ATT&CK Matrix

BEHAVIOR	TACTIC	TECHNIQUE
Malware arrives as an attachment	Initial Access	T1566.001 Phishing: Spearphishing Attachment
Victim is lured into opening the attachment	Execution	T1204.002 User Execution: Malicious File
Downloaded document has obfuscated macros to hide URLs hosting the malware	Defense Evasion	T1027 Obfuscated Files or Information
Macro-enabled document will download and execute payload using powershell command	Execution	T1059.005 Command and Scripting Interpreter: Visual Basic T1059.001 Command and Scripting Interpreter: PowerShell

Available Solutions:

Solution Modules	Solution Available	Pattern Branch	Release Date	Detection/Policy/Rules
Email Protection	Yes	AS Pattern 5630	August 28, 2020	-
URL Protection	Yes	In the Cloud	-	-
Advanced Threat Scan Engine (ATSE)	Yes	16.191.00	August 28, 2020	-
Predictive Learning (TrendX)	Yes	In the Cloud	-	Downloader.VBA.TRX.XXVBAF01FF009
File detection (VSAPI)	Yes	ENT OPR 16.191.00	August 28, 2020	Trojan.W97M.EMOTET.TIOIBEKL Trojan.W97M.EMOTET.TIOIBEKN Trojan.W97M.ICEDID.AL Trojan.W97M.POWLOAD.EMI Trojan.W97M.POWLOAD.EMJ Trojan.W97M.POWLOAD.TIOIBEMH Trojan.W97M.POWLOAD.TIOIBEMN Trojan.W97M.TRICKBOT.OD Trojan.X97M.POWLOAD.USMANFOGEK Trojan.X97M.POWLOAD.USNA
Behavioral Monitoring (AEGIS)	Yes	TMTD OPR 2163	August 27, 2020	4560T

Additional Threat Information Reference:

Recommendations:

Always enable/use macro security function on Microsoft Word and Excel.
Be extremely cautious about enabling macros. If there is any doubt about the authenticity of an email urging you to download a Word or Excel document, forward the contents to a member of the IT staff.
If you continuously receive email attachments with macro from spam campaigns, you may utilize IMSVA’s macro scanning.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Macro-enabled documents for downloading Malware

Macro-enabled documents for downloading Malware

Product / Version includes:

Summary