{"id":6318,"date":"2017-01-23T15:50:20","date_gmt":"2017-01-23T23:50:20","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-156\/"},"modified":"2017-01-23T15:50:20","modified_gmt":"2017-01-23T23:50:20","slug":"news-156","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/01\/23\/news-156\/","title":{"rendered":"Malicious macro using a sneaky new trick"},"content":{"rendered":"<p>We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=TrojanDownloader:O97M\/Donoff\">TrojanDownloader:O97M\/Donoff<\/a> \u2013 a large family of Office-targeting macro-based malware that has been active for several years (see our <a title=\"MMPC blogs about macro-based malware\" href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/category\/macro-malware\/\" target=\"_blank\">blog category on macro-based malware<\/a> for more blogs).<\/p>\n<p>However, there wasn\u2019t an immediate, obvious identification that this file was actually malicious. It\u2019s a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the <strong>CommandButton<\/strong> elements).<\/p>\n<p><div id=\"attachment_7065\" style=\"width: 634px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/macro-form.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-7065 size-full\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/macro-form.jpg\" alt=\"Screenshot of VBA script editor showing the user form and list of modules\" width=\"624\" height=\"496\" \/><\/a><\/p>\n<p class=\"wp-caption-text\"><em>The VBA user form contains three buttons<\/em><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<p>The VBA modules look like legitimate SQL programs powered with a macro; no malicious code found there &#8230; However, after further investigation we noticed a strange string in the <strong>Caption<\/strong> field for <strong>CommandButton3<\/strong> in the user form.<\/p>\n<p>It appeared to be some sort of encrypted string.<\/p>\n<p>We went back and reviewed the other modules in the file, and sure enough \u2013 there\u2019s something unusual going on in <strong>Module2<\/strong>. A macro there (<em>UsariosConectados<\/em>)\u00a0decrypts the string in the <strong>Caption<\/strong> field for <strong>CommandButton3<\/strong>, which turns out to be a URL. It uses the deault <em>autoopen()<\/em> macro to run the entire VBA project when the document is opened.<\/p>\n<p><div id=\"attachment_7055\" style=\"width: 634px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/macro2.png\" target=\"_blank\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-7055 size-full\" src=\"https:\/\/msdnshared.blob.core.windows.net\/media\/2016\/05\/macro2.jpg\" alt=\"Screenshot of the VBA macro script in Module2 that decrypts the Caption string\" width=\"624\" height=\"469\" \/><\/a><\/p>\n<p class=\"wp-caption-text\"><em>The macro script in Module2 decrypts the string in the Caption field<\/em><\/p>\n<\/div>\n<p>&nbsp;<\/p>\n<p>The macro will connect to the\u00a0URL (<em>hxxp:\/\/clickcomunicacion.es\/&lt;uniqueid&gt;<\/em>) to download a payload which we detect as <a href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:Win32\/Locky\">Ransom:Win32\/Locky<\/a> (SHA1: b91daa9b78720acb2f008048f5844d8f1649a5c4).<\/p>\n<p>The VBA project (and, therefore, the macro) will automatically run if the user enables macros when opening the file &#8211; our strongest suggestion for the prevention of Office-targeting macro-based malware is to only enable macros if you wrote the macro yourself, or completely trust and know the person who wrote it.<\/p>\n<p>See our <a title=\"MMPC July threat report - Macros\" href=\"https:\/\/www.microsoft.com\/security\/portal\/enterprise\/threatreports_july_2015.aspx\" target=\"_blank\">threat intelligence report on macros<\/a> and our <a title=\"MMPC page about macro-based malware\" href=\"https:\/\/www.microsoft.com\/security\/portal\/threat\/macromalware.aspx\" target=\"_blank\">macro-based malware page<\/a> for further\u00a0guidance on preventing and recovering from these types of attacks.<\/p>\n<p>-Marianne Mallen and Wei Li<br \/> MMPC<\/p>\n<p><a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2016\/05\/17\/malicious-macro-using-a-sneaky-new-trick\/\" target=\"bwo\" >https:\/\/blogs.technet.microsoft.com\/mmpc\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We recently came across a file (ORDER-549-6303896-2172940.docm, SHA1: 952d788f0759835553708dbe323fd08b5a33ec66) containing a VBA project that scripts a malicious macro (SHA1: 73c4c3869304a10ec598a50791b7de1e7da58f36). We added it under the detection TrojanDownloader:O97M\/Donoff \u2013 a large family of Office-targeting macro-based malware that has been active for several years (see our blog category on macro-based malware for more blogs). However, there wasn\u2019t&#8230;<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10759,10378],"tags":[10807,10760,10879,10868,10795,10515,10806,3764,10803,3245,3765,10510,10880,10881,10761,10762,10882],"class_list":["post-6318","post","type-post","status-publish","format-standard","hentry","category-microsoft","category-security","tag-antimalware","tag-antimalware-research-for-it-pros-and-enthusiasts","tag-donoff","tag-guidance","tag-locky","tag-macro","tag-macro-based-malware","tag-malware","tag-malware-research","tag-office","tag-ransomware","tag-social-engineering","tag-vba","tag-vbascript","tag-windows-10","tag-windows-defender","tag-word"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6318","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6318"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6318\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6318"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6318"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6318"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}