Connect with us

Hi, what are you looking for?


Malware & Threats

Office Loader Uses Macros to Drop Array of Malware

A recently discovered Microsoft Office loader uses malicious macros to drop multiple malware families, Palo Alto Networks security researchers warn.

A recently discovered Microsoft Office loader uses malicious macros to drop multiple malware families, Palo Alto Networks security researchers warn.

More than 650 unique samples of this loader have been observed since initial detection in early December 2016, accounting for 12,000 malicious sessions targeting numerous industries. The loader, researchers say, is being delivered via email and employs heavily obfuscated malicious macros and a user account control (UAC) bypass technique to compromise targeted systems.

The roughly 12,000 phishing email runs distributing the loader used a variety of subject lines, claiming to be purchase orders, requests for quotation, purchase enquiries, and email verification notifications, among others. The attached malicious documents were masquerading as invoices, product lists, deposit slips, or document scans, and more.

High Tech, Professional and Legal Services, and Government were some of the most affected industries, Palo Alto Networks says. However, the distribution campaigns leveraging this loader have been targeting other sectors as well, including Wholesale, Telecoms, and Services.

Some of the malware families dropped using this loader included LuminosityLink, KeyBase, PredatorPain, Ancalog, Bartalex, Pony, and DarkComet.

“Based on the large amount of commodity malware families being dropped, as well as the wide distribution seen, this loader appears to primarily be used for widespread campaigns,” the security researchers say.

The loader uses malicious macros that have been obfuscated using a large amount of garbage code and randomly chosen variables, which led researchers to believe that a builder was used to generate them. The second part of the malicious macro, researchers say, includes not only garbage code, but also obfuscated strings and a number of strings written to the Word document and which are in-line with the ploy used by the attacker, based on the subject line and filename.

The first half of the macro, on the other hand, includes a function to decode the obfuscated strings, after which they are called with a PowerShell command. To decode the strings, the macro simply removes characters present within a blacklist string. However, researchers say that only about half of the samples contained decoy information.

Advertisement. Scroll to continue reading.

One of the decoded functions was meant to download a payload via PowerShell and then drop it within the %TEMP% directory. The macro would also create a registry key to point to the dropped file, while also abusing Windows Event Viewer to bypass UAC and elevate its privileges. The dropped file is then removed.

The UAC bypass was first detailed in August 2016, and was recently used in various campaigns, including some focused on the distribution of ransomware.

A small set of samples used the built-in BITSAdmin tool instead of PowerShell to download the malware. The technique was associated with 11 samples that were spotted in early December, when the loader first appeared. However, the attackers switched to PowerShell.

“Overall, this new loader is interesting in its use of performing a UAC bypass. Additionally, the widespread use of this loader since December of last year shows that it is being used in numerous campaigns. It is unclear if this loader is being used by one or more groups. Multiple industries have been targeted by this loader, which has been used to deploy multiple malware families,” Palo Alto researchers conclude.

Related: Macro Malware Comes to macOS

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.