MS Word and Macros… Now With Social Engineering Malware

On December 11, one of our employees reported a phishing  email with PhishMe’s Reporter for Outlook that contained a particularly nasty Word document. The malicious payload included PowerShell, VBA, and batch code. Here’s a screenshot of the phishing email:

Figure 1 -- Phishing Email

Figure 1 — Screenshot of phishing email

Once opened, the document’s contents are blurred, and it asks recipients to enable macros in order to view the document.

Figure 2 -- Social Engineering

Figure 2 — Document requesting that user enable macros

Once enabled, the macro kicks off by executing a batch script via cmd.exe, which then executes visual basic script, which in turn triggers a PowerShell script. (Figure 3.)

Figure 3 -- Chain of execution

Figure 3 — Chain of execution for Word document

The batch file is responsible for pinging twice, changing the console code to the Cyrillic script (chcp 1251), and running the second file, adobeacd-update.vbs. (Figure 4.)

Figure 4 -- Batch file

Figure 4 — Batch file exectued by macro

Next, the VBS file runs a powershell script with the command seen in Figure 5.

Figure 5 -- VBS file

Figure 5 — VBS file executing PowerShell script

The powershell code is where the malware is finally downloaded. First, the file downloads “x.exe” from the domain highlighted, then saves it to the system as the filename “444.exe”.

Figure 6 -- Powershell

Figure 6 — Excerpt of PowerShell script

Next, the script grabs the path name of the above scripts, saves them to a variable, sleeps for 15 seconds, and runs “444.exe”.

Figure 7 -- Powershell excerpt

Figure 7 — PowerShell excerpt that executes “444.exe”

Once executed, the powershell script attempts to clean up by removing the other scripts used to execute it.

Figure 8 -- attempted cleanup

Figure 8 — Attempted cleanup for the malware

By looking in Wireshark, we can see the file being downloaded in Figure 9.

Figure 9 -- Malware being downloaded

Figure 9 — Malware being downloaded

While the malware is packed, we can find some interesting things about the malware by analyzing the memory. First, by grepping before and after “[tab”, we can see that this malware has key logging capabilities, will more than likely beacon out to “tdglomeme[d]eu”, attempt to POST to “/log/index.php”, and feed the information back containing the string “0USER0”. (Figure 10.)

Figure 10 -- memory

Figure 10 — Memory dump of data being collected

By looking at the pcap (Figure 11) and decoding the data (Figure 12) we can see that the data is presented exactly as seen in the pcap.

Figure 11

Figure 11 — Data from pcap

Figure 12 -- decoded data

Figure 12 — Decoded data from pcap

We can see that the malware is  capable of copying contents from the clipboard as well as logging keystrokes. This data is then POSTed back to the attackers domain.

For a Yara signature, the attackers included a “vbaProject.bin” file in the docx file. The following Yara rule can help to pick up variants that contain this:

rule PM_docx_with_vba_bin



$a1 = “PK”

$a2 = “word/_rels/vbaProject.bin”



$a1 at 0 and $a2


The word document has a very low detection rate (4/56) and can be found here:

20 Startups to Watch in 2015
Top 10 Phishing Attacks of 2014

Related Articles