Before you enable those macros…

The Microsoft Malware Protection Center (MMPC) has recently seen an increasing number of threats using macros to spread their malicious code. This technique uses spam emails and social engineering to infect a system.

Using macros in Microsoft Office can help increase productivity by automating some processes. However, malware authors have also exploited these capabilities. Since Microsoft set the default setting to "Disable all macros with notification", the number of macro-related malware threats has declined. More recently we have seen new threats emerging that include some form of social engineering to convince users to manually enable macros and allow the malicious code to run.

Two recent macro downloaders that we have seen spreading through spam email campaigns are TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir. These recent campaigns are one example of an increasing trend of macro malware targeting home users and enterprise customers. These threats predominantly target our customers in the US and UK.

Figure 1: Adnel and Tarbir encounters peaked mid-December, 2014

Figure 2: Regional distribution of Adnel and Tarbir encounters during December 2014

We have seen the spam emails spreading these threats use subject lines such as:

  • ACH Transaction Report
  • DOC-file for report is ready
  • Invoice as requested
  • Invoice - P97291
  • Order - Y24383
  • Payment Details
  • Remittance Advice from Engineering Solutions Ltd
  • Your Automated Clearing House Transaction Has Been Put On

Figure 3: Recent spam campaigns usually use money-related subject lines to entice users to open the malicious email attachment

Similar to other malware that spreads through malicious binary email attachments (for example, TrojanDownloader:Win32/Upatre), macro malware serves as an infection gateway. Once the gate is opened, in this case by opening the email attachment with macros enabled, whatever is on the other side of the gate (the malware) will enter and infect the system.

We have seen the email attachments in the Adnel and Tarbir campaigns use file names similar to those below:

  • 20140918_122519.doc
  • 813536MY.xls
  • ACH Transfer 0084.doc
  • Automated Clearing House transfer 4995.doc
  • BAC474047MZ.xls
  • BILLING DETAILS 4905.doc
  • CAR014 151239.doc
  • ID_2542Z.xls
  • Fuel bill.doc
  • ORDER DETAILS 9650.doc
  • Payment Advice 593016.doc
  • SHIP INVOICE 1677.doc

These names are again designed to look like legitimate payment files and use social engineering to convince recipients to open them. Upon opening the Microsoft Office file (in this case a Word document), a user will be prompted to enable macros. By default, the macros in Microsoft Office are set as "Disable all macros with notification". Until they are manually enabled, the malware code cannot run.

Imagine this blocking of untrusted macros as the lock on the gate, and the key that opens the lock is user consent. A simple click enables the untrusted macro to run, which gives the malware access to the system. This is where another social engineering trick comes in: the malware authors provide step-by-step instructions to trick the user into enabling the untrusted macros.

The following screenshot shows the contents of a spam email attachment spreading TrojanDownloader:O97M/Tarbir.

Figure 4: The malware masquerades itself as a Microsoft Office notification to mislead users into enabling macros

The combination of the instructional document, a spam email with supposed monetary content, and a seemingly relevant file name can be enough to convince an unsuspecting user to click the Enable Content button. When they do, the macro executes and carries out its payload, which is to download other malware, including TrojanDownloader:Win32/Drixed.B.

To avoid further infection from these malware types, keep this in mind:

  • A file that contains a receipt or billing statement most of the time does not need to have any macros in it.
  • Be cautious of unsigned macros and macros from an untrusted source. Macro malware is usually unsigned.
  • Some macro malware leaves the document intentionally empty, relying on the user to think that they need to enable the macro so that they can see something. Beware of such tricks.
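As an added example (not code from the post or from Microsoft), here is a small Python triage routine that applies the three signals above to an incoming attachment: a money-themed lure in the subject or file name, a macro-capable Office extension, and whether the file actually carries a VBA project. The VBA check is an assumed heuristic (a zip lookup for OOXML files and a scan for the VBA storage names inside legacy OLE files, not a full OLE parser), and the sample files are constructed inline.

```python
import io
import re
import zipfile

# Lure words and extensions constructed from the subject lines and attachment names quoted in the post.
MACRO_CAPABLE_EXTS = {".doc", ".dot", ".xls", ".xlt", ".docm", ".dotm", ".xlsm", ".xltm"}
LURE_WORDS = re.compile(r"\b(invoice|payment|remittance|order|bill(ing)?|ach|transfer|advice)\b", re.I)
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE directory entries store names as UTF-16LE: "Macros" is the VBA storage
# in a legacy .doc, "_VBA_PROJECT_CUR" the one in a legacy .xls.
OLE_VBA_STORAGES = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT_CUR")]


def has_vba_project(data: bytes) -> bool:
    """Heuristic VBA check (assumption: a storage-name scan is enough for triage)."""
    if data.startswith(b"PK\x03\x04"):  # OOXML container (.docm/.xlsm)
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    if data.startswith(OLE_MAGIC):  # legacy binary .doc/.xls
        return any(name in data for name in OLE_VBA_STORAGES)
    return False


def triage_attachment(subject: str, filename: str, data: bytes) -> str:
    """'block', 'review' or 'allow' from the post's signals: money-themed lure,
    macro-capable extension, and a VBA project actually present in the file."""
    macro_capable = ("." + filename.rsplit(".", 1)[-1].lower()) in MACRO_CAPABLE_EXTS
    lure = bool(LURE_WORDS.search(subject) or LURE_WORDS.search(filename))
    if macro_capable and has_vba_project(data):
        # An invoice or receipt has no reason to carry macros: lure + VBA is the Adnel/Tarbir pattern.
        return "block" if lure else "review"
    return "review" if macro_capable and lure else "allow"


def sample_docm(with_macros: bool) -> bytes:
    """Constructed OOXML sample: a minimal zip, optionally with vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def sample_ole(with_macros: bool) -> bytes:
    """Constructed legacy sample: OLE magic, header padding, one UTF-16LE name."""
    name = "Macros" if with_macros else "WordDocument"
    return OLE_MAGIC + b"\x00" * 504 + name.encode("utf-16-le").ljust(64, b"\x00")
```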

Microsoft security products, such as Microsoft Security Essentials, include detection for TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir. To help stay protected, we recommend you keep your security software up to date.

We also encourage people to join our Microsoft Active Protection Service Community (MAPS) and take advantage of the Microsoft cloud protection service.

Alden Pornasdoro

Comments (11)

  1. TammyRSmith says:

    Stay smart when opening those emails!

  2. Steve Basford (Sanesecurity) says:

    They have been on the increase for a while now…

  3. adwbust says:

    That's why, after macros are enabled, warn the user if the document tries to connect out. Check the server/site contacted by the macro using SmartScreen (on Windows 10, aside from IE, integrate SmartScreen into the Windows Filtering Platform and the UAC prompt for opening a PE; why also with UAC? Because not all files are downloaded from the web, not all use IE. Some are from USB drives; check against SmartScreen when they're run.). Office is sandboxed, right? Office should have a sandboxed incoming folder for files downloaded (and run) by a macro. If the user allows the macro to connect out and download, warn/prompt the user if the macro runs a PE or script. For downloaded web pages, images, etc. use a sandboxed viewer/browser. Put in an Office prompt that it is unusual for a document to download and run files. That would deter (scare) users.

    Does Windows keep a log to track process activity? Like, for example, log when a file (usually a PE, document or script) is first created (including source)/run/modified, the result of execution (if it trips certain sensors), etc. That would make it easy to track and retrieve an offending file. Of course, the user should be able to opt out. MAPS within Windows. 😀

  4. sandeep says:

    I have an IBM server x3400 m3.
    I have installed 8 GB RAM but the operating system can use only 3.99 GB RAM.

  5. Derek Knight (MVP Consumer Security) says:

    The default options and the ability to use "protected view" were only established in Office 2010 and later versions. A very high proportion of compromised users are using Office 2007 or even earlier. We realistically are not going to see users pay several hundred £££ or $$ to get a new version of Office when their old one works perfectly well, with features they use every day, and there is not so good default protection in those versions. I don't even remember macros being disabled by default in Office 2007.

  6. Kevin Beaumont says:

    This has been going on since September; detection has been very poor among AV providers for months now.

    Palo Alto's Unit42 has blog posts about it extensively here: and here:

  7. Colleen Burke-Hill says:

    Just saw another one of these come around again. The text of the email and look of the document are quite convincing – it was an internship inquiry with a CV attached. An unsophisticated user – or just a busy manager – very well might unthinkingly follow the document's instructions and enable editing and content.

  8. Dotan says:

    Why not use Disarm & Reconstruct at the organisation to avoid the risk altogether?

  9. Hansel says:

    When will we see VBA no longer supported/offered in Office products altogether?

    1. service says:

      It is rather naïve to ask for VBA to no longer be supported, as virtually every company processing Office document data has VBA macros deployed, not all of which may be replaceable by VSTO. So my guess and hope is that VBA stays around for many years to come. Rather than no longer supporting or putting a ban on VBA, security functions must be devised and deployed to save the user and secure the IT infrastructure. For instance, developers should make more use of digital signatures backed by CAs with proper reputation. Inspections at the firewall must be improved for companies, and sandboxing of questionable documents at the user's PC must be improved by means of file streams and the like, which trigger proper warnings and instructions for the end user <- last call goes out to Microsoft, who also has to retrofit current production versions of Office, that is, include 2007.

  10. leon webster says:

    I received 2 meeting invitations in Outlook, with the second – which seemed to be a copy – suddenly deleting itself. My A/V alerted me to the presence of 2 Word enabled templates in c:\users\userid\appdata\roaming\microsoft\templates. My AV only warns of these files; it does not delete them. I have been trying to confirm they are legitimate Outlook components. They are Normal and NormalEmail. Any advice is appreciated.
