Social engineering tricks open the door to macro-malware attacks – how can we close it?

The macro malware-laden documents that target email users through email spam are intentionally crafted to pique any person’s curiosity.  With subjects that include sales invoices, federal tax payments, courier notifications, resumes, and donation confirmations, users can be easily tricked to read the email and open the attachment without thinking twice.

The user opens the document, enables the macro, thinking that the document needs it to function properly – unknowingly enabling the macro malware to run.

Just when you think macro malware is a thing of the past, over the past few months, we have seen an increasing macro downloader trend that affects nearly 501,240 unique machines worldwide.

Increasing trend of macro downloaders from April 2014 to 2015

Figure 1: Increasing trend of macro downloaders from April 2014 to 2015

We have seen majority of the macro-malware attacks in the United States and United Kingdom.

Macro downloaders’ prevalence in affected countries

Figure 2: Macro downloaders’ prevalence in affected countries


Macro malware distribution heat map

Figure 3: Macro malware distribution heat map

Macro malware infection chain

As stated in the previous macro blog, macro downloaders serve as the gateway for other nasty malware to get in. The following diagram shows how a typical macro downloader gets into the system and deliver its payload.

Macro downloader infection chain

Figure 4: Macro downloader infection chain

The macro malware gets into your PC as a spam email attachment. The spam email recipient then falls for a social engineering technique, opens the attachment, thereby enabling the macro inside the document.

We have identified some of these macro downloader threats, but not limited to:

When a malicious macro code runs, it either downloads its final payload, or it downloads another payload courier in the form of a binary downloader.

We have observed the following final payload, but is not limited to:

We have also observed the following binary downloaders to be related to these macros, but not limited to:

After the macro malware is downloaded, the job is pretty much done. The torch is passed to either the final payload or the binary downloader.

We have observed the following threats being downloaded by the binary downloaders, but not limited to:


Prevention: How do you close that door?

If you know that social engineering tricks through spam emails open the door to macro malware attacks, what can you do to help protect your enterprise software security infrastructure in closing that door?

Be careful on enabling macros

Macro threats, as payload couriers, seem to gain popularity as an effective infection vector. But unlike exploit kits, these macro threats require user consent to run. To avoid running into trouble because of these macro threats, see Before you enable those macros, for details on prevention.

You can also read more about the macro configuration options to understand the scenarios when you can enable or disable them. See Microsoft Project – how to control Macro Settings using registry keys for details.

Aside from that, be aware of the dangers in opening suspicious emails. That includes not opening email attachments or links from untrusted sources.

If you are an enterprise software security administrator, what can you do?

Most, if not all of the macro malware received are in .doc file format (D0 CF) which are seen in Microsoft Office 2007 and older versions.

If you are in charge of looking after your enterprise software security infrastructure, you can:

  • Update your Microsoft security software. Microsoft detects this threat and encourages everyone to always run on the latest software version for protection.
  • Ensure that your Trust Center settings are configured not to load older Office versions:
    1. Go to Word Options, and select Trust Center. Click Trust Center Settings.
      Trust Center settings
    2. In the Trust Center dialog box, select File Block Settings. Then, select the Word versions that you need to block.

Trust Center file block settings

Doing so blocks older Office versions from opening.

You can check if MAPS feature is enabled in your Microsoft security product by selecting the Settings tab and then MAPS.
System Center Endpoint Protection MAPS settings


Comments (7)

  1. Alfred E Neumann says:

    As usual, AppLocker resp. SAFER/Software Restrcition Policies are once again NOT mentioned: apparently M$FT's "security" people dont know their own operations system!
    Yes. they want stop the initial macro, but they DO stop the REAL threat: its the second stage that harms.


    How do you setup SRPs or AppLocker to stop these threats? AppLocker doesn't control VBA code. Do SRPs do VBA code?

  3. Alfred E. Neumann says:

    @ERROR_OUT_OF_MEMORY: read the second sentence!

  4. adwbust says:

    just simply intercept the macro get request with download prompt (checked by smartscreen file and url reputation service) and block script or executable type/extensions download or run by macro/office file (add behavior rule to mse). better yet, remove
    or disable MS office macro in a windows update.

  5. Frank Zervos says:

    I would like to See Whae feed are Avalable again…. Please

  6. roberta says:

    Hola quisiera consultar me han enviado un correo electronico supuestamente por microsoft windows solicitando mis datos personales para participar por un sorteo donde ganaria 250.000 euros me parece extraño el hecho que soliciten mis datos personales alguien
    me puede ayudar a confirmar si es un correo real gracias

  7. dmv says:

    Hola, Roberta! Microsoft nunca enviaremos acerca de lotería. Parece que tienes un correo de una persona que haciéndose pasar por Microsoft. No proporcionar sus datos personales.