Macro Malware Adds Tricks, Uses MaxMind to Avoid Detection

By Devendra Singh on Jun 21, 2016

Macro malware continues to evolve and use new tricks to evade detection. This threat is responsible for downloading malicious Trojans such as Dridex and ransomware such as Locky.

Recently McAfee Labs encountered a new variant of macro malware that uses new techniques to avoid executing in an undesirable environment. With this variant, when we open the .doc file we see some junk content and a request to enable macros. If a user clicks Enable Content, the macros are enabled and download malicious content. (Protected View is enabled by default, which prevents malicious macros from running unless users enable them.)


McAfee Labs has previously blogged about macro malware that uses high-obfuscation algorithms and several other layers of evasion to avoid detection. Previous variants have used evasion techniques such as virtual machine awareness and sandbox awareness, among others. At first glance, it is difficult to guess the intentions of this macro malware.


The malware hides all strings that could hint at its behavior. So far we have seen two types of string obfuscation. In the first type, two parameters are passed to a function to obtain the following string. The first parameter is an obfuscated string and the second is a junk string that must be removed from the first.


The following Python script decrypts the content:


With the second type of string obfuscation, only one string is passed to the function:


The Python script to decrypt the string:


In addition to string obfuscation, the malware checks the number of recently opened or accessed files and exits if that number is less than three. This is a simple technique to avoid analysis, because security researchers often use a fresh copy of a virtual environment that has no recently used files. The VBA code:


The macros employ a legitimate site for their malicious purposes: the threat actors use the MaxMind service, which provides location data for IP addresses, to gather IP-based location data. The VBA code:


ResponseText1 contains the location, IP address, organization name, and other information. The malware checks whether any of the following names are contained in ResponseText1:


If any of these names is present, the malware stops. It thus avoids executing inside several antimalware and web hosting organizations, as well as at some locations in Russia and North America. After execution the malware downloads malware families such as Ursnif, which steals banking information.
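As an added defender-side example (not code from the post or from McAfee Labs), the script below triages a VBA macro's source for the three evasion behaviors described above: the recent-files threshold, the MaxMind lookup, and the organization block list matched against the response, plus the junk-string removal used for string obfuscation. The macro fragment it scans is constructed; the property name Application.RecentFiles.Count, the lookup URL and the block-list names are assumptions about how such a macro is written, not identifiers taken from the analyzed sample.

```python
import re

# One heuristic per evasion trick from the post. Each regex is matched
# case-insensitively against macro source text (VBA is case-insensitive).
INDICATORS = {
    # "exits if the number of recent files is less than N"; captures N
    "recent_files_check": re.compile(r"RecentFiles\.Count\s*<\s*(\d+)", re.I),
    # any URL pointing at the MaxMind service
    "maxmind_lookup": re.compile(r"https?://[^\s\"']*maxmind\.com[^\s\"']*", re.I),
    # InStr(ResponseText..., "<name>") block-list tests; captures <name>
    "response_blocklist": re.compile(r"InStr\s*\(\s*\w*ResponseText\w*\s*,\s*\"([^\"]+)\"", re.I),
    # Replace(obfuscated, junk, "") style junk-string removal
    "junk_strip_obfuscation": re.compile(r"\bReplace\s*\(\s*\w+\s*,\s*\w+\s*,\s*\"\"\s*\)", re.I),
}


def triage_macro(vba_source):
    """Return {indicator: [captured values]} for every indicator that fires."""
    findings = {}
    for name, pattern in INDICATORS.items():
        hits = [m.group(1) if m.groups() else m.group(0)
                for m in pattern.finditer(vba_source)]
        if hits:
            findings[name] = hits
    return findings


def verdict(findings):
    """Two or more distinct evasion behaviors together is a strong signal."""
    return "suspicious" if len(findings) >= 2 else "clean"


# Constructed macro fragment for exercising the heuristics. Names and the
# lookup endpoint are placeholders, not values from the real sample.
SAMPLE_VBA = '''
If Application.RecentFiles.Count < 3 Then Exit Sub
http.Open "GET", "https://www.maxmind.com/<lookup-endpoint>", False
ResponseText1 = http.ResponseText
If InStr(ResponseText1, "ExampleAV") > 0 Then Exit Sub
If InStr(ResponseText1, "ExampleHosting") > 0 Then Exit Sub
s = Replace(obf, junk, "")
'''

if __name__ == "__main__":
    result = triage_macro(SAMPLE_VBA)
    for name, hits in result.items():
        print(f"{name}: {hits}")
    print(verdict(result))
```

The extracted block-list names and threshold can be fed straight into a detection rule or compared across samples to track the campaign.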

McAfee advises all users to keep their antimalware products up to date. McAfee products detect this malware as W97M/Downloader.

Analyzed MD5 hashes:

  • fac4245a1a3f9e4f5f4c9b727133837b
  • e3f93401a1494112d242c80333703b0f

About the Author

Devendra Singh

Devendra Singh is a Research Scientist with McAfee Labs. He enjoys working on the latest threats and figuring out ways to protect customers from them. His hobbies include playing cricket and reading books.

  1. Devendra! Thanks for the article.
    So this malware does not attack the antimalware and web hosting companies, but how does it enter computer systems? Through email or files downloaded from the Internet? Is this specifically designed for servers, or for general PCs too?

    • Akash! Thanks for your comment.
      The above macro malware avoids execution if the IP address belongs to any of the companies or locations contained in the check list mentioned in the blog.
      It enters computer systems through email, and it is not specifically designed for servers; it works on general PCs too.