{"id":42047,"date":"2015-03-18T11:51:29","date_gmt":"2015-03-18T18:51:29","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=42047"},"modified":"2025-08-15T09:15:02","modified_gmt":"2025-08-15T16:15:02","slug":"bartallex-renews-strain-of-macro-malware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/internet-security\/bartallex-renews-strain-of-macro-malware\/","title":{"rendered":"Bartallex Renews Strain of Macro Malware"},"content":{"rendered":"

In recent weeks, McAfee Labs has seen a rise in the W97MDownloader malware, which comes with a macro downloader embedded in doc files. One of the malware families that serves these embedded macros is Bartallex, whose appearances have increased significantly during this period. The following chart shows the recent trend for the family:<\/p>\n

\"11\"<\/a><\/p>\n

 <\/p>\n

Background<\/strong><\/h2>\n

This threat is a malicious macro\u00a0that comes into users’ systems through a spam email and a Microsoft Word file, which leads to downloading and running the malware on the victim\u2019s machine. Whenever a user tries to open\u00a0the malicious doc file, Word should show a security notification asking whether the user wants to enable macros. If enabled, this threat will execute.<\/p>\n

One difference in this variant of W97MDownloader is that it clears the contents in the Word document after the macro is enabled. It also generally downloads its payload in the %temp% folder.<\/p>\n

The spam email may look like this:<\/p>\n

\"2\"<\/a><\/p>\n

 <\/p>\n

Infection Chain<\/strong><\/h2>\n

 <\/p>\n

\"1\"<\/a><\/p>\n

This threat shows that attackers have not forgotten the classic exploitation technique of tricking users into enabling Office macros to execute malicious code.<\/p>\n

The infection chain starts with the spammed email. The email is carefully designed to lure users and seems legitimate. After executing, Bartallex drops a .bat file and a .vbs file onto the victim’s system. They download further malware.<\/p>\n

The following figure shows a .doc file with embedded macro posing as a fax:<\/p>\n

\"3\"<\/a><\/p>\n

 <\/p>\n

If email recipients open the document, they first see junk data with a request to enable the macro–in spite of the security warning to not trust its content. The doc file has a random\u00a0name, for example:<\/p>\n