{"id":49051,"date":"2016-04-26T12:09:48","date_gmt":"2016-04-26T19:09:48","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=49051"},"modified":"2025-06-02T19:17:18","modified_gmt":"2025-06-03T02:17:18","slug":"macro-malware-employs-advanced-obfuscation-to-avoid-detection","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/","title":{"rendered":"Macro Malware Employs Advanced Obfuscation to Avoid Detection"},"content":{"rendered":"<p>Attacks by macro malware carrying ransomware are\u00a0growing, as we have recently reported on Blog Central <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/w97m-downloader-serving-vawtrak\/\">here <\/a>and <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/teslacrypt-arrives-via-neutrino-exploit-kit\/\">here.<\/a>\u00a0Now McAfee Labs researchers have witnessed a new variant of macro malware that employs fudging techniques such as\u00a0virtual machine awareness, sandbox awareness, and more.<\/p>\n<p>Since early March we have seen macro malware using high-obfuscation algorithms to protect itself from static and traditional antimalware\u00a0detection techniques. These\u00a0algorithms do not change frequently; we noticed updates only over a period of one month. This slow evolution suggests that the actors are able to sustain their binaries with few changes. So far we have seen three obfuscating algorithms deployed in such malware. The version we noticed in mid-April was quite interesting; here is our analysis.<\/p>\n<p>This new variant of macro malware not only has high-level obfuscation techniques but also several layers of evasion. In addition to\u00a0obfuscation, the functions are scattered across the macros. 
I have converted the obfuscation algorithm to an equivalent Python script and the scripts used for evasion techniques into VBA scripts for easy understanding.<\/p>\n<p>The following are obfuscated strings passed to the function:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-49052\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Obfuscated_String.png\" alt=\"Obfuscated_String\" width=\"668\" height=\"18\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Obfuscated_String.png 668w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Obfuscated_String-300x8.png 300w\" sizes=\"auto, (max-width: 668px) 100vw, 668px\" \/><\/p>\n<h2>This equivalent Python script deobfuscates the string:<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-49054\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Python.png\" alt=\"Python\" width=\"429\" height=\"192\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Python.png 429w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Python-300x134.png 300w\" sizes=\"auto, (max-width: 429px) 100vw, 429px\" \/><\/p>\n<p>The malware posts a fake Microsoft Office 2016 screen upon execution to lure victims into enabling the macro content:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-49055\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/microsoft.png\" alt=\"microsoft\" width=\"310\" height=\"202\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/microsoft.png 310w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/microsoft-300x195.png 300w\" sizes=\"auto, (max-width: 310px) 100vw, 310px\" \/><\/p>\n<p>Our analysis revealed the possibility of a known actor group having created this\u00a0malware, which is similar to the\u00a0earlier version &#8220;Donoff.&#8221; That version posed a similar message 
to the one we see below. This similarity suggests that the new variant could also be from the same group.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-49230\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/warning.png\" alt=\"warning\" width=\"590\" height=\"328\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/warning.png 590w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/warning-300x167.png 300w\" sizes=\"auto, (max-width: 590px) 100vw, 590px\" \/><\/p>\n<p>The following flow chart shows the sequence of evasion checks performed in the code:<a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/attachment\/20160420-visio-drawing-2\/\" rel=\"attachment wp-att-49249\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-49249\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/20160420-Visio-Drawing-2.png\" alt=\"20160420 Visio Drawing 2\" width=\"1132\" height=\"1316\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160420-Visio-Drawing-2.png 1132w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160420-Visio-Drawing-2-258x300.png 258w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160420-Visio-Drawing-2-768x893.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/20160420-Visio-Drawing-2-881x1024.png 881w\" sizes=\"auto, (max-width: 1132px) 100vw, 1132px\" \/><\/a><\/p>\n<h2><strong>Layer 1: Evading honeypots<\/strong><\/h2>\n<p>We found the following code in the macro that checks the username and the hostname. If the username is \u201cUSER\u201d and the hostname is \u201cHOST,\u201d the code will not execute. It is well known that most honeypots are named User and Host to attract zero-day malware. 
The actors have taken this step to escape common zero-day traps.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-49057\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/user.png\" alt=\"user\" width=\"447\" height=\"191\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/user.png 447w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/user-300x128.png 300w\" sizes=\"auto, (max-width: 447px) 100vw, 447px\" \/><\/p>\n<h2><strong>Layer 2: Virtualization awareness and anti-emulation\u00a0<\/strong><\/h2>\n<p>To avoid analysis by security researchers, the actors next try to avoid executing their code in a virtual environment. The following code snippet shows this check in the malware.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-49059\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/vmware-1.png\" alt=\"vmware\" width=\"738\" height=\"329\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/vmware-1.png 738w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/vmware-1-300x134.png 300w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/p>\n<h2><strong>Layer 3: Evading perimeter devices and dynamic tools<\/strong><\/h2>\n<p>Because these macro-based downloaders predominantly propagate through spam and phishing emails, the actors have taken the effort to infiltrate perimeter devices such as email scanners and gateway products such as intrusion detection and prevention. 
The following piece of code in the macro checks for the presence of frameworks and devices like Snort, Suricata, Wireshark, and others.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-49060\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/fiddler.png\" alt=\"fiddler\" width=\"549\" height=\"271\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/fiddler.png 549w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/fiddler-300x148.png 300w\" sizes=\"auto, (max-width: 549px) 100vw, 549px\" \/><\/p>\n<h2><strong>Compromised website serves payload<\/strong><\/h2>\n<p>These actors have compromised a legitimate website to deploy their payload. This (masked) legitimate website hosts the payload:<\/p>\n<p>http:\/\/soc[xxxxx]it.com\/system\/logs\/office.exe<\/p>\n<p>During our analysis, this hardcoded link served the following file, which indicated that the attackers were still preparing the environment and had not yet uploaded a malicious payload. (McAfee has contacted the site owner.)<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-49061\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/malware.png\" alt=\"malware\" width=\"251\" height=\"194\" \/><\/p>\n<p>We found one eccentricity in this malware: The actors had put in a condition to execute the malware from a specific folder path even if any of the preceding evasion checks returned a true value. If the malware executes from the \u201c&lt;random_number&gt;_&lt;country name&gt;\u201d folder, it will continue even in the presence of a virtual machine with dynamic tools. The code shown in the image below checks for \u201c&lt;random_number&gt;_australia\u201d in the execution path of the malware. 
So far we have seen Australia and the United States in the exclusion list.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-49062\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/4-4.png\" alt=\"4\" width=\"528\" height=\"16\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4-4.png 528w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4-4-300x9.png 300w\" sizes=\"auto, (max-width: 528px) 100vw, 528px\" \/><\/p>\n<p>Our analysis in this case indicates that actors with varying proficiency continue to make security efforts difficult for antimalware\u00a0products. McAfee DATs already cover this and similar\u00a0malware.<\/p>\n<p>Sample MD5s:<\/p>\n<ul>\n<li>d80c15fd4ee1b10512d81bde32daaf30<\/li>\n<li>c1787d80ad7beb46646d5c20cdd7eff2<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Attacks by macro malware carrying ransomware are\u00a0growing, as we have recently reported on Blog Central here and here.\u00a0Now McAfee Labs&#8230;<\/p>\n","protected":false},"author":815,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180],"coauthors":[4610],"class_list":["post-49051","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Macro Malware Employs Advanced Obfuscation to Avoid Detection | McAfee Blog<\/title>\n<meta name=\"description\" content=\"Attacks by macro malware carrying ransomware are\u00a0growing, as we have recently reported on Blog Central here and here.\u00a0Now McAfee Labs researchers have\" \/>\n<meta name=\"robots\" content=\"index, follow, 
max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Macro Malware Employs Advanced Obfuscation to Avoid Detection | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"Attacks by macro malware carrying ransomware are\u00a0growing, as we have recently reported on Blog Central here and here.\u00a0Now McAfee Labs researchers have\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/devendrasingh.gurjar.94\" \/>\n<meta property=\"article:published_time\" content=\"2016-04-26T19:09:48+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-03T02:17:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Obfuscated_String.png\" \/>\n\t<meta property=\"og:image:width\" content=\"668\" \/>\n\t<meta property=\"og:image:height\" content=\"18\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Devendra Singh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Devendra Singh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/\"},\"author\":{\"name\":\"Devendra Singh\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/8f2496c4191cf2bc7639b5c041cf478a\"},\"headline\":\"Macro Malware Employs Advanced Obfuscation to Avoid Detection\",\"datePublished\":\"2016-04-26T19:09:48+00:00\",\"dateModified\":\"2025-06-03T02:17:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/\"},\"wordCount\":646,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Obfuscated_String.png\",\"keywords\":[\"computer security\",\"cybercrime\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/\",\"name\":\"Macro Malware Employs Advanced Obfuscation to Avoid Detection | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Obfuscated_String.png\",\"datePublished\":\"2016-04-26T19:09:48+00:00\",\"dateModified\":\"2025-06-03T02:17:18+00:00\",\"description\":\"Attacks by macro malware carrying ransomware are\u00a0growing, as we have recently reported on Blog Central here and here.\u00a0Now McAfee Labs researchers have\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Obfuscated_String.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Obfuscated_String.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other 
Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Macro Malware Employs Advanced Obfuscation to Avoid Detection\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/8f2496c4191cf2bc7639b5c041cf478a\",\"name\":\"Devendra 
Singh\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/cbf81975ab1078233e5ac0b815db2b78\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/613956760625882b51f3a0ce25b39a27?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/613956760625882b51f3a0ce25b39a27?s=96&d=mm&r=g\",\"caption\":\"Devendra Singh\"},\"description\":\"Devendra Singh is a Research Scientist with McAfee Labs. He enjoys working on latest threats and figuring out ways to protect customers from them. His hobbies include playing cricket and reading books.\",\"sameAs\":[\"https:\/\/www.facebook.com\/devendrasingh.gurjar.94\",\"https:\/\/www.linkedin.com\/in\/devendra-singh-82324655\/\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/devendra-singh\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Macro Malware Employs Advanced Obfuscation to Avoid Detection | McAfee Blog","description":"Attacks by macro malware carrying ransomware are\u00a0growing, as we have recently reported on Blog Central here and here.\u00a0Now McAfee Labs researchers have","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Macro Malware Employs Advanced Obfuscation to Avoid Detection | McAfee Blog","og_description":"Attacks by macro malware carrying ransomware are\u00a0growing, as we have recently reported on Blog Central here and here.\u00a0Now McAfee Labs researchers have","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/","og_site_name":"McAfee 
Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/devendrasingh.gurjar.94","article_published_time":"2016-04-26T19:09:48+00:00","article_modified_time":"2025-06-03T02:17:18+00:00","og_image":[{"width":668,"height":18,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/Obfuscated_String.png","type":"image\/png"}],"author":"Devendra Singh","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Devendra Singh","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/"},"author":{"name":"Devendra Singh","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/8f2496c4191cf2bc7639b5c041cf478a"},"headline":"Macro Malware Employs Advanced Obfuscation to Avoid Detection","datePublished":"2016-04-26T19:09:48+00:00","dateModified":"2025-06-03T02:17:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/"},"wordCount":646,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Obfuscated_String.png","keywords":["computer security","cybercrime","endpoint protection","malware"],"articleSection":["McAfee 
Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/","name":"Macro Malware Employs Advanced Obfuscation to Avoid Detection | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Obfuscated_String.png","datePublished":"2016-04-26T19:09:48+00:00","dateModified":"2025-06-03T02:17:18+00:00","description":"Attacks by macro malware carrying ransomware are\u00a0growing, as we have recently reported on Blog Central here and here.\u00a0Now McAfee Labs researchers 
have","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Obfuscated_String.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Obfuscated_String.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-obfuscation-to-avoid-detection\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Macro Malware Employs Advanced Obfuscation to Avoid Detection"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security 
News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/8f2496c4191cf2bc7639b5c041cf478a","name":"Devendra Singh","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/cbf81975ab1078233e5ac0b815db2b78","url":"https:\/\/secure.gravatar.com\/avatar\/613956760625882b51f3a0ce25b39a27?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/613956760625882b51f3a0ce25b39a27?s=96&d=mm&r=g","caption":"Devendra Singh"},"description":"Devendra Singh is a Research Scientist with McAfee Labs. He enjoys working on latest threats and figuring out ways to protect customers from them. 
His hobbies include playing cricket and reading books.","sameAs":["https:\/\/www.facebook.com\/devendrasingh.gurjar.94","https:\/\/www.linkedin.com\/in\/devendra-singh-82324655\/"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/devendra-singh\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/49051","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/815"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=49051"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/49051\/revisions"}],"predecessor-version":[{"id":214927,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/49051\/revisions\/214927"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=49051"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=49051"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=49051"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=49051"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}