{"id":52880,"date":"2016-09-29T10:00:12","date_gmt":"2016-09-29T17:00:12","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=52880"},"modified":"2025-06-02T19:18:30","modified_gmt":"2025-06-03T02:18:30","slug":"macro-malware-employs-advanced-sandbox-evasion-techniques","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/","title":{"rendered":"Macro Malware Employs Advanced Sandbox-Evasion Techniques"},"content":{"rendered":"<p>During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. With this variant when we click on a doc file, we see the\u00a0message \u201cThis document is protected against unauthorized use. Enable Editing and Enable Content to read content\u201d along with a request to enable macros. If a user clicks Enable Content, macros will be enabled and will download malicious content. (By default, Microsoft Windows enables protected view, preventing malicious macros from running unless users enable them.)<\/p>\n<p>Since early March we have seen macro malware using high-obfuscation algorithms to protect itself from static and traditional antimalware detection techniques. Macro malware continues to evolve and use new tricks to evade detection.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-52881\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-8.png\" alt=\"1\" width=\"874\" height=\"413\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-8.png 874w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-8-300x142.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-8-768x363.png 768w\" sizes=\"auto, (max-width: 874px) 100vw, 874px\" \/><\/p>\n<p>At first glance, it is difficult to guess the intentions of this macro malware. We further deobfuscated the code and found more readable strings. 
The obfuscated macro looks like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-52882\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2-6.png\" alt=\"2\" width=\"789\" height=\"483\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-6.png 789w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-6-300x184.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-6-768x470.png 768w\" sizes=\"auto, (max-width: 789px) 100vw, 789px\" \/><\/p>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/macro-malware-adds-tricks-uses-maxmind-to-avoid-detection\/\">In a\u00a0previous blog,<\/a>\u00a0we described how the macro in the document file used the MaxMind service to gather IP-based location data. Previous variants have used fudging techniques such as virtual machine awareness, sandbox awareness, and others. We observed several new checks last week.<\/p>\n<h2><strong>Use of painted event<\/strong><\/h2>\n<p>The first major change is that the new variant no longer uses the AutoOpen() or DocumentOpen() function to automatically execute the macro. Instead this\u00a0variant uses a painted event. This fudging technique bypasses some scanners that expect a\u00a0payload to be executed with AutoOpen().<\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-52883\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/3-5.png\" alt=\"3\" width=\"801\" height=\"39\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3-5.png 801w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3-5-300x15.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3-5-768x37.png 768w\" sizes=\"auto, (max-width: 801px) 100vw, 801px\" \/><\/h2>\n<h2><strong>Checking the filename<\/strong><\/h2>\n<p>Another change is checking the filename. This move is both simple and smart. 
In most cases, files submitted to sandboxes are named after their SHA256 or MD5 hash, so the filename contains only hexadecimal characters. If a filename contains only hexadecimal characters, the malware will not infect the victim\u2019s machine further. In the following code snippet, the malware\u00a0checks the filename \u201cTestMacro\u201d for hexadecimal characters.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-52884\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/4-7.png\" alt=\"4\" width=\"671\" height=\"92\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4-7.png 671w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4-7-300x41.png 300w\" sizes=\"auto, (max-width: 671px) 100vw, 671px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-52885\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/5-9.png\" alt=\"5\" width=\"657\" height=\"66\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5-9.png 657w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5-9-300x30.png 300w\" sizes=\"auto, (max-width: 657px) 100vw, 657px\" \/><\/p>\n<h2><strong>Number of running processes<\/strong><\/h2>\n<p>The malware also checks the number of running processes. If the count is smaller\u00a0than 50, then the malware terminates. This is a simple technique to avoid analysis because security researchers often use a fresh copy of a virtual environment with fewer than 50 running processes. 
The code snippet:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-52886\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/6-7.png\" alt=\"6\" width=\"505\" height=\"204\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/6-7.png 505w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/6-7-300x121.png 300w\" sizes=\"auto, (max-width: 505px) 100vw, 505px\" \/><\/p>\n<h2><strong>Blacklist of processes<\/strong><\/h2>\n<p>Because these macro-based downloaders predominantly propagate through spam and phishing emails, the actors have made\u00a0the effort to infiltrate perimeter devices such as email scanners and gateway products. The malware checks for the presence of processes that\u00a0may be found running in a sandboxed environment. The checklist is expanded in the new variant:<\/p>\n<h2><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-52887\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/7-5.png\" alt=\"7\" width=\"1335\" height=\"43\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-5.png 1335w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-5-300x10.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-5-768x25.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-5-1024x33.png 1024w\" sizes=\"auto, (max-width: 1335px) 100vw, 1335px\" \/><\/h2>\n<h2><strong>Blacklist of networks<\/strong><\/h2>\n<p><a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/macro-malware-adds-tricks-uses-maxmind-to-avoid-detection\/\">We also blogged<\/a> about how threat actors use the MaxMind service to gather IP-based location data. This variant checks the region Oceania. It has also expanded the list of strings it checks using MaxMind. The list of strings is highly obfuscated and tough to understand. 
The obfuscated strings look like the following snippet:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-52888\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/8-4.png\" alt=\"8\" width=\"899\" height=\"260\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/8-4.png 899w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/8-4-300x87.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/8-4-768x222.png 768w\" sizes=\"auto, (max-width: 899px) 100vw, 899px\" \/><\/p>\n<p>The obfuscation algorithm changes frequently. For this variant, we deobfuscated the content using a small Python script.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-52889\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/9-4.png\" alt=\"9\" width=\"821\" height=\"275\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/9-4.png 821w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/9-4-300x100.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/9-4-768x257.png 768w\" sizes=\"auto, (max-width: 821px) 100vw, 821px\" \/><\/p>\n<p>The malware checks for the network provider&#8217;s name on the victim\u2019s machine. 
The machine will not be affected by this malware if it verifies that the document file is opened on any of these listed vendors&#8217; networks:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-52890\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/10-4.png\" alt=\"10\" width=\"1001\" height=\"143\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/10-4.png 1001w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/10-4-300x43.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/10-4-768x110.png 768w\" sizes=\"auto, (max-width: 1001px) 100vw, 1001px\" \/><\/p>\n<p>Malware authors continue to advance their sandbox-evasion techniques and make security efforts difficult for antimalware products.<\/p>\n<p>McAfee advises all users to keep their antimalware products up to date. McAfee products detect this malware as W97M\/Downloader.<\/p>\n<h2><strong>Sample MD5s<\/strong><\/h2>\n<ul>\n<li>05ef99749dec84ffd670ffcfba457c68<\/li>\n<li>2a03a7172b3fe4a8e50eb337643f8a55<\/li>\n<li>317b3f381b8feeb84b7318b1c1bf0970<\/li>\n<li>531364f5afadcadd83aef3158c100c98<\/li>\n<li>535aba8b1a5f0585d2878fd39c8b05d2<\/li>\n<li>73267a21adcf9b587cb44bf54d496b6c<\/li>\n<\/ul>\n<h2><strong>References<\/strong><\/h2>\n<p>https:\/\/www.proofpoint.com\/us\/threat-insight\/post\/ursnif-banking-trojan-campaign-sandbox-evasion-techniques<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. 
With this variant when&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,4452,338,180],"coauthors":[3973],"class_list":["post-52880","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybersecurity","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Macro Malware Employs Advanced Sandbox-Evasion Techniques | McAfee Blog<\/title>\n<meta name=\"description\" content=\"During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. With this variant when we click on a doc file, we see\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Macro Malware Employs Advanced Sandbox-Evasion Techniques | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. 
With this variant when we click on a doc file, we see\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-09-29T17:00:12+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-03T02:18:30+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-8.png\" \/>\n\t<meta property=\"og:image:width\" content=\"874\" \/>\n\t<meta property=\"og:image:height\" content=\"413\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"Macro Malware Employs Advanced Sandbox-Evasion Techniques\",\"datePublished\":\"2016-09-29T17:00:12+00:00\",\"dateModified\":\"2025-06-03T02:18:30+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/\"},\"wordCount\":623,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-8.png\",\"keywords\":[\"computer security\",\"cybersecurity\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/\",\"name\":\"Macro Malware Employs Advanced Sandbox-Evasion Techniques | McAfee 
Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-8.png\",\"datePublished\":\"2016-09-29T17:00:12+00:00\",\"dateModified\":\"2025-06-03T02:18:30+00:00\",\"description\":\"During the past couple of weeks, McAfee Labs has observed a new variant of macro malware. With this variant when we click on a doc file, we see\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-8.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-8.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/macro-malware-employs-advanced-sandbox-evasion-techniques\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee 
Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Macro Malware Employs Advanced Sandbox-Evasion Techniques\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\
/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=52880"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52880\/revisions"}],"predecessor-version":[{"id":214928,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/52880\/revisions\/214928"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=52880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=52880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=52880"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=52880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}