Macro Malware Adds Tricks, Uses MaxMind to Avoid Detection


Macro malware continues to evolve and use new tricks to evade detection. This threat is responsible for downloading malicious Trojans such as Dridex and ransomware such as Locky.

McAfee Labs recently encountered a new variant of macro malware that uses new techniques to avoid executing in an undesirable environment. With this variant, opening the .doc file shows some junk content and a request to enable macros. If the user clicks Enable Content, the macros run and download the malicious payload. (Protected View is enabled by default, which prevents malicious macros from running unless the user enables them.)


McAfee Labs has previously blogged about macro malware that uses heavy obfuscation and several other layers of evasion to avoid detection. Previous variants have used evasion techniques such as virtual machine awareness and sandbox awareness, among others. At first glance, it is difficult to guess the intentions of this macro malware.


The malware hides all strings that could hint at its behavior. So far we have seen two types of string obfuscation. In the first type, the decoding function takes two parameters: the first is the obfuscated string and the second is a junk string that must be removed from the first to recover the real value.


The following Python script decrypts the content:
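The script itself is not shown on this page. The block below is an added example, not McAfee's script: it implements the type-1 scheme just described (strip every occurrence of the junk substring from the obfuscated string) and, as an analyst convenience, rewrites calls to the decoder in a VBA listing into their decoded literals. The decoder name `xx`, the `SAMPLE_VBA` text and the URL in it are constructed placeholders, not values from the analyzed documents.

```python
import re


def decode_type1(obfuscated: str, junk: str) -> str:
    # Type-1 scheme: the real string is what remains after every occurrence
    # of the junk substring is removed from the obfuscated string.
    if not junk:
        return obfuscated
    return obfuscated.replace(junk, "")


# A VBA string literal; a doubled quote inside it stands for one quote.
_VBA_LITERAL = r'"((?:[^"]|"")*)"'


def _unescape(s: str) -> str:
    return s.replace('""', '"')


def _escape(s: str) -> str:
    return s.replace('"', '""')


def deobfuscate_vba(source: str, decoder_name: str) -> str:
    # Find every call  decoder_name("<obfuscated>", "<junk>")  whose two
    # arguments are string literals and replace the call with the decoded
    # literal, so object names, verbs and URLs become readable in the listing.
    pattern = re.compile(
        r"\b" + re.escape(decoder_name) + r"\s*\(\s*"
        + _VBA_LITERAL + r"\s*,\s*" + _VBA_LITERAL + r"\s*\)"
    )

    def replace_call(m: "re.Match") -> str:
        decoded = decode_type1(_unescape(m.group(1)), _unescape(m.group(2)))
        return '"' + _escape(decoded) + '"'

    return pattern.sub(replace_call, source)


# Constructed sample VBA (not from the analyzed documents): "xx" is a
# hypothetical decoder name and the URL is a placeholder.
SAMPLE_VBA = '''Sub AutoOpen()
    Dim http As Object
    Set http = CreateObject(xx("MSzzXMLzz2.XMLzzHTTP", "zz"))
    http.Open xx("G#E#T", "#"), xx("http://example.invalid/pathQQ", "QQ"), False
End Sub
'''

if __name__ == "__main__":
    print(deobfuscate_vba(SAMPLE_VBA, "xx"))
```

Running the block prints the sample with `CreateObject("MSXML2.XMLHTTP")`, `"GET"` and the cleaned URL in place of the decoder calls; pointing `deobfuscate_vba` at a dumped macro with the sample's real decoder name does the same for a captured document.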


With the second type of string obfuscation, only one string is passed to the function:


The Python script to decrypt the string:


In addition to string obfuscation, the malware checks the number of recently opened or accessed files. Execution exits if the number is less than three. This is a simple technique to avoid analysis, because security researchers often use a fresh copy of a virtual environment that has no recently used files. The VBA code:


The macros employ a legitimate site for their malicious purposes. The threat actors use the MaxMind service to gather IP-based location data. (MaxMind provides location data for IP addresses.) The VBA code:


ResponseText1 contains the location, IP address, organization name, and other information. The malware checks whether the following names are contained in ResponseText1.


If any of these names is present, the malware stops. It thus avoids executing inside several antimalware and web hosting organizations, and in some locations in Russia and North America. If the checks pass, the malware downloads malware families such as Ursnif, which steals banking information.
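The two environment checks described above (recent-file count and geolocation keyword match) determine whether a sample ever reaches its download stage, so an analyst wants to know in advance whether a given sandbox would trip them. The block below is an added example, not code from the post, that emulates both checks over constructed input: `recent_file_count` is whatever the analyst measures on the VM, `CONSTRUCTED_RESPONSE` is an illustrative stand-in for ResponseText1 (its layout is not MaxMind's real output), and `PLACEHOLDER_CHECKLIST` is a constructed stand-in for the name list the post does not reproduce.

```python
# Placeholder checklist: the post says the real list names antimalware
# vendors, web hosting companies and some locations in Russia and North
# America but does not reproduce it, so these entries are constructed.
PLACEHOLDER_CHECKLIST = ["Example AV Vendor", "Example Hosting Co", "Exampleville"]

MIN_RECENT_FILES = 3  # per the post: execution exits if fewer than three


def recent_files_check_passes(recent_file_count: int) -> bool:
    # True when the malware would continue past the recent-files check.
    return recent_file_count >= MIN_RECENT_FILES


def matching_checklist_entries(response_text: str, checklist=PLACEHOLDER_CHECKLIST) -> list:
    # Checklist entries that appear in the geolocation response text
    # (case-insensitive substring match). The malware stops if any match.
    haystack = response_text.lower()
    return [name for name in checklist if name.lower() in haystack]


def analysis_vm_report(recent_file_count: int, response_text: str,
                       checklist=PLACEHOLDER_CHECKLIST) -> dict:
    # Summarize which of the two checks a sandbox would fail and whether the
    # sample would proceed to its download stage there.
    hits = matching_checklist_entries(response_text, checklist)
    recent_ok = recent_files_check_passes(recent_file_count)
    return {
        "recent_files_ok": recent_ok,
        "geolocation_hits": hits,
        "malware_would_run": recent_ok and not hits,
    }


# Constructed geolocation response: the field layout is illustrative only and
# the IP address is from the documentation range 192.0.2.0/24.
CONSTRUCTED_RESPONSE = (
    "ip=192.0.2.10; city=Exampleville; region=Example Region; "
    "country=Example Country; organization=Example Hosting Co"
)

if __name__ == "__main__":
    print(analysis_vm_report(recent_file_count=1, response_text=CONSTRUCTED_RESPONSE))
```

A report with `malware_would_run` false tells the analyst which check to address before detonation: seed the VM's recent-documents list, or route its egress so the geolocation lookup does not resolve to a hosting provider or vendor on the list.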

McAfee advises all users to keep their antimalware products up to date. McAfee products detect this malware as W97M/Downloader.

Analyzed MD5 hashes:

  • fac4245a1a3f9e4f5f4c9b727133837b
  • e3f93401a1494112d242c80333703b0f

2 comments on “Macro Malware Adds Tricks, Uses MaxMind to Avoid Detection”

  • Devendra! Thanks for the article.
    So this malware does not attack the antimalware and web hosting companies, but how does it enter computer systems? Through email or files downloaded from the internet? Is this specifically designed for servers or for general PCs too?

    • Devendra Singh says:

      Akash! Thanks for your comment.
      The above macro malware avoids execution if the IP address belongs to any of the companies or locations in the checklist mentioned in the blog.
      It enters computer systems through email, and it is not specifically designed for servers; it works on general PCs too.

