Macro Malware Targets Macs

By on

Macro malware has been spreading for years. New techniques arise all the time to hide malicious code and thus increase the difficulty of analysis. However, just targeting Microsoft Windows no longer seems to be enough for the malware authors. The Mac appears to be the new challenge, and attackers appear to be rising to this challenge.

In previous versions of macro threats, the malicious code was hidden in user forms and macros in Microsoft Office files. (See Macro Malware Associated With Dridex Finds New Ways to Hide.) The latest member of this family seems to have learned a new trick or two, as we now will see.

  • The malicious code is now hidden in the properties of Excel worksheet files:

A malicious Excel file ready to be executed.

When the file is opened we see this message.

If we access the file’s properties, we can read the Powershell script code.

The full content in Properties.

Location of hidden content.

An extract of the Powershell content.

  • The malicious code runs Powershell, which downloads malware after the victim enables macros.

  • The macro searches for the hidden code in Properties and runs it using Powershell, but this works only on Windows systems. How does the malicious code execute on the Mac? The malware developers use MacScript:

The macro code verifies whether WScript.Shell is present. In case of an error, the code executes the module macshell:

This script runs the code on the Mac. The script runs with the same permissions as Microsoft Office.

As we ran this analysis, the control server contacted by this malware sample was not running; so we were unable obtain the payload.

The MD5 hash for the samples we found:

  • 952A36F4231C8628ACEA028B4145DAEC

Full descriptions of the W97M and X97M malware families are available in our Threat Advisories:

During our analysis, the malware attempted contacted the following server (with URL modified for safety):

  • hxxp://

McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect this malicious Office Trojan as X97M/

Leave a Comment

Similar articles

As ransomware threats become more sophisticated, the tactics cybercriminals use to coerce payments from users become more targeted as well. And now, a stealthy strain is using deceptive techniques to mask its malicious identity. Meet CryptoMix ransomware, a strain that disguises itself as a children’s charity in order to trick users into thinking they’re making ...
Read Blog
Think about it: In the course of your everyday activities — like grocery shopping or riding public transportation — the human body comes in contact with an infinite number of germs. In much the same way, as we go about our digital routines — like shopping, browsing, or watching videos — our devices can also pick ...
Read Blog
Microsoft recently patched a critical flaw in Internet Explorer’s scripting engine that could lead to remote code execution. The vulnerability is being exploited in the wild and was originally reported by a researcher from Google’s Threat Analysis Group. Microsoft released an out-of-band patch to fix the vulnerability before the normal patch cycle. McAfee products received ...
Read Blog