Office Macro Malware

Timeline: The Cat and Mouse

1995 ← Attack emerges → 2000 ← Industry responds → 2016 ← Resurgence → 2022 ← Killed → Present

The Evolution

Key Events with Sources

Overview

Office macros (VBA - Visual Basic for Applications) became the most successful malware delivery mechanism in history. For over 25 years, attackers used macros to download and execute malware. Microsoft’s 2022 decision to block macros from internet sources by default effectively killed this attack vector.

The Attack

How Macro Malware Works

1. Victim receives email with .doc/.xls attachment
2. Victim opens document
3. Document contains VBA macro
4. Macro executes:
   - Downloads payload from attacker server
   - Drops payload to disk
   - Executes payload
5. Malware (ransomware, banker, RAT) now running

VBA Macro Example

Sub AutoOpen()
    ' Runs automatically when document opens
    Dim shell As Object
    Set shell = CreateObject("WScript.Shell")
    shell.Run "powershell -enc [BASE64_PAYLOAD]"
End Sub

Historical Milestones

Concept Virus (1995):

• First macro virus
• Spread via Word documents
• Proved macros could be malicious

Melissa (1999):

• Mass-mailing macro virus
• Forwarded itself to Outlook contacts
• Caused widespread email outages

ILOVEYOU (2000):

• VBScript, not Office macro, but related
• Demonstrated script-based malware potential
• Billions in damages

Modern Campaigns (2016-2022):

• Emotet, TrickBot, Dridex, QakBot
• Professional malware distribution
• “Enable Content” social engineering
• Led to ransomware infections

Social Engineering Lures

Attackers needed users to click “Enable Content”:

┌────────────────────────────────────────────┐
│  PROTECTED VIEW                            │
│  This file came from the internet.         │
│  [Enable Editing]                          │
└────────────────────────────────────────────┘

┌────────────────────────────────────────────┐
│  SECURITY WARNING                          │
│  Macros have been disabled.                │
│  [Enable Content]                          │
└────────────────────────────────────────────┘

Common Lures:

• “Enable editing to view content”
• Document appears blank without macros
• Fake error messages
• “Created in older version of Office”
• Invoice/shipping themes

Defense Evolution

Phase 1: Warnings (2000s)

Microsoft added prompts:

• “This document contains macros” warning
• Users could choose to enable or disable
• Problem: Users clicked “Enable” reflexively

Phase 2: Protected View (2010)

Documents from internet opened in sandbox:

• Read-only by default
• No macro execution
• User must click “Enable Editing” then “Enable Content”
• Problem: Two clicks, but users still clicked

Phase 3: Mark of the Web (MOTW)

Windows tracks file origin:

file.docm:Zone.Identifier
[ZoneTransfer]
ZoneId=3  (Internet)

Office checks MOTW to apply Protected View.

• Problem: MOTW could be stripped (archives, ISOs)

Phase 4: Macros Blocked (2022)

Microsoft’s nuclear option:

• Macros in files from internet: BLOCKED
• No “Enable Content” option
• Must explicitly unblock in file properties
• Or move to Trusted Location

┌────────────────────────────────────────────┐
│  BLOCKED CONTENT                           │
│  Macros in this file are blocked because   │
│  this file came from the internet.         │
│  [Learn More]                              │
└────────────────────────────────────────────┘

Attacker Adaptation

With macros blocked, attackers pivoted:

Container Files

ISO/IMG Files:

• Mount as virtual drive
• Contents don’t have MOTW (initially)
• Contains LNK → DLL → malware

ZIP with LNK Files:

• LNK (shortcut) executes command
• Points to LOLBin or payload

OneNote Attachments

• .one files allow embedded objects
• Click to run embedded script
• Microsoft later added restrictions

HTML Smuggling

• JavaScript constructs payload in browser
• Downloads as blob (no MOTW initially)
• See separate entry

XLL Add-ins

• Excel add-in files (.xll)
• Native code execution
• No macro warning
• Microsoft added blocks in 2023

Current State

Status: Limited

Macro malware is effectively dead for initial delivery:

Still Works When

• Documents in Trusted Locations
• Macros enabled by policy
• MOTW somehow stripped
• Document shared internally (not from internet)

Detection Guidance

Legacy Detection

If still seeing macro attempts:

file.extension IN ("doc", "docm", "xls", "xlsm", "xlsb")
AND file.has_macros = true
AND file.source = external

Behavioral Indicators

Office process spawning:

• WINWORD.EXE → cmd.exe
• WINWORD.EXE → powershell.exe
• EXCEL.EXE → wscript.exe

Post-2022 Focus

Monitor for successor techniques:

• ISO/IMG file attachments
• OneNote attachments
• HTML files with JavaScript
• LNK files in archives
• XLL add-in files