Skip to main content
Skip to main content
Microsoft Security

Before you enable those macros…

  • Microsoft Defender Security Research Team

Office 365 client applications now integrate with AMSI, enabling antivirus and other security solutions to scan macros and other scripts at runtime to check for malicious behavior.

This is part of our continued efforts to tackle entire classes of threats. Learn more:

Office VBA + AMSI: Parting the veil on malicious macros

The Microsoft Malware Protection Center (MMPC) has recently seen an increasing number of threats using macros to spread their malicious code. This technique uses spam emails and social engineering to infect a system.

Using macros in Microsoft Office can help increase productivity by automating some processes. However, malware authors have also exploited these capabilities. Since Microsoft set the default setting to “Disable all macros with notification”, the number of macro-related malware threat has declined. More recently we have seen new threats emerging that include some form of social engineering to convince users to manually enable macros and allow the malicious code to run.

Two recent macro downloaders that we have seen spreading through spam email campaigns are TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir. These recent campaigns are one example of an increasing trend of macro malware targeting home users and enterprise customers. These threats predominantly target our customers in the US and UK.

Figure 1: Adnel and Tarbir encounters peaked mid-December, 2014

Figure 2: Regional distribution of Adnel and Tarbir encounters during December 2014


We have seen the spam emails spreading these threats use subject lines such as:

  • ACH Transaction Report
  • DOC-file for report is ready
  • Invoice as requested
  • Invoice – P97291
  • Order – Y24383
  • Payment Details
  • Remittance Advice from Engineering Solutions Ltd
  • Your Automated Clearing House Transaction Has Been Put On

Figure 3: Recent spam campaigns use usually money-related subject lines to entice users to open the malicious email attachment

Similar to other malware that spreads through malicious binary email attachments (for example, TrojanDownloader:Win32/Upatre), macro malware serve as an infection gateway. Once the gate is opened, in this case by opening the email attachment with macros enabled, whatever is on the other side of the gate (the malware), will enter and infect the system.

We have seen the email attachments in the Adnel and Tarbir campaigns using the attachment file names similar to those below:

  • 20140918_122519.doc
  • 813536MY.xls
  • ACH Transfer 0084.doc
  • Automated Clearing House transfer 4995.doc
  • BAC474047MZ.xls
  • BILLING DETAILS 4905.doc
  • CAR014 151239.doc
  • ID_2542Z.xls
  • Fuel bill.doc
  • ORDER DETAILS 9650.doc
  • Payment Advice 593016.doc
  • SHIP INVOICE 1677.doc

These names are again designed to look like legitimate payment files and use social engineering to convince recipients to open them. Upon opening the Microsoft Office file (in this case a Word document), a user will be prompted to enable macros. By default, the macros in Microsoft Office are set as “Disable all macros with notification”. Until they are manually enabled, the malware code cannot run.

Imagine this blocking of untrusted macros is the lock on the gate, and the key to open the lock is user consent. A simple click enables the untrusted macro to run, which give the malware access to the system. This is where another social engineering trick comes in. The malware authors provide step-by-step instructions to trick the user to enable the untrusted macros by.

The following screenshot shows the contents of a spam email attachment spreading TrojanDownloader:O97M/Tarbir.

Figure 4: The malware masquerades itself as a Microsoft Office notification to mislead users into enabling macros

The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button. When they do, the macro executes and downloads its payload, which is to download other malware, including TrojanDownloader:Win32/Drixed.B.

To avoid further infection from these malware types, keep this in mind:

  • A file which contains a receipt or billing statement, most of the time does not need to have any macros in it.
  • Be cautious of unsigned macros and macros from an untrusted source. Macro malware are usually unsigned.
  • Some macro malware leave the document intentionally empty, relying on the user to think that they need to enable the macro so that they can see something. Beware of such tricks.

Microsoft security products, such as Microsoft Security Essentials, include detection for TrojanDownloader:W97M/Adnel and TrojanDownloader:O97M/Tarbir. To help stay protected we recommend you keep your security software up-to date.

We also encourage people to join our Microsoft Active Protection Service Community (MAPS) and take advantage can take advantage of the Microsoft cloud protection service.

Alden Pornasdoro


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.