Malicious Office Macros: Detecting Similarity in the Wild | Perception Point

Attackers rely on Office macros and transformation toolkits to preserve malicious behavior while changing signatures, making similarity detection essential for modern defenses. The article showcases real-world similarity patterns in macro malware (identifier shuffling, constant modification, and primitive reuse) and describes Perception Point’s approach to detecting such similarities by code-fragment matching. #OfficeMacros #PowerShell

Keypoints

  • Malicious samples are often transformed (obfuscation, packing, name shuffling, patching) to preserve behavior while yielding unseen signatures, complicating signature-based detection.
  • Similarity detection can improve malware detection by flagging samples that are behaviorally alike to known malicious ones.
  • Macros in Microsoft Office (VBA) are a common infection vector and can automate file/network access and command execution.
  • Identifier shuffling can produce macros that are semantically the same but differ in function/variable names, still triggering the same malicious flow via events like Worksheet_Change.
  • Modifying constants and obfuscated strings shows how attackers rebuild commands (e.g., PowerShell) with different inputs, including network locations.
  • Reusing primitives: different encoding/decoding sequences can be swapped while reusing a common decoding routine (e.g., decodeBase64) and shared data-transport routines (e.g., writeBytes).
  • Perception Point’s solution decomposes macros into code fragments and matches them against fragments seen in other samples to detect related campaigns with high precision.
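As an added illustration of the code-fragment matching described above (example code written for this summary, not Perception Point's implementation), the script below normalizes each VBA procedure so that shuffled identifiers and edited constants map to the same token stream, then compares procedures across two samples by n-gram shingle overlap. The two macro samples are constructed, and the KEEP list, the n-gram size and the 0.8 threshold are assumptions.

```python
import re

# VBA keywords and well-known API names stay verbatim; any other identifier is
# renameable and is replaced by a positional placeholder (ID0, ID1, ...).
KEEP = {"sub", "function", "end", "dim", "as", "set", "call", "byval", "string",
        "long", "object", "range", "shell", "createobject", "replace", "chr",
        "mid", "worksheet_change", "auto_open"}
TOKEN = re.compile(r'"[^"]*"|\d+|[A-Za-z_]\w*|[^\s\w]')
PROC = re.compile(r"\b(Sub|Function)\s+(\w+).*?End \1", re.S | re.I)

def normalize(proc_src):
    # Token stream invariant to name shuffling and to constant edits (STR/NUM).
    names, out = {}, []
    for tok in TOKEN.findall(proc_src):
        low = tok.lower()
        if tok[0] == '"':
            out.append("STR")
        elif tok.isdigit():
            out.append("NUM")
        elif low in KEEP or not (tok[0].isalpha() or tok[0] == "_"):
            out.append(low)
        else:
            out.append(names.setdefault(low, f"ID{len(names)}"))
    return out

def fragments(vba_src, n=4):
    # One fragment per procedure: the set of n-gram shingles over its tokens.
    frags = {}
    for m in PROC.finditer(vba_src):
        t = normalize(m.group(0))
        frags[m.group(2)] = {tuple(t[i:i + n]) for i in range(len(t) - n + 1)}
    return frags

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0

def matching_fragments(a_src, b_src, threshold=0.8):
    # (procedure in A, procedure in B, similarity) for pairs overlapping >= threshold.
    fa, fb = fragments(a_src), fragments(b_src)
    return [(na, nb, round(jaccard(sa, sb), 2)) for na, sa in fa.items()
            for nb, sb in fb.items() if jaccard(sa, sb) >= threshold]

# Constructed samples: B is A with names shuffled, a changed constant, and one extra procedure.
SAMPLE_A = ("Private Sub Worksheet_Change(ByVal Target As Range)\n"
            '    cmd = Replace("ca1c.exe", "1", "l"): Call runIt(cmd)\nEnd Sub\n'
            "Sub runIt(c As String)\n    Shell c, 0\nEnd Sub\n")
SAMPLE_B = ("Private Sub Worksheet_Change(ByVal Target As Range)\n"
            '    q = Replace("c@lc.exe", "@", "a"): Call zz(q)\nEnd Sub\n'
            "Sub zz(k As String)\n    Shell k, 0\nEnd Sub\n"
            "Function unrelated(n As Long) As Long\n    unrelated = n * 2\nEnd Function\n")
```

Running `matching_fragments(SAMPLE_A, SAMPLE_B)` reports both shared fragments at full similarity while the unrelated procedure produces no match, which is the precision property the summary attributes to fragment-level matching.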

MITRE Techniques

  • [T1047] Windows Management Instrumentation – The macro creates an ActiveX object via CreateObject with winmgmts:Win32_Process to construct arguments and invoke Create, leading to a PowerShell payload execution. “an ActiveX object is created by invoking the CreateObject API with the winmgmts:Win32_Process class”
  • [T1059.001] PowerShell – The process uses a PowerShell command to download and execute a malicious payload. “PowerShell command that downloads and executes a malicious JavaScript payload”
  • [T1027] Obfuscated/Compressed Files and Information – The macro obfuscates constants and uses Replace to transform strings into a PowerShell command. “First, defines an obfuscated constant string (line 2), and then uses the Replace API to perform several transformations (lines 3-8) which eventually result in a PowerShell command that will be executed later in the function Auto_open using the Shell API.”
  • [T1132] Data Encoding – The macros reuse data-encoding primitives, notably a decoding routine that handles base64-encoded data. “the decoding procedure, the function decodeBase64, which performs a standard decoding of a base64-encoded string”
  • [T1105] Ingress Tool Transfer – The PowerShell payload download/execution involves fetching a malicious payload from a network location. “PowerShell command that downloads and executes a malicious JavaScript payload”

Indicators of Compromise

  • [File Name] calc.exe – a command in the macro flow that is used to trigger execution.

Read more: https://perception-point.io/blog/malicious-office-macros-detecting-similarity-in-the-wild-2/