Stop Scanning My Macro

FireEye Labs detected an interesting evasion strategy in two recent, large Dridex campaigns. These campaigns changed the attachment file-type and location of malicious logic in an attempt to avoid scanners.


Both campaigns used an invoice theme and came from a wide variety of sending addresses, with messages being sent to more than 40 countries across all industries, as seen in Figure 1 and Figure 2. The following subject lines were used:

Invoice <xxxx> from Tip Top Delivery
Urgent: IMAGINiT invoice <xxxx> is Past due

Figure 1. Affected Countries

Figure 2. Affected Industries

What made these two campaigns interesting was the major shift in the downloader techniques used to evade signature-based detection. The following are some of the key techniques that were used:

  1. Disguising WordprocessingML as RTF file to evade type specific signatures.
  2. Keeping the main malicious macro clean to avoid macro-based detection. The malicious VBA code was instead stored in TextBox objects located within the Forms, as seen in Figure 4.
  3. Dropping a VBE based downloader that could not be seen without execution of the malicious RTF file. This downloader would then download and execute the malicious payload.
1.    Masquerading WordprocessingML as RTF file

While Dridex has traditionally been delivered using Excel, Word, or JavaScript files, these two large campaigns involved WordprocessingML (an XML format that is supported by Microsoft Word to describe a Word document) masquerading as RTF files. This seems to be a trend, as we saw a similar technique in previous campaigns where a DOCM file was disguised as RTF. Figure 3 shows a screenshot of the Tip Top campaign, set as high priority.

Figure 3. Designed Campaign

2.    Keeping the main macro clean

In the extracted macro, it is interesting to note that there is almost no malicious content that could trigger static detection. In fact, a majority of the key ingredients are stored in text boxes within created forms, shown in Figure 4.

Using this, it defeats signature-based scanning, which tries to detect known malicious macro based on past knowledge. At the time of discovery, most of the samples that were observed were detected by only one out of 56 vendors on VirusTotal, which indicates that modifications made to these malicious documents was likely an effort to avoid detection.

Figure 4. Secret Macro

3.    VBE Downloader

Once the malicious macro is launched, the Word document drops a malicious VB Encoded script in a temporary folder, as shown in Figure 5.

Figure 5. Location of the VBE

Based on our analysis, the VBE simply downloads Dridex from the malware server and installs it on infected machines, as shown in Figure 6.

Figure 6. Decoded VBE


The authors left Cyrillic strings in the XML, which could possibly be used as an IOC to hunt for similar documents.

  • <wx:uiName wx:val="Основной шрифт абзаца"/> (translates to "The main text of the paragraph")
  • <wx:uiName wx:val="Обычная таблица"/> (translates to "table Normal")
  • <wx:uiName wx:val="Нет списка"/> (translates to "No List")
  • <o:LastAuthor>павуваыва</o:LastAuthor>

Cybercriminals continue to innovate, this time demonstrating a creative way of making threats harder to detect using static signatures. To remain secure, it is important to stay vigilant and proactive in three key areas: user awareness, policy and technology.

Indicators of Compromise

1.     IMAGINiT campaign


Network Indicator
GET /michigan/map.php HTTP/1.1

2.     Tip Top Delivery campaign


Network Indicator
GET /michigan/map.php HTTP/1.1