Microsoft is warning of an innovative new technique attackers are using to sneak macro malware past virus detection engines and add to the already huge uptick in reported macro attacks.
Researchers at Microsoft’s Malware Protection Center said they stumbled upon the macro technique in a file containing VBA project scripts with a sample of well-known macro malware called TrojanDownloader:O97M/Donoff. It wasn’t the malware that piqued Microsoft’s interest; it was the attacker’s never-before-seen obfuscation technique.
It wasn’t immediately obvious that the macro file was actually malicious, wrote Marianne Mallen and Wei Li, both antivirus researchers at the Microsoft Malware Protection Center, who co-authored a blog post earlier this week on their discovery. “It [was] a Word file that contains seven VBA modules and a VBA user form with a few buttons (using the CommandButton elements),” the authors wrote.