Month: March 2020

  • Maldoc drops DLL and executes via ExecuteExcel4Macro

    Behavioral information is a key indicator used to determine whether an office document is malicious or not. I’ve recently seen a series of malicious office documents that lacked any observable process behavior – such as the execution of PowerShell or JavaScript via cscript/wscript. As I began looking into this document, it became apparent why – […]

  • Maldoc uses Windows API to perform process hollowing

    A favorite technique of malware authors is to use macros in their office documents to launch a normal system executable and replace the code inside it, a technique known as “process hollowing”. The primary goal of this post is to identify this technique and understand how it is employed. I’ve also posted a video that walks […]

  • Maldoc uses RC4 to hide PowerShell script, retrieves payload from DNS TXT record

    Malware authors are constantly coming up with new and clever techniques to help avoid detection. In this maldoc, the authors employed several techniques to help complicate analysis and even evade sandboxes. The document begins with an image that instructs the user to enable content, which will cause the macros to execute. However, instead of immediately […]