Maldoc drops DLL and executes via ExecuteExcel4Macro

Behavioral information is a key indicator used to determine if an office document is malicious or not. I’ve recently seen a series of malicious office documents that lacked any observable process behavior – such as the execution of Powershell or JavaScript via cscript/wscript. As I began looking into this document, it became apparent why – it was using ExecuteExcel4Macro to load and execute a hidden DLL. Looking at the Macros Using Oledump, several macro streams where identified in this document (17 – 20, 23 – 24). Additionally, it contains a stream OLE 1.0 embedded data (see stream 4 above). This…

Read more