Overview
Type: PUA (Potentially Unwanted Application)
Destruction Level: Low
Prevalence: Low
What is Potentially Unwanted Application (PUA)?
PUAs are classed as malware that includes adware, toolbar installers or similar unwanted components, but in practice they are not as destructive as other malware.
Software in this category may perform activities the user did not approve or expect, and may be malicious, but some users consider the benefits of such software to outweigh its drawbacks and accept the responsibility for running it.
Technical Review
Indicators of Compromise (IoC)
In tools deployed by APT groups (such as APT-19, APT10 and their derivatives like TA-410), by other malware families (such as the Emotet data-stealing malware), and in most Cobalt Strike cases, the attack is often initiated with an Auto-Exec macro in a Microsoft Office document.
In these methods social engineering is used to bypass the sandbox in the following two ways:
1. Simple mode: the Auto-Exec macro is embedded in the document itself; once the document is opened and macros are enabled, the malware runs.
2. Remote template: the macro is stored on a remote server (in template format); using the remote template update mechanism, or vulnerabilities related to remote module loading (such as CVE-2017-0199 and its derivatives), the macro is downloaded and executed from a tmp file.
How to deal with and clean the system?
To limit the damage, and since it is usually not possible to disable macros completely because of customers' needs, remote template loading is automatically restricted for documents that use the following auto-execution functions:
* AutoExec
* AutoOpen
* Document_Open
* Workbook_Open
Padvish antivirus detects this type of threat as “PUA.MSOffice.VBA.maldoc” and prevents its execution. If you are sure that your files are clean and your employees' behaviour is safe, you can exclude this signature (signature exception).
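Both indicators described above, an external attachedTemplate relationship (remote template mode) and an embedded VBA project containing one of the four auto-execution entry points, can be checked for in an OOXML file with a short script. This is an added example, not Padvish's code; the sample-document builder, the template URL and the VBA blob are constructed test data, and the name scan is a heuristic (a production scanner would decompress the MS-OVBA streams, e.g. with olevba).

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Auto-execution entry points listed on the page: a macro with one of these
# names runs as soon as the document is opened, with no further user action.
AUTO_EXEC_NAMES = ("AutoExec", "AutoOpen", "Document_Open", "Workbook_Open")
REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")


def scan_office_document(data: bytes) -> dict:
    """Return the indicators found in a docx/docm file supplied as bytes."""
    findings = {"remote_template": None, "has_vba": False, "auto_exec": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        # Remote template mode: settings.xml.rels points attachedTemplate at an external URL.
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            root = ET.fromstring(zf.read(rels))
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    findings["remote_template"] = rel.get("Target")
        # Simple mode: embedded VBA project. Heuristic raw-byte scan for the entry-point names
        # (MS-OVBA compresses module source, but literal runs usually keep these names intact).
        for vba in (n for n in names if n.endswith("vbaProject.bin")):
            findings["has_vba"] = True
            blob = zf.read(vba).lower()
            findings["auto_exec"] = [n for n in AUTO_EXEC_NAMES if n.lower().encode() in blob]
    return findings


def build_sample_docm(template_url: str, vba_blob: bytes) -> bytes:
    """Constructed test data: a minimal docm-like zip, not a valid Office file."""
    rels = ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<Relationships xmlns="{REL_NS[1:-1]}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/settings.xml.rels", rels)
        zf.writestr("word/vbaProject.bin", vba_blob)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docm("http://template.example/invoice.dotm", b"Sub AutoOpen()\r\nEnd Sub")
    print(scan_office_document(sample))
```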