Macro Virus Demo

A macro is a snippet of VBA (Visual Basic for Applications) code embedded in a Microsoft Office document, especially Excel and Word files.

When this code is written to perform malicious actions, it is called a macro virus.

I’ve been a Windows programmer for over a decade now, and though I migrated to .NET, coding in classic VB is still fun. I thought of creating a demo macro “virus” and giving a hands-on demonstration of how it can be detected, and an idea of how devastating it can be.

1. I have attached two files.

> CriticalFile.txt : This is just a simple text file, which is going to play the sacrificial lamb

> TaxReport.xls.xlsm : This is a macro-enabled Excel file.

Note that it has an innocent (and plausible) name – so users may download it on good faith when they receive it through email.

Also, note the extension. It is .xls.xlsm.

Most Windows users have “Hide extensions for common file types” turned on in their folder settings – so they will only see “TaxReport.xls” when they download it to their desktop, without noting anything amiss.

2. What does this macro virus do?

As I want to play nice (relatively), on opening the Excel file all it does is look for “CriticalFile.txt” on your Desktop and delete it.

I hope it gives you an appreciation of what it can do if it weren’t playing nice!
It can delete real critical files on your system. Alter them. Transfer confidential files to remote locations. Lock down your PC. And yes, hold you at Ransom. Home-brewed Ransomware, anyone?

3. If you’d like to test it out, this is what you can do:

Download CriticalFile.txt. Save it on your desktop.

Download TaxReport.xls.xlsm. Save it on your desktop.

Double-click and open TaxReport.xls.xlsm.

If your Microsoft Office security is working well, it should warn you that “Macros have been disabled”. 

Go ahead and click on “Enable Content”.

Visually you’ll see nothing has changed. 

Go back to your desktop – you’ll notice that CriticalFile.txt is deleted!

A few things:

1. Did your anti-virus detect it? I have AVG, and it didn’t.

2. Did your file disappear? If it did not (good for you!), were you logged into a non-admin account? Do you think that matters?

3. Can you find the missing file in your recycle bin? (You shouldn’t – it performs a hard, permanent delete)

What were the traps?

> Misleading filename (and extension) to gain trust and get the user to download and open the file

> Clicking on “Enable Content”
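Both traps can be caught before anyone reaches “Enable Content”. As an added example (this is not code from the original post, and the author’s macro is not reproduced here), the Python script below does what a mail gateway or a cautious user could do with an incoming attachment: it flags a name that stacks a harmless-looking extension in front of a macro-enabled one (TaxReport.xls.xlsm) and, for the zip-based Office formats, checks whether the file actually carries a VBA project part. The suffix lists are my assumptions about which extensions count as decoys and which are macro-enabled, and the sample “workbooks” are constructed in memory so the script runs offline; they are not real Excel files.

```python
import io
import zipfile
from pathlib import PurePath

# Assumption: the common OOXML suffixes that may legitimately carry VBA macros.
MACRO_ENABLED_SUFFIXES = {".xlsm", ".xltm", ".xlam", ".docm", ".dotm", ".pptm"}

# Assumption: extensions a user reads as "just a document"; a deceptive name
# puts one of these in front of a macro-enabled suffix, e.g. TaxReport.xls.xlsm.
DECOY_SUFFIXES = {".xls", ".xlsx", ".doc", ".docx", ".ppt", ".txt", ".pdf"}


def has_deceptive_double_extension(filename: str) -> bool:
    """True when a decoy extension is stacked before a macro-enabled one,
    which is exactly what "Hide extensions for known file types" conceals."""
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return (
        len(suffixes) >= 2
        and suffixes[-1] in MACRO_ENABLED_SUFFIXES
        and suffixes[-2] in DECOY_SUFFIXES
    )


def contains_vba_project(data: bytes) -> bool:
    """True if a zip-based Office container holds a vbaProject.bin part.
    Anything that is not a zip (e.g. a legacy OLE .xls) returns False:
    this check covers only the OOXML formats."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return False
    return any(n.endswith("vbaproject.bin") for n in names)


def assess(filename: str, data: bytes) -> dict:
    """Combine both checks into one verdict for an attachment."""
    findings = []
    if has_deceptive_double_extension(filename):
        findings.append("deceptive double extension")
    if contains_vba_project(data):
        findings.append("embedded VBA project")
    return {"name": filename, "findings": findings, "suspicious": bool(findings)}


def build_sample(with_vba: bool) -> bytes:
    """Constructed minimal OOXML-like zip for the demo; not a real workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Placeholder bytes standing in for a compiled VBA project.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("TaxReport.xls.xlsm", build_sample(with_vba=True)),
        ("Budget.xlsx", build_sample(with_vba=False)),
    ]
    for name, blob in samples:
        print(assess(name, blob))
```

Note that the presence of a VBA project is not proof of malice, since plenty of legitimate spreadsheets carry macros; the point is that a file named like a plain .xls should not contain one at all, and that combination is the signal worth quarantining or at least warning on.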

This macro virus is spread through phishing and can grow into ransomware!

(If you did download the file, please go ahead and delete it, and thank you for trusting me!)

Do let me know any other observations you made or thoughts you have.

Thank you!