The new Locky ransomware has been making big headlines recently due to its reported links to the Dridex botnet. This week, the team at Wapack Labs took a closer look at a unique malicious macro that has been downloading Locky payloads for the past couple days.
Similar to Dridex, the macro is delivered via large scale phishing attacks and it is embedded in Microsoft Excel documents. The good news is the macro will not be launched upon rendering the host document, it requires user interaction in order to enable it.
All macro malware will either launch embedded files or download remote files. Variants that download malware have become increasingly popular as they trigger less static detections. Typically the download URLs that are embedded in these macros are obfuscated so as to make detection and analysis more difficult. Fortunately, these URL obfuscation tactics are often rudimentary and they also present unique artifacts for malware identification.
The Locky macro is no different. Close to 300 specimens were identified and every one makes use of the same simple URL obfuscation. This method is characterized by ASCII character codes which are delimited with |1. The following is an example observed in strings:
After removing the |1 delimiter and converting the remaining ASCII codes, we are left with the download URL which consists of a compromised website. Despite identifying hundreds of recent specimens in the past two days, only 17 distinct URL download sites were identified – all delivering the same payload.
All observed file names use the same naming convention which contains the prefix “Rechnung”, German for bill, followed by randomized hex ascii. Examples:
Among all of these Locky macros, there was no consistent AV detection ratio. Some had zero detection while others had over 20. Nevertheless, a large amount had poor detection with more than 40% detected by less than 10 AV vendors. Unfortunately, this poor AV detection exemplifies macro malware as a whole and explains the popularity of this tactic.
We suspect that we haven’t seen the last of Locky and that more of these will be popping up in the near future. Happy hunting and stay vigilant!
The following python code may be used to de-obfuscate the Locky macro URLs:
url = '1104|1116|1116|1112|1058|1047|1047|1110|1101|1119|1097|1121|1115|1045|1101|1117|1114|
url = url[1:]
url = url.split('|1')
url_int = 
for u in url:
decoded_url = ''.join(chr(i) for i in url_int)
The following yara rule will detect files that leverage the URL obfuscation observed in the Locky macro downloaders:
description = "Detects unique URL obfuscation seen in Locky macro downloaders"
author = "Chris Hall (email@example.com)"
$http = "1104|1116|1116|1112"
$exe = "|1046|1101|1120|1101"
all of them