{
	"id": "0ae9ec88-7f26-48cd-8f5b-09db1759fd6e",
	"created_at": "2026-04-06T00:16:23.852628Z",
	"updated_at": "2026-04-10T03:33:12.436514Z",
	"deleted_at": null,
	"sha1_hash": "4b048db96ed4d3cb4f0fe703ebcc95af9889cc95",
	"title": "4 Types of Dropper Malware in Microsoft Office \u0026 How to Detect Them | Deep Instinct",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 798385,
	"plain_text": "4 Types of Dropper Malware in Microsoft Office \u0026 How to Detect\r\nThem | Deep Instinct\r\nBy Bar Block, Threat Intelligence Researcher\r\nPublished: 2022-05-24 · Archived: 2026-04-02 10:51:58 UTC\r\nMicrosoft Office droppers have been a favorite of threat actors for years, who continuously find and exploit\r\nthem. Cybersecurity vendors take note and block these entry routes. It’s a perpetual cat and mouse game and,\r\nunfortunately, bad actors typically have the upper hand – at least for a short time. And as AI-based solutions have\r\nmatured and gained market share, these tools have also been targeted for evasion.\r\nThis blog will review a variety of VBA droppers that employ different bypass techniques, including an analysis of\r\nan evasion method used in the recent Emotet wave. We will also introduce a Python script I wrote to increase the\r\nlikelihood of detecting these malware threats.\r\nYou Got Malware — Aggah’s Use of MsgBox Comments\r\nAggah, a threat actor group that has been active since 2019, has delivered many payloads, mostly RevengeRAT, to\r\nnumerous victims. This group is particularly adept at working with Microsoft Office documents and employs\r\nvarious methods in their VBA scripts to make them stealthier. One of these methods, which appears to be used to\r\nevade AI-based cyber tools, is the use of comments containing the string ‘MsgBox.’\r\n‘MsgBox’ is a function used in VBA to prompt message boxes; it appears in many Visual Basic scripts and is\r\nusually benign. Having this string in the comments of VBA code increases the likelihood that it will be classified\r\nas benign by an AI module. 
If the code is short and the lengthy ‘MsgBox’ comments comprise a substantial part of\r\nit, this will further increase the chances that it will be classified as benign.\r\n An Aggah dropper's VBA code\r\nA Command in a Comments Stack — Emotet’s Use of Random Sentences\r\nWe have seen recent Emotet VBA droppers containing long comments composed of random words. As we see in\r\nthe figure below, the executed command and the variable containing it were not obfuscated, just floating in a sea\r\nof long random comments.\r\nUsing these excessive comments might fool both analysts and AI solutions (the former might miss the malicious\r\nMSHTA execution when looking at the code, and the latter might give more consideration to the benign features,\r\naka the excessive comments, than to the malicious ones).\r\nFigure 2: An Emotet dropper's VBA code, the actual commands are highlighted in yellow. Note: a few long comments were redacted,\r\nsince each of them is just a compilation of random words and none of them contribute to the understanding of the code’s functionality.\r\nhttps://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office\r\nPage 1 of 8\n\nHomegrown Obfuscation — Dridex’s Usage of Self-Created Functions \r\nOne of the most interesting droppers we have recently observed was crafted by the notorious threat group Dridex.\r\nIn the following example, Dridex employs several sophisticated methods aimed at increasing its likelihood of\r\nsuccess — delivering a payload successfully and without detection.\r\nAs we see below, the script retrieves strings stored in Excel cells and runs them through the ‘slow’ function, which\r\nreturns a de-obfuscated version of its input. The first string is collected from the “B101” cell and is translated into\r\n“WScript.Shell,” the second is assembled by activating VBA’s “Transpose” and “Join” commands on the cells\r\nrange “K111:K118.” \r\nThe Dridex dropper’s VBA\r\noutput. 
Note: some parts of the code were redacted, since they are irrelevant to this blog.\r\nAfter retrieving the data from the cells, the following is received:\r\nTo de-obfuscate this part, I replaced every “${PJ}” and “${GAB}” mentioned with a comma and a quotation mark,\r\nrespectively. I also replaced the indexed placeholders with the appropriate strings and removed unnecessary\r\ncharacters, such as backticks.\r\nThis resulted in the following code:\r\nThis is obviously obfuscated as well — the main executed string is base64 encoded and deflate compressed. Of\r\nnote, the attackers went the extra mile and tried to hide their use of the ‘iex’ command (short for ‘Invoke-Expression’) by retrieving the characters ‘i’ and ‘e’ from the value of the environment variable ‘pshome,’ which\r\ncontains the path to the PowerShell directory, as can be seen in the highlighted section above.\r\nAfter base64 decoding and decompressing the base64 encoded string, yet another obfuscated string is received. 
\r\nAfter reassembling the strings and removing unnecessary characters, the following is received:\r\nJust as before, base64 decoding and decompression are required in order to retrieve the code of the next stage.\r\nHowever, this time Dridex employs something we have not seen in previous stages — aliases.\r\nIn the above snippet, ‘nal’ (‘New-Alias’) and ‘sal’ (‘Set-Alias’) are used to set ‘cf’ and ‘ox’ as aliases for ‘New-Object’ and ‘iex,’ respectively.\r\n“.(‘yi’)(${aB})” returns another call to the ‘yi’ function, which in turn provides the following output:\r\nAnd after some cleanup, we can finally get a semi-clear picture of what the dropper tries to do:\r\nAfter going over the above code (and adding a few notes for myself along the way, which I left in the snippet), I\r\nfinally reached a verdict regarding the dropper’s true intention: it retrieves the user’s ID, removes the hyphens it\r\ncontains, and assembles a URL that looks like this https://geronaga[.]com/gero?myHyphenLackingUID. It then\r\ndownloads a file to the user’s temp directory, decodes and decrypts it, executes the file’s content using ‘regsvr32’\r\nand then, finally, deletes this content to avoid leaving any traces. \r\nSince the domain is inactive and the focus of our blog is to present evasion techniques in Microsoft Office\r\ndroppers, I did not expand my analysis of the downloaded file. 
However, since we know that ‘regsvr32’ is used to\r\nexecute the file’s content and that the payload is a DLL, we can assume that the downloaded file contains a DLL\r\nregistration command for the payload.\r\nFor a more expanded analysis of this dropper, you can read this excellent blog.\r\nLess Complicated, More Files\r\nSometimes, simple obfuscation techniques can be sufficient to avoid detection, especially if the infection flow\r\ninvolves multiple stages and files written in different scripting languages, as demonstrated below in the analysis of\r\nan Emotet dropper from the malware family’s recent resurrection.\r\nThe Emotet dropper's VBA output. Note: some parts of the code were redacted, since they are irrelevant to this blog; moreover, some\r\nof them are never executed.\r\nAs you can see, the VBA function “Cells” is used in this script to extract the contents of specified Excel cells and use\r\nthem in the VBA script. Without knowing what these cells contain, it is difficult to determine whether the file is\r\nmalicious or not, especially since none of the commands seems damning enough.\r\nTo get a clearer picture, I replaced all the highlighted “Cells” function calls in the above code snippet with the matching\r\nstring values, highlighted in yellow in the below code snippet.\r\nThis provided greater insight into the script’s functionality; the “Wscript.shell” string suggests Wscript will be\r\nused to execute additional commands, while \"c:\\programdata\\ughldskbhn.bat\" and \"c:\\programdata\\yhjlswle.vbs\"\r\nimply that Emotet uses these Batch and VBS files in this infection flow.\r\nThe strings highlighted in green in the above snippet are replaced in the lengthy strings extracted from the Excel\r\ncells by an empty string using the VBA “Replace” function. 
Padding parts of the actual commands with these\r\nstrings decreases the chances of them being flagged during a static analysis. After the VBA “Replace” command is\r\nrun, the following is received:\r\nWith the information from the above decoded strings in hand, I could determine that the next stage in the infection\r\nflow is the VBS script, which the VBA dropper executes using “wscript.” Since there were no direct calls to the\r\nBAT script in the VBA code, I could assume that, if used, it would be executed from the VBS script.\r\nBasically, the VBA dropper only creates the VBS and BAT files, writes content into each of them, and then the\r\nVBS script takes center stage.\r\nc:\\programdata\\yhjlswle.vbs’s original content\r\nAs can be seen above, the VBS script contains several commands, all concatenated using colons. After separating\r\nthe commands into different lines and activating the “replace” functions, I received the following:\r\nBasically, the script executes the previously created Batch file and then tries to execute\r\n“c\\:programdata\\x08neuihlows.dll,” while providing it with the value “hjyldksfkw3” using rundll32. Since this is\r\nthe first mention of “x08neuihlows.dll” and the VBS file executes the Batch script before running the DLL, it is\r\nfair to assume that the BAT script is in charge of dropping the executable in the right location.\r\nJust like the VBS file uses colons to concatenate commands, the BAT script uses ampersands to do the same:\r\nIn short, the script sets a few variables, and concatenates their values in the below command.\r\nWhich translates into the following:\r\nAfter base64 decoding the PowerShell script, I discovered how Emotet downloads their DLL payload and from\r\nwhere.\r\nAs can be seen below, the variable “MJXdfshDrfGZses4” contains a list of URLs which the script goes over using\r\na “for” loop. 
Each time the “for” loop runs, it tries to download the Emotet DLL into\r\n\"c:\\programdata\\bneuihlows.dll\" using “Invoke-WebRequest.” Then, it checks if the downloaded file’s length is\r\ngreater than 47436 bytes. If so, it means that the DLL was downloaded successfully, and the loop breaks.\r\nThe PowerShell code used to retrieve the Emotet payload\r\nInteresting Cells and Where to Find Them\r\nAs we see in the above analysis, storing the actual commands in Excel cells instead of in the VBA code itself can\r\nbe a good way to avoid detection because when a static analysis mechanism goes over the VBA code, it cannot\r\ndetermine whether the executed content is malicious or not. Since Excel cells have benign uses in VBA code as\r\nwell, a security product may deem them as benign, to avoid a false positive.\r\nOf course, if the cells are replaced with their content, the likelihood for detection increases. So I tried to find a\r\nway to replace the “cells” function calls with the right strings without running the VBA code during the analysis. \r\nDuring my research, which focused on OOXML files, I found two files, which Excel creates by default, that could\r\nhelp achieve this goal: “sharedStrings.xml” and “xl/worksheets/sheetName.xml.” \r\nThe first file, “sharedStrings.xml,” contains all the strings in the Excel file. The class SharedStringItem (ssi)\r\nrepresents string items (si) and each si element contains a text (t). The file contains unique strings, each\r\nrepresenting the full content of one or more Excel cells.\r\nA SharedStrings.xml example\r\nTo match the strings to the right cells, we need a cell to string mapping — this is where\r\n“xl/worksheets/sheetName.xml” comes into the picture. 
In OOXML Excel files, cells containing data are\r\nmapped in an XML file found at the following path: “xl/worksheets/sheetName.xml,” for example,\r\nthe cells of “sheet1” are mapped in “xl/worksheets/sheet1.xml.” Each of these cell-mapping files contains\r\na tag called “SheetData,” which contains a “row” tag for each row in the sheet that contains data. Each “row”\r\nentry contains “c” (cell) entries. Cells that contain strings have their ‘t’ (type) values set to ‘s’ and their ‘v’ (value)\r\ntags contain an integer that is the index of the ‘si’ object whose string the cell contains in “sharedStrings.xml.”\r\nCells that contain other types of data, such as integers and floats, store the value directly in their ‘v’ tags.\r\nAn example of an “xl/worksheets/sheetName.xml” file\r\nBy writing a script that extracts that data, matches cells to their appropriate values, and replaces “cell” function\r\ncalls with these values, I could make the script less obfuscated and increase the likelihood of it being flagged by a\r\nstatic analysis mechanism. I also addressed the VBA “replace” functions issue and mimicked its functionality in\r\nmy code.\r\nThe script is still in the works and currently handles only the “cells,” “transpose,” and “replace” functions. In\r\naddition, it only works on OOXML files and expects to get the VBA code as an input (I used oledump to extract it\r\nfrom examined Office files). There is still much work to do and cases to address, such as the use of variables in\r\nfunction calls, e.g., “cells($i, $j)”, and OLE files.\r\nPrevention, Detection, and Everything in Between\r\nObfuscated droppers are more difficult to detect — they contain intentionally broken strings that evade static\r\nsignatures, store malicious content in Excel cells, and use excessive comments in the hope of hiding their\r\nmalicious content. But difficult does not mean impossible. 
Some patterns can still be signed statically, other\r\nbehaviors can be detected dynamically, and if you want to take the bulldozer approach, you can just forbid all\r\nscript executions (or at least most of them).\r\nConclusion\r\nDeep Instinct’s agent uses deep learning to prevent malicious droppers, ensuring they can’t execute in your\r\nenvironment. The Deep Instinct Prevention Platform stops known, unknown, and zero-day threats with the highest\r\naccuracy and lowest false-positive rate in the industry. We stop attacks before they happen, identifying malicious\r\nfiles in \u003c20ms, before execution.\r\nIf you’d like to see the platform in action for yourself, we’d be honored to show you what true prevention looks\r\nlike. Please request a demo.\r\nIndicators of Compromise (IoCs)\r\n0042404ac9cbe7c082b9c0ae130e956ab7989cfa72a3f3b0c7f2226e23a6c6cb Emotet (Excel cells method) Office dropper\r\n40a1e0aa0e580e2a15bbfd70ba4b89d3dd549bdc7bc075a223f12db0ddd2195d Emotet (Excel cells method) VBA code\r\ned7c68c3c103beaa7e5f30a3b70a52bb5428ce1498b7f64feda74342f93e16fe Emotet (excessive comments method) VBA code\r\n028a5447d36c7445e3b24757d5cb37bafa54c5dfa7c3393fa69dd26e278442a4 Emotet (excessive comments method) Office dropper\r\n9caed14e7f7d3e4706db2e74dc870abff571cce715f83ef91c563627822af6ad Dridex Office dropper\r\n4f5ecf2c3073edd549e8ea2b1e65d8c478f3390567cffa3c909d328a3969ddd8 Dridex VBA code\r\ncb9a5f0ad26cbb7b9f510b80df97f0045d7232d31cfde3cbce095d1c88c90e89 Aggah VBA code\r\nSource: https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.deepinstinct.com/blog/types-of-dropper-malware-in-microsoft-office"
	],
	"report_names": [
		"types-of-dropper-malware-in-microsoft-office"
	],
	"threat_actors": [
		{
			"id": "b0d34dd6-ee90-483b-bb6c-441332274160",
			"created_at": "2022-10-25T16:07:23.296754Z",
			"updated_at": "2026-04-10T02:00:04.526403Z",
			"deleted_at": null,
			"main_name": "Aggah",
			"aliases": [
				"Operation Red Deer",
				"Operation Roma225"
			],
			"source_name": "ETDA:Aggah",
			"tools": [
				"AgenTesla",
				"Agent Tesla",
				"AgentTesla",
				"Aggah",
				"Atros2.CKPN",
				"Bladabindi",
				"Jorik",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"Negasteal",
				"Origin Logger",
				"Revenge RAT",
				"RevengeRAT",
				"Revetrat",
				"Warzone",
				"Warzone RAT",
				"ZPAQ",
				"Zurten",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "28851008-77b4-47eb-abcd-1bb5b3f19fc2",
			"created_at": "2023-06-20T02:02:10.254614Z",
			"updated_at": "2026-04-10T02:00:03.365336Z",
			"deleted_at": null,
			"main_name": "Hagga",
			"aliases": [
				"TH-157",
				"Aggah"
			],
			"source_name": "MISPGALAXY:Hagga",
			"tools": [
				"Agent Tesla"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434583,
	"ts_updated_at": 1775791992,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4b048db96ed4d3cb4f0fe703ebcc95af9889cc95.pdf",
		"text": "https://archive.orkl.eu/4b048db96ed4d3cb4f0fe703ebcc95af9889cc95.txt",
		"img": "https://archive.orkl.eu/4b048db96ed4d3cb4f0fe703ebcc95af9889cc95.jpg"
	}
}