{
	"id": "4edd14c9-fc89-42d5-9b25-598a47fa2276",
	"created_at": "2026-04-06T00:07:37.372262Z",
	"updated_at": "2026-04-10T03:21:11.211471Z",
	"deleted_at": null,
	"sha1_hash": "96f5e035f42a35f79e18ff5c0a818ba600a13a7b",
	"title": "Malicious Office files using fileless UAC bypass to drop KEYBASE malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 497571,
	"plain_text": "Malicious Office files using fileless UAC bypass to drop KEYBASE malware\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 18:36:09 UTC\r\nThis is a \"Guest Diary\" submitted by Ismael Valenzuela and Marc Rivero. Interested in writing a guest diary? Let us know via our contact page.\r\nMacro-based malware that hides in Microsoft Word or Excel documents is nothing new to Incident Responders and Malware Analysts.\r\nHowever, something that caught our attention in the last few days was the use of a 'fileless' method to bypass UAC implemented in a malicious Excel file. This method leverages eventvwr.exe and was described in detail by the Enigma0x3 team in this post: https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/\r\nBypassing UAC is nothing new either (see the UACME project created by hfiref0x). In fact, a few days ago we learned of a new Dridex sample that attempts to bypass UAC by using application compatibility databases (http://blog.jpcert.or.jp/2015/02/a-new-uac-bypass-method-that-dridex-uses.html). What is most interesting about the method described by the Enigma0x3 team, however, is that it doesn't require any kind of privileged file copy, code injection, or placing a DLL anywhere on the disk.\r\nThis particular Excel file employs this UAC bypass method to download and execute a malicious binary that is part of a well-known data-stealing family called KEYBASE.\r\nSHA256 HASH: e431bc1bacde51fd39a10f418c26487561fe7c3abee15395314d9d4e621cc38e\r\nhttps://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/\r\nPage 1 of 5\r\nImage 1: This Excel document implements a fileless UAC bypass using eventvwr.exe\r\nKEYBASE is primarily a keylogger with some additional capabilities that are commonly found in other non-sophisticated Trojans, such as password stealing, clipboard copying, etc.\r\nTo understand how this sample behaves and have a look at its capabilities, we can use a popular free online resource like \"Hybrid Analysis\" (https://www.hybrid-analysis.com/) from Payload Security.\r\nLooking at the process list details, we can observe which specific processes were spawned when opening the Excel file, along with their command line arguments:\r\nImage 2: Dynamic analysis shows the execution of eventvwr.exe and pu457.exe\r\nWhile the output is pretty self-explanatory, let's dive a bit deeper and explain what's going on there:\r\nThe embedded macro starts a hidden instance of PowerShell.exe (via cmd.exe) which downloads a file (mi.exe) from a remote server (ridart.ru), storing it in the %TEMP% folder as pu457.exe.\r\nA registry key is added under HKCU\\Software\\Classes\\mscfile\\shell\\open\\command pointing to the downloaded binary (more on this in Enigma0x3's post).\r\nFinally, the PowerShell command invokes eventvwr.exe, which will successfully query/open HKCU\\Software\\Classes\\mscfile\\shell\\open\\command and execute the malicious file that the registry key points to.\r\nIn case you are wondering, PING -n 15 127.0.0.1, as expected, does nothing but send 15 ICMP echo request packets to the IPv4 localhost address, which is just an alternative way to implement a \"sleep\" command, in an attempt to evade sandbox detection.\r\nThe sequence of events described above will ultimately result in code execution in a high integrity process, effectively bypassing UAC!\r\nAs expected, there is an HTTP connection to ridart.ru to download an additional binary (mi.exe):\r\nImage 3: PowerShell initiates an HTTP GET request to ridart.ru to download mi.exe\r\nThe static analysis performed on pu457.exe helps us confirm the capabilities of this Portable Executable:\r\nAbility to retrieve keyboard strokes\r\nContains ability to query volume size\r\nContains ability to open the clipboard\r\nFinally, using these IOCs found during our investigation, we can leverage VirusTotal (https://www.virustotal.com) to check the reputation of this site and pivot to associated URLs, domains, and other related samples. If you check the IPs in the network traffic on Hybrid Analysis, you can extract more related malicious information:\r\nImage 4: Associated artifacts for 144.76.106.114 (ridart.ru)\r\nAs the Enigma0x3 team reminds us in their post, this method to bypass UAC is expected to work on all versions of Windows that implement UAC, including Windows 10, but can be prevented by removing the current user from the Local Administrators group, which is something that you should do anyway!\r\nFrom a monitoring perspective, it's recommended to monitor and alert on any new registry entries in HKCU\\Software\\Classes, something that can be easily implemented with the latest version of Microsoft's Sysmon, v5 (https://technet.microsoft.com/en-us/sysinternals/sysmon).\r\nFurther references:\r\nFull report in Hybrid Analysis:\r\nhttps://www.hybrid-analysis.com/sample/e431bc1bacde51fd39a10f418c26487561fe7c3abee15395314d9d4e621cc38e?environmentId=100\r\npu457.exe on VirusTotal:\r\nhttps://www.virustotal.com/es/file/a3a8959b5505029b773fb2ad1c2dc7adf657b17199d5e77b6cc796327d4a1561/analysis/\r\nInformation on Keybase:\r\nhttps://securingtomorrow.mcafee.com/mcafee-labs/malicious-forums-turn-amateur-hackers-into-cybercriminals/\r\nIsmael Valenzuela, GSE #132 (@aboutsecurity)\r\nSANS Instructor \u0026 Global Director, Foundstone Services at Intel Security\r\nMarc Rivero @seifreed\r\nHead of Research, Payload Security\r\nSource: https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/"
	],
	"report_names": [
		"22011"
	],
	"threat_actors": [],
	"ts_created_at": 1775434057,
	"ts_updated_at": 1775791271,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/96f5e035f42a35f79e18ff5c0a818ba600a13a7b.pdf",
		"text": "https://archive.orkl.eu/96f5e035f42a35f79e18ff5c0a818ba600a13a7b.txt",
		"img": "https://archive.orkl.eu/96f5e035f42a35f79e18ff5c0a818ba600a13a7b.jpg"
	}
}