# The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc. **[mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/)** [McAfee Labs](https://www.mcafee.com/blogs/author/mcafee-labs/) Nov 10, 2021 4 MIN READ Authored By Kiran Raj November 10, 2021 Due to their widespread use, Office Documents are commonly used by Malicious actors as a way to distribute their malware. McAfee Labs have observed a new threat “Squirrelwaffle” which is one such emerging malware that was observed using office documents in mid-September that infects systems with CobaltStrike. In this Blog, we will have a quick look at the SquirrelWaffle malicious doc and understand the Initial infection vector. Geolocation based stats of Squirrelwaffle malicious doc observed by McAfee from September 2021 ----- Figure1- Geo-based stats of SquirrelWaffle Malicious Doc ## Infection Chain 1. The initial attack vector is a phishing email with a malicious link hosting malicious docs 2. On clicking the URL, a ZIP archived malicious doc is downloaded 3. The malicious doc is weaponized with AutoOpen VBA function. Upon opening the malicious doc, it drops a VBS file containing obfuscated powershell 4. The dropped VBS script is invoked via exe to download malicious DLLs 5. Thedownloaded DLLs are executed via exe with an argument of export function “ldr” ----- Figure 2: Infection Chain ## Malicious Doc Analysis Here is how the face of the document looks when we open the document (figure 3). Normally, the macros are disabled to run by default by Microsoft Office. The malware authors are aware of this and hence present a lure image to trick the victims guiding them into enabling the macros. Figure-3: Image of Word Document Face ## UserForms and VBA The VBA Userform Label components present in the Word document (Figure-4) is used to store all the content required for the VBS file. In Figure-3, we can see the userform’s Labelbox “t2” has VBS code in its caption. Sub routine “eFile()” retrieves the LabelBox captions and writes it to a C:\Programdata\Pin.vbs and executes it using cscript.exe Cmd line: cmd /c cscript.exe C:\Programdata\Pin.vbs ----- Figure-4: Image of Userforms and VBA ## VBS Script Analysis The dropped VBS Script is obfuscated (Figure-5) and contains 5 URLs that host payloads. The script runs in a loop to download payloads using powershell and writes to C:\Programdata location in the format /www-[1-5].dll/. Once the payloads are downloaded, it is executed using rundll32.exe with export function name as parameter “ldr” Figure-5: Obfuscated VBS script **_De-obfuscated VBS script_** VBS script after de-obfuscating (Figure-6) Figure-6: De obfuscated VBS script ## MITRE ATT&CK Different techniques & tactics are used by the malware and we mapped these with the MITRE ATT&CK platform. ----- _Command and Scripting Interpreter (T 1059)_ Malicious doc VBA drops and invokes VBS script. CMD: cscript.exe C:\ProgramData\pin.vbs _Signed Binary Proxy Execution (T1218)_ Rundll32.exe is used to execute the dropped payload CMD: rundll32.exe C:\ProgramData\www1.dll,ldr ## IOC **Type** **Value** **Scanner** **Detection Name** Main Word Document Downloaded DLL URLs to download DLL 195eba46828b9dfde47ffecdf61d9672db1a8bf13cd9ff03b71074db458b6cdf ENS, WSS 85d0b72fe822fd6c22827b4da1917d2c1f2d9faa838e003e78e533384ea80939 ENS, WSS - priyacareers.com - bussiness-z.ml - cablingpoint.com - bonus.corporatebusinessmachines.co.in - perfectdemos.com W97M/Downloader.dsl RDN/Squirrelwaffle WebAdvisor Blocked [McAfee Labs Threat Research Team](https://www.mcafee.com/blogs/author/mcafee-labs/) McAfee Labs is one of the leading sources for threat research, threat intelligence, and cybersecurity thought leadership. See our blog posts below for more information. ### More from McAfee Labs [Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-scammers-exploit-talk-on-cryptocurrency/%20) By Oliver Devane Update: In the past 24 hours (from time of publication) McAfee has identified 15... May 05, 2022 | 4 MIN READ [Instagram Credentials Stealer: Disguised as Mod App](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealer-disguised-as-mod-app/%20) Authored by Dexter Shin McAfee’s Mobile Research Team introduced a new Android malware targeting Instagram users who... May 03, 2022 | 4 MIN READ [Instagram Credentials Stealers: Free Followers or Free Likes](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealers-free-followers-or-free-likes/%20) Authored by Dexter Shin Instagram has become a platform with over a billion monthly active users. Many... May 03, 2022 | 6 MIN READ [Scammers are Exploiting Ukraine Donations](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/%20) Authored by Vallabh Chole and Oliver Devane Scammers are very quick at reacting to current events so ----- Apr 01, 2022 | 7 MIN READ [Imposter Netflix Chrome Extension Dupes 100k Users](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/imposter-netflix-chrome-extension-dupes-100k-users/%20) Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi McAfee has recently observed several malicious Chrome Extensions... Mar 10, 2022 | 8 MIN READ [Why Am I Getting All These Notifications on my Phone?](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/why-am-i-getting-all-these-notifications-on-my-phone/%20) Authored by Oliver Devane and Vallabh Chole Notifications on Chrome and Edge, both desktop browsers, are commonplace,... Feb 25, 2022 | 5 MIN READ [Emotet’s Uncommon Approach of Masking IP Addresses](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/emotets-uncommon-approach-of-masking-ip-addresses/%20) In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The Emotet maldoc was... Feb 04, 2022 | 4 MIN READ [HANCITOR DOC drops via CLIPBOARD](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via-clipboard/%20) Hancitor, a loader that provides Malware as a Service, has been observed distributing malware such as FickerStealer,... Dec 13, 2021 | 6 MIN READ ----- [‘Tis the Season for Scams](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tis-the-season-for-scams/%20) ‘Tis the Season for Scams Nov 29, 2021 | 18 MIN READ [Social Network Account Stealers Hidden in Android Gaming Hacking Tool](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/social-networks-account-stealer-hidden-in-android-gaming-hacking-tool/%20) Authored by: Wenfeng Yu McAfee Mobile Research team recently discovered a new piece of malware that specifically... Oct 19, 2021 | 6 MIN READ [Malicious PowerPoint Documents on the Rise](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-powerpoint-documents-on-the-rise/%20) Authored by Anuradha M McAfee Labs have observed a new phishing campaign that utilizes macro capabilities available... Sep 21, 2021 | 6 MIN READ [Android malware distributed in Mexico uses Covid-19 to steal financial credentials](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/android-malware-distributed-in-mexico-uses-covid-19-to-steal-financial-credentials/%20) Authored by Fernando Ruiz McAfee Mobile Malware Research Team has identified malware targeting Mexico. It poses as a security banking tool or... Sep 13, 2021 | 7 MIN READ -----