
Trojan Dropper: O97M/Vawtrak (Stage 1)

McAfee Labs recently found a malicious Office 97 document with VBA macros that contains an executable (Fareit aka Pony) stored in the properties of a UserForm. The criminals use UserForms to keep the main macro clean: the key ingredients (malicious URLs, scripts, keywords, etc.) are stored in UserForm properties to evade detection, so it is not enough to analyze only the streams that contain VBA macro code.

Fareit aka Pony is dropped into the %temp% directory. This second-stage executable downloads the third-stage malware, Vawtrak, after it has stolen all the credentials it can find. The embedded executable was not detected by my set of YARA rules, so I took a closer look at this variant.

Fig. 1: Contents of malicious W97M document

The Word document appears to have an RSA-encrypted message embedded in its contents. The criminals want you to click “Enable Content” to view the decrypted contents of the document. This is a standard social engineering trick to get the victim to enable the malicious macro, which drops the embedded executable and executes it.

File size: 504K (513536 bytes)
File name:
File Type: The file being studied follows the Compound Document File format! More specifically, it is a MS Word Document file.
    80.0% (.DOC) Microsoft Word document (32000/1/3)
    20.0% (.) Generic OLE2 / Multistream Compound File (8000/1)
MIME Type:

VirusTotal: 38/57 Report

Metadefender: 3/43 Report

Download: (password is infected)

Fig. 2: The name of stream 8 ends with /o, which indicates that the stream contains a UserForm

Fig. 3: Stream 8 contains an embedded ASCII Hex encoded executable

Fig. 4: ASCII Hex encoded PE file inside VBA Form

Fig. 5: YARA rule to detect an ASCII Hex encoded PE file inside a VBA Form

Fig. 6: Extract the ASCII Hex encoded PE file w/ pe-car.py
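The detect-and-carve step of Figs. 5 and 6 can be scripted. The following is an added example, not the page's YARA rule and not pe-car.py: it scans the raw bytes of a dumped stream for an ASCII hex run that starts with the MZ signature, decodes it and keeps only candidates whose e_lfanew field points at a PE signature. The UserForm-like stream it scans is constructed inline around a fake, non-runnable PE header.

```python
import re
import struct

# A run of ASCII hex that begins with the DOS "MZ" signature (4D 5A), either case,
# and is at least as long as the 64-byte DOS header. Greedy: it takes the whole run.
HEX_PE_RE = re.compile(rb"4[dD]5[aA](?:[0-9A-Fa-f]{2}){63,}")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def carve_hex_pe(stream: bytes):
    """Return (offset, decoded_bytes) for every ASCII-hex encoded PE found in a raw stream.

    Meant for the bytes of one dumped OLE stream (e.g. the UserForm '/o' stream): a stream
    read straight out of the whole .doc may be fragmented across sectors, breaking the hex run.
    """
    found = []
    for m in HEX_PE_RE.finditer(stream):
        blob = bytes.fromhex(m.group().decode("ascii"))
        if looks_like_pe(blob):  # drop hex runs that merely happen to start with 4D5A
            found.append((m.start(), blob))
    return found


def build_sample_stream() -> bytes:
    """Constructed input (not a real sample): a fake PE header, hex-encoded and wrapped
    in UserForm-property-like noise, mimicking the layout in Fig. 4."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: NT headers follow the DOS header
    nt = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18    # signature, Machine=i386, padding
    hexed = (bytes(dos) + nt).hex().upper().encode("ascii")
    return b"\x00\x10UserForm1\x00Caption=" + hexed + b"\x00\x00Tag\x00"


if __name__ == "__main__":
    for offset, pe in carve_hex_pe(build_sample_stream()):
        print(f"hex-encoded PE at stream offset {offset}, {len(pe)} bytes decoded")
```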

Fig. 7: Carved Executable (opened w/ 010 Editor v7)

Fig. 8: Fingerprinting (Document-Inspector)

Fig. 9: Analyzing w/ Document-Inspector

Fig. 10: Detecting, extracting and analyzing the embedded ASCII Hex encoded PE file (Document-Inspector)

Fig. 11: Checking public sandboxes & Network Analysis (Document-Inspector)

McAfee Labs – W97M Downloader Serves Vawtrak Malware
contains_ascii_hex_encoded_pe_file.yara – ASCII Hex and Overlays
VirusTotal – Carved Executable (Fareit aka Pony)
