Malware goes undetected by hiding malicious code in uncommon MS Access format

0/64 detections on VirusTotal
as of 05.08.2024

The VMRay Labs team has uncovered a malware that goes completely undetected for weeks by hiding malicious p-code in MS Access' uncommon ACCDE format.

The VMRay Labs team has uncovered a malware that goes completely undetected for weeks by hiding malicious p-code in MS Access’ uncommon ACCDE format.

Microsoft Access allows users to export their databases to a “protected” format (ACCDE), promising to keep macros hidden and unmodifiable. This sample abuses that feature to hide its malicious backdoor: a compiled VBA macro designed to drop and execute a malicious PE file stored in the database.

No detections on VirusTotal

0 of 63

In a nutshell:

 

The ACCDE format is rarely abused by attackers: not a single ACCDE file uploaded to VirusTotal in the last 90 days has a malicious verdict.

 

VBA macros were compiled to p-code and execodes, complicating static analysis, but dynamic analysis still reveals malicious behavior

 

Dropped PE file (“MW-Black-Shell”, only 5/75 on VirusTotal) connects to C2 and keeps waiting for commands to execute

 

The PE file is not stored in the macros but in a table in the database

 

Schedules itself to be executed at specific times (e.g., daily at 9:30)

 

 

Sample SHA256: 615727e8ed031ca82ae1799893d7b42831f3ed86a1dbc5b4f654d2b5646808b5

Dive deeper into the report

See why we think this is malicious in plain language.

See the whole path of the sample’s execution

Map the malicious activities on the MITRE ATT&CK Framework

Explore detailed information on the IP addresses, URLs and DNS, including function logs and PCAP Streams

Download the IOCs and artifacts to have a clear picture of the threat.

Download the files that the malware downloads, drops or modifies.

Explore how you can use these insights

Days
Hours
Minutes
Seconds

Ready to stress-test your malware sandbox? Join us for a no-fluff, all-demo webinar that shows you real techniques to evaluate and optimize your sandboxing solution!