“New Secure Document” Macro Malware Email

Outline:
“Confidential” email claims that you have received a new secure document and should open a Microsoft Word attachment to read it. The message notes that, because the document is encrypted, you will need to use the “enable editing” option to decode it.

Brief Analysis:
The Microsoft Word attachment does not contain any sort of confidential document and the email is fraudulent. When you attempt to open the attachment, you will be prompted to enable macros, ostensibly so that the document’s contents can be decrypted. If you do enable macros, a malicious macro can then install malware on your computer.

Example:
Subject: You have received a new secure document

You have received a new secure document. Please check attached document (Microsoft Word Document) for more information. The document has been encrypted and is currently protected. In order to unlock the document content please decode the document using “Enable Editing”.

Detailed Analysis:
According to this email, which is labelled “confidential”, you have received a new secure document. The email urges you to open a Microsoft Word attachment to read the document, which is named “confidential.doc”. The message claims that, since the document has been encrypted, you will need to decode it using the “enable editing” option.  The email is professionally presented, and at least at first glance, may appear to be a legitimate document notification.

However, the email is not a legitimate notification and the attachment does not contain any sort of confidential document. When you attempt to open the attachment, you will be prompted to click an “enable macros” button, ostensibly so that the document’s contents can be decrypted.

But, instead of decoding a document as claimed, the macro will connect to a remote server and download and install malware. The exact nature of this malware may vary. The malicious macro tactic is often used to infect computers with ransomware. Once installed, ransomware can lock the files on your computer and then demand that you pay a fee to online criminals to obtain a decryption key. In other cases, the malware that the macro installs may be designed to steal sensitive information such as banking login credentials from the infected computer.
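The lure only works because the attachment carries a VBA project that Word will not run until the recipient clicks the button the email asks for. A mail gateway or an incident responder can check for that project before anyone opens the file: a legacy .doc is an OLE compound file, and a VBA project appears in it as a “Macros” storage containing a “VBA” storage. The Python below is an added example written for this article, not code from Hoax-Slayer or from the campaign it describes. It parses the OLE directory with the standard library only, flags the marker names a VBA project leaves behind, and builds its own constructed sample containers so it runs offline; the function names and the sample layout are assumptions, not taken from the real attachment. It handles .doc-style containers with at most 109 FAT sectors (the DIFAT entries stored in the header); a .docm is a ZIP package whose vbaProject.bin would have to be extracted first.

```python
import struct
from typing import List

# Sentinel sector numbers from the MS-CFB compound file format.
MAXREGSECT = 0xFFFFFFFA
FATSECT = 0xFFFFFFFD
ENDOFCHAIN = 0xFFFFFFFE
FREESECT = 0xFFFFFFFF
MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
# Storage/stream names that exist only when a VBA project is embedded.
VBA_MARKERS = {"macros", "vba", "_vba_project", "_vba_project_cur"}


def list_ole_entries(data: bytes) -> List[str]:
    """Return the names of every used directory entry in an OLE compound file."""
    if len(data) < 512 or data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    sector_size = 1 << struct.unpack_from("<H", data, 30)[0]
    num_fat_sectors, first_dir_sector = struct.unpack_from("<II", data, 44)
    if num_fat_sectors > 109:
        raise ValueError("files needing DIFAT sectors are not handled here")

    def sector(n: int) -> bytes:
        start = (n + 1) * sector_size  # sector 0 starts right after the header
        return data[start:start + sector_size]

    # The header's DIFAT array lists the FAT sectors; concatenated, they form
    # the FAT, which maps each sector number to the next sector in its chain.
    fat: List[int] = []
    for i in range(num_fat_sectors):
        fat_sector = struct.unpack_from("<I", data, 76 + 4 * i)[0]
        fat.extend(struct.unpack(f"<{sector_size // 4}I", sector(fat_sector)))

    names, seen, sector_id = [], set(), first_dir_sector
    while sector_id < MAXREGSECT and sector_id not in seen:  # walk the directory chain
        seen.add(sector_id)
        chunk = sector(sector_id)
        for off in range(0, len(chunk) - 127, 128):  # one 128-byte entry at a time
            entry = chunk[off:off + 128]
            name_len = struct.unpack_from("<H", entry, 64)[0]  # bytes, incl. terminator
            obj_type = entry[66]  # 0 = unused, 1 = storage, 2 = stream, 5 = root
            if obj_type == 0 or name_len < 2:
                continue
            names.append(entry[:name_len - 2].decode("utf-16-le", errors="replace"))
        if sector_id >= len(fat):
            break
        sector_id = fat[sector_id]
    return names


def has_vba_project(data: bytes) -> bool:
    """True when the container holds a VBA project (the macro the lure asks you to enable)."""
    return any(name.lower() in VBA_MARKERS for name in list_ole_entries(data))


def build_sample_doc(with_macros: bool) -> bytes:
    """Constructed sample, not a real attachment: a header, one FAT sector and one
    directory sector, with or without the Macros/VBA storages Word adds for a project."""
    nostream = 0xFFFFFFFF
    header = bytearray(512)
    header[:8] = MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3, 512-byte sectors
    struct.pack_into("<IIII", header, 44, 1, 1, 0, 0x1000)  # 1 FAT sector, directory at sector 1
    struct.pack_into("<IIII", header, 60, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # no mini FAT, no DIFAT
    struct.pack_into("<109I", header, 76, 0, *([FREESECT] * 108))  # DIFAT: the FAT is sector 0
    fat_sector = struct.pack("<128I", FATSECT, ENDOFCHAIN, *([FREESECT] * 126))

    def entry(name: str, obj_type: int, child: int) -> bytes:
        e = bytearray(128)
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e[:len(raw)] = raw
        struct.pack_into("<HBBIII", e, 64, len(raw), obj_type, 1, nostream, nostream, child)
        struct.pack_into("<I", e, 116, ENDOFCHAIN)  # the sample carries no stream data
        return bytes(e)

    entries = [entry("Root Entry", 5, 1), entry("WordDocument", 2, nostream)]
    if with_macros:
        entries += [entry("Macros", 1, 3), entry("VBA", 1, nostream)]
    entries += [bytes(128)] * (4 - len(entries))  # unused directory slots
    return bytes(header) + fat_sector + b"".join(entries)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            verdict = "VBA project present" if has_vba_project(fh.read()) else "no VBA project"
        print(path, verdict)
    for flag in (True, False):
        print("constructed sample with_macros=%s -> %s" % (flag, has_vba_project(build_sample_doc(flag))))
```

This is a presence check, not an analysis of what the macro does: a document that merely contains a VBA project is not proof of malice, and a document with no project cannot be the one this lure describes. For quarantine decisions on real mail flow, a maintained parser such as the olevba tool from oletools, which also extracts and de-obfuscates the macro source, is the practical choice; the value of the small parser above is that it shows where the indicator lives inside the file.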

Unless you have had a need to use them, you may not be familiar with macros and what they can do. So, here’s a quick breakdown. A macro is a set of commands and instructions that can be collected as a single command in order to quickly and automatically accomplish a task. For example, you might record a macro that is designed to add pre-formatted text, tables, data, and other elements to your documents at just the click of a button.

Quite complex macros can be created and such macros can be very helpful in some workflows.

But malicious macros can also be created and distributed. In the past, macro viruses were common computer security threats. In later years, they became a less significant threat because later versions of Microsoft Office disabled macros by default and implemented other security measures.

However, criminals have apparently realised that many computer users will have forgotten about or have no knowledge of macro threats. Thus, malicious macros are again being used to spread malware.  An article about the resurgence on Virus Bulletin notes:

In the past five years, macro malware could be considered practically extinct – thanks mostly to the security improvements introduced into Microsoft Office products. However, in recent months, a resurgence of malicious VBA macros has been observed – this time, not self-replicating viruses, but simple downloader trojan codes.

In modern incarnations of the threat, criminals do not try to subvert inbuilt security systems but use simple social engineering techniques to get users to allow the macros to run. The criminals know that at least some recipients may proceed without due caution in the hope of finally viewing the promised document content.

Unless you have a good working knowledge of macros and the security risks that they pose, you are best advised to leave macros disabled, which is the default setting. And do not believe any message that claims that you must enable macros to view or interact with ordinary Microsoft Office documents.

Last updated: November 19, 2016
First published: November 19, 2016
By Brett M. Christensen

References
Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
Loads Of Macro Malware ‘Invoice’ Emails Hitting Inboxes
Remember macro viruses? Infected Word and Excel files? They’re back…
VBA is not dead!