
“New Secure Document” Macro Malware Email

by Brett M. Christensen

“Confidential” email claims that you have received a new secure document and should open a Microsoft Word attachment to read it. The message notes that, because the document is encrypted, you will need to use the “enable editing” option to decode it.

Brief Analysis:
The Microsoft Word attachment does not contain any sort of confidential document and the email is fraudulent. When you attempt to open the attachment, you will be prompted to enable macros, ostensibly so that the document’s contents can be decrypted. If you do enable macros, a malicious macro can then install malware on your computer.

Subject: You have received a new secure document

You have received a new secure document. Please check attached document ( Microsoft Word Document ) for more information. The document has been encrypted and is currently protected. In order to unlock the document content please decode the document using “Enable Editing”.

Detailed Analysis:
According to this email, which is labelled “confidential”, you have received a new secure document. The email urges you to open a Microsoft Word attachment to read the document, which is named “confidential.doc”. The message claims that, since the document has been encrypted, you will need to decode it using the “enable editing” option. The email is professionally presented and, at least at first glance, may appear to be a legitimate document notification.

However, the email is not a legitimate notification and the attachment does not contain any sort of confidential document. When you attempt to open the attachment, you will be prompted to click an “enable macros” button, ostensibly so that the document’s contents can be decrypted.

But, instead of decoding a document as claimed, the macro will connect to a remote server and download and install malware. The exact nature of this malware may vary. The malicious macro tactic is often used to infect computers with ransomware. Once installed, ransomware can lock the files on your computer and then demand that you pay a fee to online criminals to obtain a decryption key. In other cases, the malware that the macro installs may be designed to steal sensitive information such as banking login credentials from the infected computer.

Unless you have had a need to use them, you may not be familiar with macros and what they can do. So, here’s a quick breakdown. A macro is a set of commands and instructions that can be collected as a single command in order to quickly and automatically accomplish a task. For example, you might record a macro that is designed to add pre-formatted text, tables, data, and other elements to your documents at just the click of a button.

Quite complex macros can be created and such macros can be very helpful in some workflows.

But malicious macros can also be created and distributed. In the past, macro viruses were common computer security threats. In later years, they became a less significant threat because later versions of Microsoft Office disabled macros by default and implemented other security measures.

However, criminals have apparently realised that many computer users will have forgotten about or have no knowledge of macro threats. Thus, malicious macros are again being used to spread malware.  An article about the resurgence on Virus Bulletin notes:

In the past five years, macro malware could be considered practically extinct – thanks mostly to the security improvements introduced into Microsoft Office products. However, in recent months, a resurgence of malicious VBA macros has been observed – this time, not self-replicating viruses, but simple downloader trojan codes.

In modern incarnations of the threat, criminals do not try to subvert inbuilt security systems but use simple social engineering techniques to get users to allow the macros to run. The criminals know that at least some recipients may proceed without due caution in the hope of finally viewing the promised document content.

Unless you have a good working knowledge of macros and the possible security risks that they pose, you are best to leave macros disabled by default. And do not believe any message that claims that you must enable macros to view or interact with ordinary Microsoft Office documents.
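For readers who administer mail systems, the following Python example (added here for illustration; it is not part of the original article or any Hoax-Slayer tool) shows how a filter could flag messages of the kind described above: an Office attachment combined with body text asking the reader to “enable editing” or enable macros. The function names, the phrase list, and the sample attachment bytes are assumptions constructed for the example, and the macro check is a simple heuristic rather than a full document parser.

```python
import io
import re
import zipfile
from email.message import EmailMessage

OFFICE_EXT = (".doc", ".docm", ".docx", ".dot", ".xls", ".xlsm", ".ppt", ".pptm")
# Wording that asks the reader to switch off Office's protections (assumed list).
LURE = re.compile(r"enable\s+(editing|content|macros?)", re.I)
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")      # header of legacy .doc/.xls files
VBA_MARK = "_VBA_PROJECT".encode("utf-16-le")      # stream name inside a VBA project

def has_macros(data: bytes) -> bool:
    """Heuristic: does this Office file appear to carry a VBA macro project?"""
    if data.startswith(OLE_MAGIC):                 # legacy binary format
        return VBA_MARK in data
    if data.startswith(b"PK"):                     # newer zip-based format
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
        except zipfile.BadZipFile:
            return False
    return False

def triage(msg: EmailMessage) -> list:
    """Return the reasons to quarantine a message (empty list means none found)."""
    reasons = []
    body = msg.get_body(preferencelist=("plain", "html"))
    lure = LURE.search(body.get_content() if body else "")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(OFFICE_EXT):
            continue
        data = part.get_payload(decode=True) or b""
        if lure:
            reasons.append(f"{name}: body asks reader to '{lure.group(0)}'")
        if has_macros(data):
            reasons.append(f"{name}: contains a VBA macro project")
    return reasons

def sample_message() -> EmailMessage:
    """Constructed sample modelled on the email quoted above; not a real capture."""
    msg = EmailMessage()
    msg["Subject"] = "You have received a new secure document"
    msg.set_content('Please decode the document using "Enable Editing".')
    fake_doc = OLE_MAGIC + b"\x00" * 64 + VBA_MARK  # stand-in bytes, not a Word file
    msg.add_attachment(fake_doc, maintype="application", subtype="msword",
                       filename="confidential.doc")
    return msg
```

Calling `triage(sample_message())` returns two reasons, one for the lure wording and one for the macro marker; a message with no Office attachment returns an empty list.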

Last updated: November 19, 2016
First published: November 19, 2016

Macro Virus Threat Returns – Beware Emails With Malicious Word Attachments
Loads Of Macro Malware ‘Invoice’ Emails Hitting Inboxes
Remember macro viruses? Infected Word and Excel files? They’re back…
VBA is not dead!
