Computer with Malware
Home Malware ‘Review my CV’ Macro Malware Email

‘Review my CV’ Macro Malware Email

by Brett M. Christensen

In recent years, criminals have repeatedly used fake resume or CV emails as a means of distributing malware. Some earlier versions included the malware in attached .zip files that harboured malicious executable files. 

This version takes a different approach. The email asks you to review the sender’s CV, which is supposedly contained in an attached Microsoft Word document simply titled ‘Resume.doc’. Given that employers may regularly receive CVs and resumes in Word format, at least a few recipients may go ahead and open the attachment. After all, they may create, open, save, and send ‘.doc’ files every day and may, therefore, consider them safe.

But, this Word document includes a malicious macro. When you attempt to open the seemingly innocuous Word document, you will receive a message claiming that the document is ‘protected’ and you must, therefore, enable macros before the content can be correctly displayed. If you enable macros as instructed,  the malicious macro can then run and proceed to download and install other types of malware.

A macro is a group of commands and instructions that can be collected as a single command in order to quickly and automatically accomplish a task. Microsoft Office programs and other types of software allow you to build your own macros to create more efficient workflows.

However, macros can also be used maliciously. In the past, macro virus threats were common. Thankfully, later versions of Microsoft Office disabled macros by default thereby lessening the threat posed by macro viruses. But, online criminals are again using macros to trick people into installing malware. Unless you have a specific need to use macros and are aware of the potential risks, you would be wise to leave macros disabled. 
However, malicious macros are again being used to spread malware.

In modern incarnations of the threat, criminals do not try to subvert in-built security systems but use simple social engineering techniques to get users to allow the macros to run. The criminals rely on the curiosity of recipients who may proceed without due caution in the hope of finally viewing the promised document content.

Therefore, unless you have a good reason to use them and have a sound knowledge of the potential risks they pose, it is safest to leave them disabled by default. Be wary of any message that claims that you must enable macros to view or interact with Microsoft Office documents. It should never be necessary to enable macros in order to view a simple document such as a CV.


Subject: Quick Question


I was visting your website on 1/28/2016 and I’m very interested.
I’m currently looking for work either full time or as a intern to get experience in the field.
Please review my CV and let me know what you think.

Thank you for your recommendation,

[Name removed]

Attached file: ‘Resume.doc

Importance Notice

After considerable thought and with an ache in my heart, I have decided that the time has come to close down the Hoax-Slayer website.

These days, the site does not generate enough revenue to cover expenses, and I do not have the financial resources to sustain it going forward.

Moreover, I now work long hours in a full-time and physically taxing job, so maintaining and managing the website and publishing new material has become difficult for me.

And finally, after 18 years of writing about scams and hoaxes, I feel that it is time for me to take my fingers off the keyboard and focus on other projects and pastimes.

When I first started Hoax-Slayer, I never dreamed that I would still be working on the project all these years later or that it would become such an important part of my life. It's been a fantastic and engaging experience and one that I will always treasure.

I hope that my work over the years has helped to make the Internet a little safer and thwarted the activities of at least a few scammers and malicious pranksters.

A Big Thank You

I would also like to thank all of those wonderful people who have supported the project by sharing information from the site, contributing examples of scams and hoaxes, offering suggestions, donating funds, or helping behind the scenes.

I would especially like to thank David White for his tireless contribution to the Hoax-Slayer Facebook Page over many years. David's support has been invaluable, and I can not thank him enough.

Closing Date

Hoax-Slayer will still be around for a few weeks while I wind things down. The site will go offline on May 31, 2021. While I will not be publishing any new posts, you can still access existing material on the site until the date of closure.

Thank you, one and all!

Brett Christensen,