office_macro_virus

Updated May 2016 with new screenshots and information

One of the most popular methods of spreading malware and infecting you is email carrying malformed or infected Word docs and Excel spreadsheets that contain embedded malicious macros or embedded OLE objects. Macros and OLE objects have legitimate uses and are designed to speed up common tasks in a busy office environment. You only have to look through this blog to see hundreds of examples of emails with attachments using these malicious macros.

The bad actors spreading these use emails with enticing or scary subjects that will scare or entice a user into reading the email and opening the attachment. Common subjects include court summonses, unpaid invoices, and telephone, internet, gas, water or electricity bills. Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, have macros disabled by default, UNLESS you or your company have enabled them. Opening these malicious Word documents or Excel spreadsheets will infect you if macros are enabled, and simply previewing them in Windows Explorer or your email client might well be enough to infect you.

The basic rule is NEVER open any attachment to an email unless you are expecting it. That is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family love to send us pictures of themselves doing silly things, or cute pictures of the children or pets. Many of us routinely get Word, Excel or PowerPoint attachments in the course of work or from companies that we already have a relationship with. That is why this sort of campaign has such a high probability of somebody opening the attachment and getting infected.

Almost all of these currently spread Dridex banking Trojans that will steal your money. Different versions of the Dridex malware target specific countries and banks in those countries, but with international banking becoming more common, we are seeing UK-specific versions that also include many US and European banks as well as the UK-based banks. As from mid-February 2016 this distribution method has also been delivering the very nasty Locky ransomware.

All modern versions of Microsoft Word, Excel and other Microsoft Office programs, that is 2010, 2013, 2016 and 365, should open Word docs, Excel files, PowerPoint files etc. that are downloaded from the web or received in an email automatically in “protected view”, which stops any embedded malware or macros from being displayed or run. Make sure protected view is set in all Office programs to protect you, your family and your company from these sorts of attacks.

Definitely DO NOT follow the advice the bad guys give to enable editing or macros to see the content.

When you preview or open the malicious Word document, you either get a blank page or get this or similar wording and images. Provided you are using Word 2010, 2013, 2016 or 365 AND you have “protected view” enabled and do not enable macros, then you are safe from the current attacks. However, we always see other malicious documents that use unknown exploits in Word or other Office programs, and those will be capable of infecting you when such a document is opened.

Each week we see new messages in these Word docs giving plausible reasons why you need to enable editing and macros to see the content. Do not believe any of them and do not enable macros or editing.

To check your macro security settings, click the Microsoft Office Button, click Microsoft Word Options, click Trust Center, and then click Trust Center Settings.

If macro security is set to Disable all macros without notification, all macros are automatically disabled. Use the following procedure to enable the macro.

In the Trust Center dialog box, click Macro Settings, and then click Disable all macros with notification.

Click OK in the Trust Center dialog box to apply the new setting.

Click OK to close the program options dialog box.

Close the file and Microsoft Word. Open the file again. A Security Alert appears in the Document Information Bar just below the ribbon. Click Enable Content to allow the macro to run.


Do not open Word docs received in an email without scanning them with your antivirus first, but be aware that it often takes several hours for an antivirus to be updated to detect new malware. Also watch out for dodgy Word docs containing exploits that WILL infect you with no action on your part if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office XP, 2000, 2003 and 2007. The risks of using an older version definitely outweigh the convenience, benefits and cost of keeping an old version going. I see so many people and small businesses still using Office XP, 2000 and 2003, which is a very serious risk. These are so out of date that they receive no security updates to protect you, or to protect others from you.

I have done a couple of tests with these malicious docs using Office Online. As far as I can see, using Office Online is perfectly safe with these malicious Word or Excel docs with embedded macros. As soon as you upload one of these malicious docs containing a macro, Word Online converts it to the new XML format, which does not support macros. With no macro there is no risk of the Dridex malware being downloaded and run on your computer.

How to protect yourself from these exploits in Office programs.

To ensure safety, stop any of these malicious Word or Excel documents from using their embedded malicious macros, and reduce the risk from other unknown exploits, you need to set Word, Excel and PowerPoint as described below. Once you set this in any Office program, for example Word, the settings will apply to all Office programs.

The screenshots below were taken using Office 2013, but all current versions are very similar.

Open Word. Select File, then Options, then Trust Centre. Next press Trust Centre Settings and you will see the list of settings and options shown below. All of these should be the defaults and will protect you against the currently spreading macro malware. Some users will have set Office to higher settings than these defaults, by turning off the message bar completely and blocking all macros and ActiveX with no notifications:

[Screenshots: Word ActiveX control settings; Word macro settings]
This setting, introduced in Office 2010, is probably the most important one: make sure that you have protected view enabled and all three boxes selected. That prevents any Office document that is downloaded from the internet, received by email, copied to your computer or opened from a thumb drive from running any active content without your approval. You can read the email and any attachment (Word doc or Excel spreadsheet) safely; you just cannot edit it or see or use embedded content like videos or macros. When you are 100% sure that the file is safe and you need to edit it, then you can press the edit or enable button that appears on the yellow warning bar.

[Screenshots: Word protected view settings; Word message bar settings]


There is one additional section that I strongly advise you to set as shown in this shot: disable the automatic opening of RTF files, which are currently being used in various malware campaigns through various known and unknown exploits. We also suggest blocking the exploitable content in older Word docs.

[Screenshot: Word file block settings]
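The Trust Centre settings described above (macro settings, the three Protected View boxes and File Block for RTF) are stored as per-user registry values, so they can be audited across a family's or small office's PCs without clicking through each dialog. The script below is an added example written for this post, not code from the blog or from Microsoft. It assumes Office 2013 (registry version key `15.0`; use `14.0` for Office 2010 and `16.0` for 2016/365), that the settings are not overridden by Group Policy (policy values live under `HKCU:\Software\Policies\Microsoft\Office\...` and take precedence), and the choice of `Word95Files` as the example legacy format to block is our own, since the screenshot, not the text, shows which older formats the author ticked. Run it as the user whose Office you want to check; add `-Enforce` to write the recommended values.

```powershell
# Added example (not the blog's own code): audit, and with -Enforce set, the per-user registry
# values behind the Trust Centre settings recommended in the post, for Word, Excel and PowerPoint.
# Assumptions: Office 2013 ("15.0"), no Group Policy override, Word95Files chosen by us as the
# legacy-format example to block.
param(
    [string]$OfficeVersion = '15.0',
    [string[]]$Apps = @('Word', 'Excel', 'PowerPoint'),
    [switch]$Enforce
)

# Each check: App '*' applies to every app in $Apps; Want is the DWORD the Trust Centre UI writes.
# MissingOk = $true means Office's built-in default already matches when the value is absent.
$Checks = @(
    # Macro Settings: 1 = enable all, 2 = disable with notification, 3 = signed only, 4 = disable without notification
    @{ App = '*'; Key = 'Security'; Name = 'VBAWarnings'; Want = 2; MissingOk = $true
       Note = 'Disable all macros with notification' }
    # Protected View: the three tick boxes are stored inverted (0 = box ticked, 1 = box cleared)
    @{ App = '*'; Key = 'Security\ProtectedView'; Name = 'DisableInternetFilesInPV'; Want = 0; MissingOk = $true
       Note = 'Protected View for files originating from the Internet' }
    @{ App = '*'; Key = 'Security\ProtectedView'; Name = 'DisableUnsafeLocationsInPV'; Want = 0; MissingOk = $true
       Note = 'Protected View for files in potentially unsafe locations' }
    @{ App = '*'; Key = 'Security\ProtectedView'; Name = 'DisableAttachementsInPV'; Want = 0; MissingOk = $true
       Note = 'Protected View for Outlook attachments (Office spells the value name this way)' }
    # File Block Settings (Word only): 2 = open and save blocked for that type;
    # OpenInProtectedView 0 = blocked types are not opened at all (the "do not open" radio button)
    @{ App = 'Word'; Key = 'Security\FileBlock'; Name = 'RtfFiles'; Want = 2; MissingOk = $false
       Note = 'Block RTF files' }
    @{ App = 'Word'; Key = 'Security\FileBlock'; Name = 'Word95Files'; Want = 2; MissingOk = $false
       Note = 'Block Word 95 binary files (which legacy formats to block is our assumption)' }
    @{ App = 'Word'; Key = 'Security\FileBlock'; Name = 'OpenInProtectedView'; Want = 0; MissingOk = $false
       Note = 'Do not open blocked file types' }
)

function Get-OfficeSetting([string]$KeyPath, [string]$Name) {
    # Returns $null when the key or value does not exist (Office then uses its built-in default)
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-OfficeSetting([string]$KeyPath, [string]$Name, [int]$Value) {
    # Creates the key if the user has never touched that Trust Centre page, then writes the DWORD
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$results = foreach ($c in $Checks) {
    $targets = if ($c.App -eq '*') { $Apps } else { @($c.App) }
    foreach ($app in $targets) {
        $keyPath = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$app\$($c.Key)"
        $current = Get-OfficeSetting $keyPath $c.Name
        $ok = if ($null -eq $current) { $c.MissingOk } else { $current -eq $c.Want }
        if (-not $ok -and $Enforce) {
            Set-OfficeSetting $keyPath $c.Name $c.Want
            $current = $c.Want
            $ok = $true
        }
        [pscustomobject]@{
            App = $app; Setting = $c.Name; Current = $current; Wanted = $c.Want; OK = $ok; Note = $c.Note
        }
    }
}

$results | Format-Table App, Setting, Current, Wanted, OK, Note -AutoSize
if ($results | Where-Object { -not $_.OK }) {
    Write-Warning 'Some settings differ from the recommended values; rerun with -Enforce to apply them.'
}
```

A blank `Current` column means the value is absent and Office is using its default, which is fine for the macro and Protected View rows but not for File Block, where absence means the type is not blocked. Office reads these values at start-up, so close and reopen Word after enforcing.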


Because of these vulnerabilities and the difficulty of preventing macro malware attacks in any version of Office before Office 2010, I strongly urge you to update your Office software to the latest version and stop putting yourself and others at risk by using old, out-of-date software.

This very informative post gives some excellent advice about using Group Policy in an enterprise environment to assist with this problem.

We also regularly see campaigns involving a genuine Word doc attachment which is malformed and contains an embedded OLE virus/Trojan. This uses the CVE-2012-0158 exploit, which was fixed in MS12-027, and possibly a similar exploit from 2013/14. If protected view mode is turned off and RTF is allowed, then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you. Almost all of these malicious Word documents appear to be blank when opened in protected view mode, which should be the default in Office 2010, 2013, 2016 and 365.

In February 2016 we are seeing several malspam attacks using the CVE-2014-1761 exploit against unpatched versions of Office, and it doesn’t matter whether you have macros turned off or not. If you are not patched, then you WILL be infected by this.

You need to set Word to disallow RTF files being opened or previewed in Word, and prevent the preview of RTF files in Outlook, to protect yourself from this one.

In May 2016 we are seeing a lot more embedded OLE objects rather than the more traditional macro. These invite you to double-click an image in the Word doc. Many of these images are deliberately blurred, so you see wording such as “double click this image to see full content” or “double click on the file to view properly”. Doing so automatically runs an embedded JavaScript file which connects to a remote site to download whatever malware the bad guys have decided to push; a lot of these are the Dridex banking Trojan or various ransomwares. Sometimes the embedded OLE object is the full malware itself. Any content can be embedded into Word and other Microsoft Office programs using OLE objects, including Java, Flash, PDF, JavaScript (.JS and .JSE) and .exe files, all of which can contain exploits or be malware directly. Protected mode is designed to stop the embedded objects from running without the user being warned. Do not turn off protected mode or override or ignore the warning.

You must learn, and educate others, to look at the attachment, and if the protected mode bar appears when opening or previewing the document, DO NOT enable editing mode; the document might look blank or have distorted or blurred images, but it will be safe. One way of identifying a malicious document that you have received in an email is that it will not preview in the preview pane in Outlook or when saved to your Downloads folder, and appears blank or has content similar to the images shown in the slideshow above.
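The advice above (scan an attachment before opening it, and treat a document that carries macros or embedded OLE objects as suspect) can be turned into a quick pre-open check that reports what Office would find inside a saved attachment, judged by the file's real structure rather than its extension. The script below is an added example written for this post, not code from the blog or from any antivirus product. It assumes Windows PowerShell 5.1 or later, and its detections are structural heuristics (a macro stream, an `embeddings/` entry, RTF content, an extension that does not match the content), not an antivirus verdict: a clean result is not proof of safety. The demo file at the end is constructed with placeholder bytes and is not a real malware sample.

```powershell
# Added example (not the blog's own code): triage a saved Office attachment before opening it.
# Assumptions: PowerShell 5.1+ on Windows; findings are structural heuristics, not a malware verdict.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Test-Prefix([byte[]]$Data, [byte[]]$Prefix) {
    # True when $Data starts with every byte of $Prefix
    if ($Data.Length -lt $Prefix.Length) { return $false }
    for ($i = 0; $i -lt $Prefix.Length; $i++) {
        if ($Data[$i] -ne $Prefix[$i]) { return $false }
    }
    return $true
}

function Get-OfficeAttachmentRisk {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $ext = [System.IO.Path]::GetExtension($Path).ToLowerInvariant()
    $findings = New-Object System.Collections.Generic.List[string]

    # Identify the real container by its leading bytes, not by the file extension
    $isZip = Test-Prefix $bytes ([byte[]](0x50, 0x4B, 0x03, 0x04))                         # "PK\3\4": Office Open XML
    $isOle = Test-Prefix $bytes ([byte[]](0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1))  # OLE2 compound file: .doc/.xls/.ppt
    $isRtf = Test-Prefix $bytes ([System.Text.Encoding]::ASCII.GetBytes('{\rt'))            # Word accepts this truncated RTF header
    $container = if ($isZip) { 'OOXML' } elseif ($isOle) { 'OLE2' } elseif ($isRtf) { 'RTF' } else { 'unknown' }

    # An extension that does not match the content (for example RTF named .doc) is a common lure
    $expected = switch ($ext) {
        { $_ -in '.docx', '.docm', '.xlsx', '.xlsm', '.pptx', '.pptm' } { 'OOXML' }
        { $_ -in '.doc', '.dot', '.xls', '.ppt' }                     { 'OLE2' }
        '.rtf'                                                        { 'RTF' }
        default                                                       { 'unknown' }
    }
    if ($expected -ne 'unknown' -and $container -ne $expected) {
        $findings.Add("extension '$ext' does not match content type $container")
    }
    if ($isRtf) { $findings.Add('RTF content (the post recommends blocking RTF in File Block Settings)') }

    if ($isZip) {
        # OOXML: macros, embedded objects and ActiveX controls are zip entries under well-known paths
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                $n = $entry.FullName
                if ($n -match '(^|/)vbaProject\.bin$') { $findings.Add("VBA macro project: $n") }
                if ($n -match '(^|/)embeddings/')      { $findings.Add("embedded OLE object: $n") }
                if ($n -match '(^|/)activeX/')         { $findings.Add("ActiveX control: $n") }
            }
        } finally { $zip.Dispose() }
    }
    if ($isOle) {
        # Legacy binary: directory entry names are stored as UTF-16LE inside the compound file, so
        # decoding the whole file exposes the tell-tale stream names (heuristic, not a full parser)
        $names = [System.Text.Encoding]::Unicode.GetString($bytes)
        if ($names -match '_VBA_PROJECT|\bMacros\b') { $findings.Add('VBA macro storage in legacy binary') }
        if ($names -match 'ObjectPool|Ole10Native')   { $findings.Add('embedded OLE object in legacy binary') }
    }

    [pscustomobject]@{
        File      = $Path
        Container = $container
        Findings  = $findings.ToArray()
        Risky     = ($findings.Count -gt 0)
    }
}

# Constructed demo input (not a real malware sample): a minimal OOXML zip carrying a macro
# stream and an embedded object, filled with placeholder bytes instead of real content.
$demo = Join-Path $env:TEMP 'demo_invoice.docm'
Remove-Item $demo -ErrorAction SilentlyContinue
$archive = [System.IO.Compression.ZipFile]::Open($demo, [System.IO.Compression.ZipArchiveMode]::Create)
foreach ($name in '[Content_Types].xml', 'word/document.xml', 'word/vbaProject.bin', 'word/embeddings/oleObject1.bin') {
    $stream = $archive.CreateEntry($name).Open()
    $stream.Write([byte[]](1..16), 0, 16)
    $stream.Dispose()
}
$archive.Dispose()

Get-OfficeAttachmentRisk -Path $demo | Format-List
```

To sweep everything you have saved, pipe a folder listing into the function, for example `Get-ChildItem "$env:USERPROFILE\Downloads" -File | ForEach-Object { Get-OfficeAttachmentRisk $_.FullName } | Where-Object Risky`. The function only reads bytes and zip directory entries; it never asks Word to render the file, so it does not trigger the preview-based infections the post warns about.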



3 Comments on "Malformed or infected word docs or excel spreadsheets with embedded macro viruses"

Mark (Guest), 24 December 2014 5:56 pm

Thank you dvk01 for confirming where to find the protected view facility. Found it now in Word 2013. All features enabled.
Mark C

Franco (Guest), 4 November 2015 6:20 pm

Hello, thank you for this post. I’m infected with exactly this virus. Since the infection I can’t open any newly downloaded (via Outlook or web) MS Office files. None of them open, with the message that they are defective. But they are not defective, because I can download them on other computers and open them there without any problems. It would be great if someone knows a solution to get rid of this virus. I’m close to setting up the PC completely anew, but still fear the work. Cheers, Franco
