
Updated October 2017 with new information

Update 19 October 2017: we are now seeing malware using a DDE "exploit" (Microsoft calls it a feature) in Microsoft Office files. This attack method is explained here. It is trivially simple to protect yourself from these "exploits" by turning off the automatic updating of linked files in the Word settings (see the DDE section below).

Update 27 September 2016: today we started to see a "new" technique with malicious Office files. The files still contain macros, but the Dridex gang have started to send password-protected Office files by email. The email body contains the password for the attached document, and the password is different in every example. The document is password-protected so that it cannot be opened or read without the password, which gives the bad guys a two-fold advantage:

1. It bypasses most company filters, which routinely scan for macros in documents but would not normally block a password-protected file, because many companies routinely password-protect Word docs or Excel spreadsheets sent by email or inter-office communication to stop private information falling into the wrong hands.

2. It stops online analysers and antivirus from looking at the content and analysing it. A password-protected Office file is encrypted, so a scanner sees only an opaque encrypted wrapper and cannot tell whether there is a macro inside.

Update 6 September 2016: we started to see Microsoft Publisher files with macros used to spread malware today. See HERE and Here for details and my thoughts. Unfortunately it appears that Microsoft took their eye off the ball with Publisher (at least in the 2007 / 2010 / 2013 versions; I don't have access to 2016 or 365 to check) and has not given it the same protections against macros or embedded OLE objects, described below, that the other commonly used Office programs have. Publisher has no Protected View at all, so a .pub attachment should be treated as hostile unless you are expecting it.

One of the very popular methods of spreading malware and infecting you is email with malformed or infected Word docs and Excel spreadsheets containing embedded malicious macros or embedded OLE objects. Macros and OLE objects have legitimate uses and are designed to speed up common tasks in a busy office environment, which is exactly why Office supports them and why the bad guys abuse them. You only have to look through this blog to see hundreds of examples of emails with attachments using these malicious macros.

The bad actors spreading these use emails with enticing or scary subjects that will scare or entice a user to read the email and open the attachment. Common subjects include court summonses, unpaid invoices, and telephone, internet, gas, water or electricity bills. Modern versions of Microsoft Office, that is Office 2010, 2013, 2016 and Office 365, ship with macros set to "Disable all macros with notification", so a macro will not run unless you or your company have changed that setting, or you click "Enable Content" when prompted. Opening these malicious Word documents or Excel spreadsheets will infect you if macros are allowed to run. Macros do not run from a preview pane, but a document that carries an exploit for an unpatched Office bug (see below) may well be enough to infect you simply by being previewed in Windows Explorer or your email client.

The basic rule is NEVER open any attachment to an email, unless you are expecting it. Now that is very easy to say but quite hard to put into practice, because we all get emails with files attached to them. Our friends and family  love to send us pictures of them doing silly things, or even cute pictures of the children or pets. Many of us routinely get Word, Excel or PowerPoint attachments in the course of work or from companies that we already have a relationship with. That is why this sort of campaign has such a high probability of somebody opening the attachment and getting infected.

Almost all of these currently spread Dridex banking Trojans that will steal your money. Different versions of the Dridex malware target specific countries and the banks in those countries, but with international banking becoming more common we are seeing UK-specific versions that also include many US and European banks as well as the UK-based banks. Since mid-February 2016 this distribution method has also been delivering the very nasty Locky ransomware.

All modern versions of Microsoft Word, Excel and the other Microsoft Office programs, that is 2010, 2013, 2016 and 365, should open Word docs, Excel files, PowerPoint files etc. that are downloaded from the web or received by email automatically in "Protected View", a read-only sandboxed mode that stops embedded macros and other active content from running. Protected View is triggered by the "mark of the web" that Windows attaches to files from the internet and by Outlook attachments. Make sure Protected View is enabled in all Office programs to protect you, your family and your company from these sorts of attacks.

Definitely DO NOT follow the advice the bad guys give to enable editing or macros to see the content.

When you preview or open the malicious Word document you either get a blank page or wording and images like those shown here. Provided you are using Word 2010, 2013, 2016 or 365 AND you have Protected View enabled and do not enable editing or macros, you are safe from the current attacks. However, we also regularly see malicious documents that use exploits for unpatched (sometimes previously unknown) bugs in Word or other Office programs; those are capable of infecting you as soon as the document is opened outside Protected View, which is why keeping Office patched matters as much as the settings.

Each week we see new messages in these Word docs giving plausible reasons why you need to enable editing and macros to see the content. Do not believe any of them, and do not enable macros or editing.

To check your macro security settings in Word 2010 or later, click File, then Options, then Trust Center, and then Trust Center Settings. (In Word 2007 the route is the Microsoft Office Button, then Word Options.) In the Trust Center dialog box click Macro Settings. One of the following should be selected:

Disable all macros without notification: all macros are silently blocked. This is the safest setting if you never need macros.

Disable all macros with notification: the Office default. Macros are blocked, and a Security Alert appears in the message bar just below the ribbon with an "Enable Content" button.

Disable all macros except digitally signed macros: only macros signed by a publisher you have explicitly trusted can run. Reasonable in a company that signs its own macros.

If the setting is "Enable all macros", change it to one of the above, click OK in the Trust Center dialog box, click OK to close the Options dialog box, then close and reopen any open document for the new setting to take effect.

The "Enable Content" button on the yellow bar is exactly what these malicious documents ask you to press. For a document that arrived by email, never press it.



Do not open Word docs received in an email without scanning them with your antivirus first, but be aware that it often takes several hours (sometimes days) for antivirus to be updated to detect new malware, so a clean scan is not proof of safety. Also watch out for dodgy Word docs containing exploits that WILL infect you with no action on your part if you are still using an outdated or vulnerable version of Word. This is a good reason to update your Office programs to a recent version and stop using Office XP, 2000, 2003 and 2007. The risks of using an older version definitely outweigh the convenience, benefits and cost of keeping it going. I see so many people and small businesses still using Office XP, 2000 and 2003, which is a very serious risk. These versions are so out of date that they no longer receive any security updates to protect you, or to protect others from you (Office 2007 joined them when its support ended in October 2017).

I have done a couple of tests with these malicious docs using Office Online. As far as I can see, using Office Online is perfectly safe with these malicious Word or Excel docs with embedded macros: Office Online never runs VBA in the browser, and when Word Online converts an old-format .doc to the newer XML format the macro is dropped altogether. With no macro running there is no way for the Dridex downloader to run on your computer. One caveat: the file you uploaded (and a .docm you download back) may still contain the macro, so do not then open it in desktop Word and enable content.

How to protect yourself from these exploits in Office programs.

To ensure safety, stop any of these malicious Word or Excel documents from using their embedded malicious macros, and reduce the risk from other unknown exploits, you need to set Word, Excel and PowerPoint as shown below. Note that Trust Center settings are per application: setting them in Word does not change Excel or PowerPoint, so repeat the steps in each Office program you use (Publisher, as noted above, lacks some of these options).

The screenshots below were taken using Office 2013, but all current versions are very similar.

Open Word. Select File, then Options, then Trust Center. Next press Trust Center Settings and you will see the list of settings and options shown below. All of these should be the defaults and will protect you against the currently spreading macro malware. Some users will have set Office to stricter settings than these defaults, by turning off the message bar completely and blocking all macros and ActiveX with no notifications:

(Screenshots: Word ActiveX control settings; Word macro settings)
Protected View, introduced in Office 2010, is probably the most important setting: make sure it is enabled and all three boxes are ticked. That prevents any Office document that was downloaded from the internet or received by email (both carry the "mark of the web" that Windows adds to files from the internet zone), or that sits in a location Office considers unsafe, from running any active content without your approval. Note that a file copied from a thumb drive or a network share typically carries no mark of the web and will open normally, so Protected View is not a substitute for the macro settings above. In Protected View you can read the email and any attachment (Word doc or Excel spreadsheet) safely; you just cannot edit it or see or use embedded content like videos or macros. Only when you are 100% sure that the file is safe and you need to edit it should you press the Enable Editing button on the yellow warning bar. Be aware that Enable Editing only leaves Protected View; a second prompt, Enable Content, is what actually runs the macros, and the malicious documents ask you to press both.

(Screenshots: Word Protected View settings; Word message bar settings)


There is one additional section that I strongly advise you to set as shown in this screenshot: File Block Settings. Tick RTF files (and the older Word binary document formats listed in the same dialog, if you do not need them) and choose "Open selected file types in Protected View". RTF files are currently being used in various malware campaigns via both known and unknown exploits. This still lets you view and read RTF files, but not edit them or run any active or embedded content.

(Screenshot: Word File Block Settings)

Next, turn off the DDE "exploit" by stopping Word from updating linked files automatically.

Open Word. Select File, then Options, then Advanced, scroll down to General and untick "Update automatic links at open". Note: this will break a legitimate use that some companies have, namely automatically updating Word docs from linked Excel or Access data. Microsoft later documented the same mitigation as the registry value DontUpdateLinks = 1 (DWORD) under HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Options, with a second copy under ...\Word\Options\WordMail for Outlook, which uses Word as its editor (Microsoft security advisory ADV170021). Excel has its own setting ("Ignore other applications that use Dynamic Data Exchange (DDE)" under Advanced, General) and needs hardening separately.

(Screenshot: Word Advanced options with "Update automatic links at open" unticked)

Because of these vulnerabilities, and the difficulty of preventing macro malware attacks in any version of Office before Office 2010, I strongly urge you to update your Office software to the latest version and stop putting yourself and others at risk by using old, out of date software.

This very informative post gives some excellent advice about using Group Policy in an enterprise environment to enforce these settings centrally, rather than relying on every user to set them by hand.
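As an added example (not from the original post, nor from the Group Policy article it links), the Python script below audits the Word settings described above by reading the registry values that the Trust Center, File Block and Advanced dialogs write; the Office policy templates set the same value names under Software\Policies, which override the user values. It assumes Office 2016/365 (version key 16.0; use 15.0 for 2013 and 14.0 for 2010). The File Block value semantics are taken from the Word policy template and are flagged as assumptions in the code. The macro and Protected View value names are identical under the Excel and PowerPoint keys, so the table can be reused for those by swapping the component name; the File Block and DDE values differ per application. On a non-Windows machine the script emits a .reg file instead of reading the live registry.

```python
"""Audit, and optionally apply, the Word hardening settings described above
using the registry values that the Trust Center and Options dialogs write.
Audit mode runs anywhere against any reader callable; apply mode uses winreg
and therefore only works on the Windows host being checked."""
from typing import Callable, Optional

OFFICE_VERSION = "16.0"  # assumption: Office 2016/365. 15.0 = 2013, 14.0 = 2010.
USER_BASE = rf"Software\Microsoft\Office\{OFFICE_VERSION}\Word"
POLICY_BASE = rf"Software\Policies\Microsoft\Office\{OFFICE_VERSION}\Word"

# (subkey, value name, value to write, values accepted as hardened,
#  value Word assumes when the entry is absent, the dialog setting it maps to)
REQUIRED = [
    ("Security", "VBAWarnings", 2, {2, 3, 4}, 2,
     "Macro Settings: disable all macros (2 = with notification, 3 = except signed, 4 = without)"),
    (r"Security\ProtectedView", "DisableInternetFilesInPV", 0, {0}, 0,
     "Protected View for files originating from the Internet"),
    (r"Security\ProtectedView", "DisableUnsafeLocationsInPV", 0, {0}, 0,
     "Protected View for files in potentially unsafe locations"),
    (r"Security\ProtectedView", "DisableAttachmentsInPV", 0, {0}, 0,
     "Protected View for Outlook attachments"),
    (r"Security\FileBlock", "RtfFiles", 2, {2}, 0,
     "File Block: RTF files open/save blocked (value meaning assumed from the Word ADMX template)"),
    (r"Security\FileBlock", "OpenInProtectedView", 1, {1}, 1,
     "File Block: open blocked file types in Protected View without editing (assumed from ADMX)"),
    ("Security", "PackagerPrompt", 2, {2}, 1,
     "Embedded OLE Package objects: do not prompt, do not run"),
    ("Options", "DontUpdateLinks", 1, {1}, 0,
     "Advanced > General: 'Update automatic links at open' unticked (DDE, ADV170021)"),
    (r"Options\WordMail", "DontUpdateLinks", 1, {1}, 0,
     "The same DDE setting for Word used as the Outlook e-mail editor"),
]

Reader = Callable[[str, str], Optional[int]]


def audit(read: Reader) -> list:
    """read(key_path, value_name) returns the DWORD or None when absent.
    Policy keys override user keys, so they are consulted first. Returns
    (subkey, name, found, wanted, label) for every setting that is not hardened."""
    problems = []
    for subkey, name, want, accepted, absent, label in REQUIRED:
        found = None
        for base in (POLICY_BASE, USER_BASE):
            found = read(rf"{base}\{subkey}", name)
            if found is not None:
                break
        effective = absent if found is None else found
        if effective not in accepted:
            problems.append((subkey, name, found, want, label))
    return problems


def reg_text() -> str:
    """Render the hardened values as a .reg file for import on the Windows host."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for subkey, name, want, _accepted, _absent, label in REQUIRED:
        lines += [f"; {label}", rf"[HKEY_CURRENT_USER\{USER_BASE}\{subkey}]",
                  f'"{name}"=dword:{want:08x}', ""]
    return "\n".join(lines)


def winreg_reader(path: str, name: str) -> Optional[int]:
    """Live reader for the current user's hive (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            value, kind = winreg.QueryValueEx(key, name)
    except OSError:
        return None
    return value if kind == winreg.REG_DWORD else None


if __name__ == "__main__":
    import sys
    if sys.platform == "win32":
        for subkey, name, found, want, label in audit(winreg_reader):
            print(f"NOT HARDENED {subkey}\\{name}: found {found}, want {want}  [{label}]")
    else:
        print(reg_text())  # save as word-hardening.reg and import on the Windows machine
```

Absent values are compared against what Word assumes when the entry is missing, so a fresh install reports only the settings that are genuinely off by default (File Block for RTF, the Packager prompt, and the two DDE link values); the macro and Protected View defaults already pass.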

We also regularly see campaigns with a genuine Word doc attached that is malformed and contains an embedded OLE virus/Trojan. These use the CVE-2012-0158 exploit (a bug in the MSCOMCTL ActiveX control, fixed in MS12-027 in April 2012) and possibly a similar exploit from 2013/14. If Protected View is turned off and RTF is allowed, then opening this malicious Word document will infect you, and simply previewing it in Windows Explorer or your email client might well be enough to infect you. Almost all of these malicious Word documents appear blank when opened in Protected View, which should be the default in Office 2010, 2013, 2016 and 365.

Update: see THIS Microsoft post for methods to block the use of embedded OLE objects in Office docs.

In February 2016 we are seeing several malspam attacks using the CVE-2014-1761 exploit (an RTF parsing bug fixed in MS14-017) in unpatched versions of Office, and it doesn't matter whether you have macros turned off or not. If you are not patched, then you WILL be infected by this.

You need to set Word to disallow RTF files being opened or previewed (the File Block settings above) and prevent the preview of RTF files in Outlook to protect yourself from this one if you cannot patch immediately.

In May 2016 we are seeing many more embedded OLE objects rather than the more traditional macro. These invite you to double-click an image in the Word doc. Many of these images are deliberately blurred, with wording such as "double click this image to see full content" or "double click on the file to view properly". Double-clicking runs the embedded file, typically a JavaScript downloader that connects to a remote site to fetch whatever malware the bad guys have decided to push; a lot of these are the Dridex banking Trojan or various ransomwares. Sometimes the embedded OLE object is the full malware itself. Almost any content can be embedded in Word and other Microsoft Office programs as an OLE "Package" object, including Java, Flash, PDF, JavaScript (.JS and .JSE) and .exe files, all of which can contain exploits or be the malware outright. Protected View stops embedded objects from being activated at all; outside Protected View, Office shows a "do you want to run this file?" warning when a packaged object is double-clicked. Do not turn off Protected View, and do not override or ignore that warning.

You must learn, and teach others, to look at the attachment: if the Protected View bar appears when opening or previewing the document, DO NOT enable editing. The document might look blank or have distorted or blurred images, but it is safe while it stays in Protected View. One way of identifying a malicious document received by email is that it will not preview properly in the Outlook preview pane or when saved to your downloads folder: it appears blank or has content similar to the images shown in the slideshow above.
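The attachment tricks covered in this post (macros, embedded OLE objects, DDE field codes, and the password-protected wrapper that hides both from scanners) can all be spotted from a file's structure without ever opening it in Office. The script below is an added example, not code from the original post: it uses only the Python standard library, builds its own constructed sample files in memory, and is deliberately heuristic. For legacy binary .doc/.xls files it only looks for the UTF-16LE storage names that a real CFB parser (such as oletools) would enumerate properly, and a DDE field assembled from QUOTE and character codes would still need the field evaluated, which it does not do.

```python
"""Static triage of an Office attachment for the active-content tricks the
post describes: VBA macros, embedded OLE/Packager objects, DDE field codes,
and the password-protected (encrypted) wrapper that hides all of those from
scanners. Standard library only; the sample files are constructed in memory."""
import io
import re
import zipfile

# OLE2 compound file (CFB) magic: legacy .doc/.xls/.pub, and the wrapper Office
# writes around a password-protected OOXML file.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# CFB directory entries hold stream and storage names as UTF-16LE, so a raw byte
# search for a name is a cheap (if crude) presence check without a CFB parser.
ENCRYPTED_STREAM = "EncryptedPackage".encode("utf-16-le")
VBA_STORAGES = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT_CUR")]  # Word, Excel

INSTR_TEXT_RE = re.compile(rb"<w:instrText[^>]*>(.*?)</w:instrText>", re.DOTALL)
FLD_SIMPLE_RE = re.compile(rb'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
DDE_RE = re.compile(rb"\bDDE(AUTO)?\b", re.IGNORECASE)


def field_codes(xml: bytes) -> bytes:
    """Concatenate every field code in a WordprocessingML part. Joining the
    <w:instrText> runs matters: lures split DDEAUTO across runs so that a
    per-run search misses it."""
    return b"".join(INSTR_TEXT_RE.findall(xml)) + b" " + b" ".join(FLD_SIMPLE_RE.findall(xml))


def triage(data: bytes) -> dict:
    """Indicators for one file. macros is None when the file is encrypted,
    because nothing inside it can be inspected without the password."""
    f = {"container": "unknown", "encrypted": False, "macros": False,
         "ole_objects": 0, "dde": False}
    if data.startswith(CFB_MAGIC):
        f["container"] = "cfb"
        if ENCRYPTED_STREAM in data:
            f["encrypted"], f["macros"] = True, None
        else:  # enumerating OLE objects in a binary file needs a real CFB parser
            f["macros"] = any(s in data for s in VBA_STORAGES)
    elif data.startswith(b"{\\rtf"):
        f["container"] = "rtf"  # RTF cannot carry VBA; each {\object ...} group is an embedded OLE object
        f["ole_objects"] = data.count(b"{\\object")
    elif data.startswith(b"PK\x03\x04"):
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return f
        with zf:
            names = zf.namelist()
            f["container"] = "ooxml"
            f["macros"] = any(n.lower().endswith("vbaproject.bin") for n in names)
            f["ole_objects"] = sum(1 for n in names if "/embeddings/" in n.lower())
            f["dde"] = any(DDE_RE.search(field_codes(zf.read(n)))
                           for n in names if n.lower().endswith(".xml"))
    return f


def verdict(f: dict) -> str:
    """The post's rule: nothing with active content, and nothing you cannot
    see inside, gets opened outside Protected View."""
    if f["encrypted"] or f["container"] == "unknown":
        return "review"  # opaque: confirm with the sender out of band before opening
    if f["macros"] or f["ole_objects"] or f["dde"]:
        return "block"
    return "clean"


def make_sample_docx(macro=True, ole=True, dde=True) -> bytes:
    """Constructed minimal .docx for the demo; not a real sample. The DDEAUTO
    field is split across two runs, as real lures do, and points nowhere."""
    field = (b"<w:r><w:instrText>DDE</w:instrText></w:r>"
             b'<w:r><w:instrText>AUTO "C:\\\\example\\\\app.exe" "placeholder"</w:instrText></w:r>') if dde else b""
    document = (b'<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
                b"<w:body><w:p>" + field + b"</w:p></w:body></w:document>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", document)
        if macro:
            zf.writestr("word/vbaProject.bin", b"placeholder")
        if ole:
            zf.writestr("word/embeddings/oleObject1.bin", b"placeholder")
    return buf.getvalue()


def make_sample_encrypted() -> bytes:
    """Constructed stand-in for a password-protected file: only the CFB magic and
    the UTF-16LE EncryptedPackage directory name are genuine features."""
    return CFB_MAGIC + b"\0" * 64 + ENCRYPTED_STREAM + b"\0" * 64


if __name__ == "__main__":
    for label, blob in (("lure.docm", make_sample_docx()),
                        ("report.docx", make_sample_docx(False, False, False)),
                        ("passworded.docx", make_sample_encrypted()),
                        ("invoice.rtf", b"{\\rtf1{\\object\\objemb{\\*\\objdata 00}}}")):
        found = triage(blob)
        print(f"{label}: {verdict(found)} {found}")
```

The "review" verdict for encrypted and unrecognised files is the point of the 27 September 2016 update above: a filter that only looks for macros lets the password-protected lure straight through, so anything a scanner cannot see inside has to be treated as suspicious rather than clean.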



Protect yourself from Word and other Microsoft Office Docs with embedded macro viruses or other dangerous content — 34 Comments

  1. Hello, thank you for this post. I'm infected with exactly this virus. Since the infection I can't open any newly downloaded (via Outlook or web) MS Office files. They all fail to open, with the message that they are defective. But they are not defective, because I can download them on other computers and open them there without any problems. It would be great if someone knows a solution to get rid of this virus. I am close to setting up the PC completely new, but still fear the work. Cheers Franco

