A week ago, SANS ISC handler and freelance security consultant Xavier Mertens analyzed a Word document containing malicious macros, and unearthed in it a VBA function that changes the document layout.
He admittedly didn’t know why this function was included, but another handler pointed out that the function is there to fool victims into believing that once they have enabled the macros, they will be able to read the text contained in the document.
“One popular social engineering trick to entice users to enable macros, is to make the user believe that the document contains secret or confidential information, and that the user needs to take action to reveal this information,” Didier Stevens explained.
“The Word document will contain a message that the content is hidden (or encoded, or encrypted, …) and that the user needs to enable the content (or the macros) to visualize it. This function will change the font color from white to black (thereby “revealing” the hidden information) and remove the header that instructs the user to enable the content.”
Effectively, this function will make less tech savvy users believe that nothing out of the ordinary happened, and that their action simply allowed them to read the document. What they won’t know or notice is that a malicious payload is downloaded and executed in the background, and their computer has been compromised.