Incident Response, TDR

Phishing email contains Word doc, enabling macros leads to malware infection

After an employee with PhishMe was targeted by a phishing email, researchers with the company had the opportunity to analyze a sneaky attack that begins with enabling macros in a Microsoft Word document and ends with a malware infection.

The body of the phishing email appears as legitimate internal communications and comes attached with a Microsoft Word document named ‘Financial Statement.doc,' as seen in a screenshot of the email that was included in a Monday post.

Upon downloading and opening the Word file, the content appears blurred and a message – which states that the blur has been set for security and safety reasons – asks the recipient to enable macros in order to properly view the document.

This is where the social engineering takes place, Ronnie Tokazowski, senior researcher at PhishMe, told in a Wednesday email correspondence.

“Macros have to be enabled for the attack to run because part of the exploit code is in the macro,” Tokazowski said. “By default, MS Word disables macros, but automatically prompts the user to enable them upon opening the document.”

According to the post, enabling macros will result in a batch script being executed via cmd.exe, which then executes Visual Basic script, which next triggers a PowerShell script – finally leading to the malware being downloaded.

“The greatest benefit to this technique is that it makes it easier to evade detection,” Tokazowski said. “Anti-virus will sometimes detect this, but it won't pick up on malicious code within a MS Word macro as often as it will detect a simple malicious attachment.”

Tokazowski said he is not a hundred percent sure what malware is being delivered, but he said it looked like a generic banking trojan that is capable of keylogging and copying clipboard contents. He added that the goal of the attack seems to be to gain further access to the network.

“What was unique about this attack was how the Macro, VBS, and PowerShell all interacted,” Tokazowski said. “We haven't been targeted with this type of attack before, although others have blogged about it. In addition to being able to evade anti-virus, the exploit code was very efficient when it ran.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.