Macros – they are normally delivered as attachments in the form of a Microsoft Word document. Macros can either make your life easier by automating those repetitive stuff or destroy all of your work in seconds. It is exploited by attackers to infect systems and make demands against the victim.
If your Microsoft Office is not set to disable Macros from running then you are at risk of infecting your system.
Why? Because the moment you open the malicious document, the Macros are set to run automatically.
It is a good practice to disable Macros from automatically executing whenever a document is opened.
Microsoft has an article on how to disable Macros for different versions of Office.
If you have the default settings, Microsoft Word will warn you that you need to click the “Enable Editing” prompt in order to run the Macros.
Aside from running Macros, there are Word documents with embedded objects. The objects are often disguised as a PDF or Excel document. But in fact, it is a shortcut to Command Prompt where after you clicked it, it will launch a shortcut with a PowerShell script to download and run an infected file from a certain website.
Avoid opening attachments from suspicious senders. Be cautious on random emails about arriving packages. If you are expecting one, they will not contain a Word document with blocked Macros. Double check the sender and the links inside the email.
Surprisingly enough, attackers are including a guide about enabling Macros and how to open their attachments. They added steps to click the “Enable Editing” button or else you will not be able to view the document correctly. Not only this, they added a password to open the document! How silly right? To think that adding a password will basically prevent the user from opening the document and running the malicious code.
Of course, they included the password in the body of their email. Trying to lead victims to think that this was a legitimate document because it is protected by a password.
Remember, it doesn’t matter if that attachment is password protected. If you feel that it is sketchy and suspicious then it should never be opened. If you are unsure, contact your local IT provider to provide you with some guidance.
It is unlikely for systems behind a Web filtering service or with a good antivirus to get infected. I tried to run it on a controlled environment and our Web filtering service (Cisco Umbrella) had blocked it from attempting to visit a dangerous website and stopped it from running.
It pays to invest on even the simplest protection your money can afford. There are lots of free applications to protect your system, but the assurance of having a premium layer of protection will give you the peace of mind in case you or someone accidentally downloads and runs an infected attachment.
