  #1 Vincenzo (5 Star Lounger)

    Malicious .doc attachment?

    A friend of mine clicked on a .doc attachment in a spam email because she had a moment of weakness in spite of all the precautions I've told her to take, and the email was cleverly worded.

    But when I asked her if there were any dialogs that appeared when she opened the .doc file, she said no. I thought that the main threat with the outdated .doc format is that they can contain macros, and the newer versions of Word would present a dialog asking if you want to run the macro.
    Since that did not happen, I am wondering now if there are other ways the .doc files can contain malware that will run with no user approval other than just opening the file.

    BTW when I submit the .doc file to Virustotal, it detects trojan dropper, macro dropper, and various other garbage.

    I am going to run a bunch of malware scanners on her system and see what comes up.

    Thanks
    Last edited by Vincenzo; 2016-10-27 at 16:33.

  #2 Weedhopper (Banned Member)
    Be careful about The Watchdog Virus. It is very tricky. Hopefully it's not that.


  #3 BruceR (Super Moderator)
    This article published today summarizes how recent versions of Word handle macros:

    Microsoft Office malware: Now more users get anti-hacker, macro-blocking features

    It's difficult to comment specifically as you didn't tell us which version she's using.
    Last edited by BruceR; 2016-10-27 at 19:15.


  #4 satrow (Super Moderator)
    The Virustotal link would have been useful.


  #5 Vincenzo (5 Star Lounger)
    I don't know the Office version, I think it is Office 2010. I am going to log in tomorrow so I'll check.


    Quote Originally Posted by satrow:
    The Virustotal link would have been useful.
    I submitted the file by email, so there was no link. But here are the results from the return email:

    Complete scanning result of "statement.com_51152.doc", processed in VirusTotal at 10/25/2016 22:10:43 (CET)

    [ file data ]
    * name..: statement.com_51152.doc
    * size..: 147456
    * md5...: 5d3a733a05ee7e016ce9bd1789dfb993
    * sha1..: f16ac0fd91217fc8930ae9df27629650c56336b7

    [ scan result ]
    ALYac 1.0.1.9/20161025 found nothing
    AVG 16.0.0.4664/20161025 found nothing
    AVware 1.5.0.42/20161025 found nothing
    Ad-Aware 3.0.3.794/20161025 found nothing
    AegisLab 4.2/20161025 found Macro.Dropper.Gen!c
    AhnLab-V3 3.8.1.15874/20161025 found nothing
    Antiy-AVL 1.0.0.1/20161025 found nothing
    Arcabit 1.0.0.779/20161025 found nothing
    Avast 8.0.1489.320/20161025 found nothing
    Avira 8.3.3.4/20161025 found HEUR/Macro.Dropper
    Baidu 1.0.0.2/20161025 found nothing
    BitDefender 7.2/20161025 found nothing
    Bkav 1.3.0.8455/20161025 found nothing
    CAT-QuickHeal 14.00/20161025 found nothing
    CMC 1.1.0.977/20161025 found nothing
    ClamAV 0.98.5.0/20161025 found nothing
    Comodo 26001/20161025 found nothing
    Cyren 5.4.16.7/20161025 found nothing
    DrWeb 7.0.23.8290/20161025 found nothing
    ESET-NOD32 14337/20161025 found nothing
    Emsisoft 3.5.0.658/20161025 found nothing
    F-Prot 4.7.1.166/20161025 found nothing
    F-Secure 11.0.19100.45/20161025 found Trojan:W97M/Nastjencro.A
    Fortinet 5.4.233.0/20161025 found nothing
    GData 25/20161025 found nothing
    Ikarus T3.2.1.16.0/20161025 found Win32.SuspectCrc
    Jiangmin 16.0.100/20161025 found nothing
    K7AntiVirus 9.244.21303/20161025 found nothing
    K7GW 9.244.21303/20161025 found nothing
    Kaspersky 15.0.1.13/20161025 found nothing
    Kingsoft 2013.8.14.323/20161025 found nothing
    Malwarebytes 2.1.1.1115/20161025 found nothing
    McAfee 6.0.6.653/20161025 found W97M/Dropper.cs
    McAfee-GW-Edition v2015/20161025 found W97M/Dropper.cs
    MicroWorld-eScan 12.0.250.0/20161025 found nothing
    Microsoft 1.1.13202.0/20161025 found nothing
    NANO-Antivirus 1.0.44.12357/20161025 found nothing
    Panda 4.6.4.2/20161025 found nothing
    Qihoo-360 1.0.0.1120/20161025 found virus.office.gen.80
    Rising 28.0.0.1/20161025 found nothing
    SUPERAntiSpyware 5.6.0.1032/20161025 found nothing
    Sophos 4.98.0/20161025 found nothing
    Symantec 20151.1.1.4/20161025 found Trojan.Mdropper
    Tencent 1.0.0.1/20161025 found Win32.Trojan.Inject.Auto
    TheHacker 6.8.0.5.1111/20161025 found nothing
    TotalDefense 37.1.62.1/20161025 found nothing
    TrendMicro 9.740.0.1012/20161025 found W2KM_DLOADR.YYSUJ
    TrendMicro-HouseCall 9.900.0.1004/20161025 found W2KM_DLOADR.YYSUJ
    VBA32 3.12.26.4/20161025 found nothing
    VIPRE 53298/20161025 found nothing
    ViRobot 2014.3.20.0/20161025 found nothing
    Yandex 5.5.1.3/20161025 found nothing
    Zillya 2.0.0.3097/20161025 found nothing
    Zoner 1.0/20161025 found nothing
    nProtect 2016-10-25.02/20161025 found nothing
    Last edited by Vincenzo; 2016-10-28 at 11:44.

  #6 Vincenzo (5 Star Lounger)
    BTW in case you are curious, here is the (edited to clean it up) email they sent her:

    Subject: credit card charge from *.com

    What is this f*****g charge on my card?
    I never visited or bought anything from *.com.
    I have attached a screenshot of my statement.
    I want my money back!!!
    I have attached my card statement, please get back to me ASAP.

    Thank you

  #7 satrow (Super Moderator)


  #8 Vincenzo (5 Star Lounger)
    Thanks, Satrow.

    The signature that refers to a banking trojan is concerning, I've told my friend not to do any banking (or credit card purchases) until I can run a battery of malware scans. She is gone for the day, so I can't log in today.

    What does the Cuckoo item refer to? I've tried to get some info; it seems like it is a sandbox.

    Thanks for the help.

  #9 satrow (Super Moderator)
    Just to be on the safe(r) side, I'd ask your friend to change all her passwords so that each one is unique, and check all online accounts for unauthorised access. From a known clean machine I'd also want to check the email address against a list of emails linked to breached sites (https://haveibeenpwned.com ?).

    Yes, Cuckoo is the sandbox technology they use to safely investigate what happens when malware is executed.

    What I find quite interesting about the VT results is how many of the so-called better software missed this detection. It does make you wonder if this was a very recent detection and the data was slow in propagating, or whether it was designed to dodge many of the bigger players.

    There are file types that can be created to trigger execution on download; the email client or browser might be automatically set to pass certain file types directly to the software registered for that type. Word/Office docs would be pretty high on an exploit kit's list of targets, alongside Flash, Reader, Java, et al. Take a look at (Alt) Tools > Options > Applications in Firefox or similar and, for Windows, Control Panel\All Control Panel Items\Default Programs\Set Associations for an idea of just how many possible exploits are in use or waiting to be found for some of these - especially the ones you didn't know existed. In the browser/email client "Always ask" is a safer option than Open with; Downloads are better set to Ask, rather than to automatically download.

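A small parser for the VirusTotal e-mail report format quoted in post #5, added here as an example and not part of the thread; it computes the detection ratio satrow comments on and tallies verdict strings by the macro/dropper keywords they carry. The embedded report lines are an excerpt of the ones posted above, and the keyword lists are an assumption for illustration.

```python
import re
from collections import Counter

# Excerpt of the scan-result lines quoted in post #5 (not the full 55-engine list).
SAMPLE_REPORT = """\
ALYac 1.0.1.9/20161025 found nothing
AegisLab 4.2/20161025 found Macro.Dropper.Gen!c
Avira 8.3.3.4/20161025 found HEUR/Macro.Dropper
F-Secure 11.0.19100.45/20161025 found Trojan:W97M/Nastjencro.A
Kaspersky 15.0.1.13/20161025 found nothing
McAfee 6.0.6.653/20161025 found W97M/Dropper.cs
McAfee-GW-Edition v2015/20161025 found W97M/Dropper.cs
Symantec 20151.1.1.4/20161025 found Trojan.Mdropper
TrendMicro 9.740.0.1012/20161025 found W2KM_DLOADR.YYSUJ
Sophos 4.98.0/20161025 found nothing
"""

# One result line: "<engine> <version>/<signature date> found <verdict>"
LINE_RE = re.compile(
    r"^(?P<engine>\S+) (?P<version>\S+)/(?P<sigdate>\d{8}) found (?P<verdict>.+)$"
)


def parse_report(text):
    """Map engine name -> verdict string, or None when the engine 'found nothing'."""
    results = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skips the [ file data ] block, blank lines and the header
        verdict = m.group("verdict").strip()
        results[m.group("engine")] = None if verdict == "nothing" else verdict
    return results


def detection_ratio(results):
    """(engines that flagged the file, engines that scanned it)."""
    hits = sum(1 for v in results.values() if v)
    return hits, len(results)


def family_hints(results):
    """Count verdicts mentioning Office-macro or dropper/downloader keywords (assumed lists)."""
    tally = Counter()
    for verdict in results.values():
        if not verdict:
            continue
        u = verdict.upper()
        if any(k in u for k in ("W97M", "W2KM", "MACRO")):
            tally["office-macro"] += 1
        if any(k in u for k in ("DROP", "DLOADR")):
            tally["dropper/downloader"] += 1
    return tally
```

Run against the full report in post #5 the same functions give 11 detections out of 55 engines.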

  #10 Vincenzo (5 Star Lounger)
    I have scanned my friend's computer with rkill, MBAM, Superantispyware, ADWCleaner, ESET, and all came out clean, except for some very common PUPs and tracking cookies.

    I sent her one of the screenshots from the malwr.com site you linked to (attached below), and she says that is the screen she saw when she opened the attachment, but there was not a button or dialog to enable macros, so perhaps that is not why she did not get infected? She has Office 2010, maybe the malware would only have executed on an old version of Office?
    Attached Images

  #11 satrow (Super Moderator)
    (I'd have added JRT to that list; the logs generated by all that software can help pinpoint more than just what they remove, any clues are good with mystery malware.)

    I haven't used Office for many years, so I can't easily test (even if I had the same email) exactly what it does. I'd advise visiting a good malware forum and have their experts go through it, majorgeeks, malwarebytes, bleepingcomputer, ... save those logs, they'll probably want to see them.


  #12 BruceR (Super Moderator)
    Quote Originally Posted by Vincenzo:
    I sent her one of the screenshots from the malwr.com site you linked to (attached below), and she says that is the screen she saw when she opened the attachment, but there was not a button or dialog to enable macros, so perhaps that is not why she did not get infected? She has Office 2010, maybe the malware would only have executed on an old version of Office?
    I believe that's true:

    One of Office 2010's new safety features is Protected View, which lets you view a document but prevents it from launching macros—thereby preventing it from injecting malware into your system. By default files downloaded from the Internet open in Protected View, as do files still in your browser cache, and attachments opened in Outlook.
    Enable or Disable Word's New Protected View

    File, Options, Trust Center, Protected View says, "Protected View opens potentially dangerous files, without any security prompts, to help minimize harm to your computer."
    (in Word 2010.)


  #13 Vincenzo (5 Star Lounger)
    Quote Originally Posted by satrow:
    (I'd have added JRT to that list; the logs generated by all that software can help pinpoint more than just what they remove, any clues are good with mystery malware.)

    I haven't used Office for many years, so I can't easily test (even if I had the same email) exactly what it does. I'd advise visiting a good malware forum and have their experts go through it, majorgeeks, malwarebytes, bleepingcomputer, ... save those logs, they'll probably want to see them.
    Thanks, I'll scan it with JRT.


    Quote Originally Posted by BruceR:
    I believe that's true:

    One of Office 2010's new safety features is Protected View, which lets you view a document but prevents it from launching macros—thereby preventing it from injecting malware into your system. By default files downloaded from the Internet open in Protected View, as do files still in your browser cache, and attachments opened in Outlook.
    Enable or Disable Word's New Protected View

    File, Options, Trust Center, Protected View says, "Protected View opens potentially dangerous files, without any security prompts, to help minimize harm to your computer."
    (in Word 2010.)
    Thanks for that info, Bruce. I'm guessing Protected View is what saved her.
