Conventional Office macro infection approach Cuts off after a new email spam campaign

In a recently performed email spam drive, researchers found strokes of spam emails that make use of Microsoft Office documents for a malicious purpose such as downloading and stealing passwords without having any need to activate Macros. Observing that the method of hitting a number of users with multiple emails could result in a big loss if users follow to click and perform any mentioned measure mentioned in emails.

Possibly, a huge count of malware will cache Microsoft Office document typically attached to spam emails. If a victim enables or activates Macros in a malicious doc file the downloader will save or hide malware sent via mails. This is a usual vision in spam emails delivered by Necurs botnet. However, a new sample was taken off the method of the input sequence, which is mapped to replace an output sequence according to any certain procedure or simply macro approach. This new method involves the use of a Microsoft Office exposure to execute data and sensitive details from victims.

From a long track of the email spam campaign, researchers concluded that there is a four-level infection method to send off attachments and those data or password stealer. The method or the password stealer program is strong enough to steal credentials from user’s email, FTP, and browser clients.

There are particularly different subject lines that have been noted by researchers during the spam campaign:

  • Request for Quotation (RFQ) – (random numbers)
  • TNT STATEMENT OF ACCOUNT – (random numbers)
  • Telex Transfer Notification

Reported outcomes of email Spam campaign

The files sent were observed to be in different extensions depending on Microsoft versions. Word document of MS Office 2007 supports XML file formats based on Zip archives and XML tools. It is easy to convert data and information is Word document 2007 file whether it is done by programmatic method or manual. Moreover, DOCX attachments contain an embedded Object Linking and Embedding objects with external references. This attribute opens up external access to analyze references of document.xml.rels of OLE objects.

If the end user opens the file, it prompts the download and execution of any remote document file in rich text file format (.RTF). These.RTF extensions use MS equation editor tools to convert downloads an MSHTA command line so it can direct a remote HTA file format. Eventually, those HTA files result into obscured codes of VBScript and a PowerShell script that supports remote binary file and these binary files, at the end, executes the password stealer malware. The whole process explains Microsoft Office limits, which was discovered back in July 2017.

Attackers can corrupt Microsoft memory vulnerability by running random codes by failing inappropriately manage object in the memory. Researchers also explained about high availability of platforms and vectors to use for malware download. If any of the stage (out of four) goes unsuccessful, it will give out the domino effect on the entire process and could be the high-risked approach for the malware author.

At any point, if you face a technical issue then contact Office customer support team. The technicians working 24*7 will be glad to assist you. You can also visit

Leave a Reply

Your email address will not be published. Required fields are marked *