March 08, 2025

Live Phishing Attack Delivers Malware Using a Novel Infection Technique

McAfee researchers warn that a recent phishing campaign is delivering malware via non-malicious Word documents. When a user opens the document and enables content, it downloads an Excel file, and the malicious macro is constructed from that file only once it is on the system. Because the macro does not exist until that point, it evades security filters.

“The malware is delivered via a phishing email that contains an attachment of a Microsoft Word document,” the researchers write. “Upon opening the document and enabling macros, the Word document downloads and opens another password-protected Microsoft Excel document.

“After downloading the XLS file, Word VBA reads the contents of the cells in the XLS file, creates a new macro for the same XLS file, and writes the contents of the cells to XLS VBA macros as functions. Once the macros are written and prepared, the Word document changes the registry policy to Disable Excel Macro Warning and invokes the malicious macro function contained in the Excel file. The Excel file downloads the Zloader payload at this point. Rundll32[dot]exe is then used to execute the Zloader payload.”

Notably, the user must still enable macros in the first document in order to download the second. As a result, if users are trained to never enable macros in an Office document, the infection chain can be broken.
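For defenders, the chain the researchers describe leaves three observable stages on the endpoint: Word launching Excel, an Office process changing Excel's macro security policy, and an Office process launching rundll32. The following detection sketch is an added example, not code from McAfee or the original article; the event format and sample events are constructed, and the registry value names `VBAWarnings` and `AccessVBOM` are assumed (they are standard Office macro-security values, but the article does not name the value the campaign changed).

```python
import re

# Constructed, simplified endpoint events (not from a real incident).
# kind "proc" = process creation, kind "reg" = registry value set.
SAMPLE_EVENTS = [
    {"kind": "proc", "parent": "explorer.exe", "image": "WINWORD.EXE"},
    {"kind": "proc", "parent": "WINWORD.EXE", "image": "EXCEL.EXE"},
    {"kind": "reg", "image": "WINWORD.EXE", "value": "1",
     "target": r"HKCU\Software\Microsoft\Office\16.0\Excel\Security\VBAWarnings"},
    {"kind": "proc", "parent": "EXCEL.EXE", "image": "rundll32.exe"},
    {"kind": "proc", "parent": "explorer.exe", "image": "EXCEL.EXE"},  # benign launch
]

OFFICE = {"winword.exe", "excel.exe"}
# Assumed value names: standard Office macro-security settings, not named in the article.
MACRO_POLICY = re.compile(
    r"\\Office\\[^\\]+\\Excel\\Security\\(VBAWarnings|AccessVBOM)$", re.I)

def classify(event):
    """Return the name of the chain stage an event matches, or None."""
    image = event["image"].lower()
    parent = event.get("parent", "").lower()
    if event["kind"] == "proc":
        if parent == "winword.exe" and image == "excel.exe":
            return "word_spawns_excel"
        if parent in OFFICE and image == "rundll32.exe":
            return "office_spawns_rundll32"
    elif event["kind"] == "reg":
        if image in OFFICE and MACRO_POLICY.search(event["target"]):
            return "office_changes_macro_policy"
    return None

def detect_chain(events):
    """Collect matched stages in order; alert when two or more distinct stages appear."""
    stages = [s for s in map(classify, events) if s]
    return {"stages": stages, "alert": len(set(stages)) >= 2}

if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))
```

Requiring two distinct stages before alerting keeps a single legitimate event, such as a user opening a workbook from Explorer, from firing the rule on its own.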

“Malicious documents have served as an entry point for the majority of malware families, and these attacks have evolved their infection techniques and obfuscation, moving away from direct payload downloads from VBA and toward dynamic payload downloads, as discussed in this blog,” the researchers write.

“The use of such agents in the infection chain is not limited to Word or Excel; additional threats may download their payloads using other off-the-land tools.

“Macros are disabled by default in Microsoft Office applications due to security concerns. We suggest that you enable them only when you receive a document from a trusted source.”

Security awareness training in the modern era teaches employees to adhere to security best practices.
