Microsoft is warning Office users about documents with macros, because they are currently a popular method for cybercriminals to spread malware. At the end of last year there was an increase in several spam campaigns distributing two different Trojan downloaders. The Trojan downloaders are hidden in Excel and Word documents masquerading as orders or invoices.
The attackers add a notification to the document stating that its contents can only be viewed with macros enabled. Macros allow users to automate tasks and were abused by malware authors on a large scale a few years ago. Due to the security risks, Microsoft decided to block execution of macros in Office by default.
Users receive a security warning stating macros have been disabled. In the same warning users can opt to view the content of the document by clicking an “Enable Content” button.
“The combination of the instructional document, spam email with supposed monetary content, and a seemingly relevant file name, can be enough to convince an unsuspecting user to click the Enable Content button”, according to Alden Pornasdoro of the Microsoft Malware Protection Center.
As soon as users allow the content to be shown by running the macro, the Trojan downloader is downloaded, which then installs other malware on the computer. According to Microsoft, the majority of invoices and orders don’t require a macro, and users should therefore be wary of running macros. Special attention should be paid to unsigned macros and macros from unknown sources. Some malware also shows an empty document on purpose, so that users think they need to enable macros, which in turn activates the malware.
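For mail-gateway or helpdesk triage, the advice about unsigned macros can be turned into a pre-open check. The following is an added example, not code from Microsoft or from this article: it inspects an Office Open XML attachment for an embedded VBA project and for a signature part. The function names and the sample documents are constructed for illustration, and it assumes the conventional part names `vbaProject.bin` and `vbaProjectSignature*.bin`.

```python
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls files.
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")


def triage_office_file(data: bytes) -> str:
    """Classify an attachment by macro content before anyone opens it.

    Returns 'no-macro', 'macro-unsigned', 'macro-signed',
    'legacy-ole' (binary format, needs an OLE parser) or 'not-office'.
    """
    if data.startswith(OLE2_MAGIC):
        # Legacy formats can carry macros too; this sketch does not parse them.
        return "legacy-ole"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not-office"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    if "[content_types].xml" not in names:
        return "not-office"  # a ZIP archive, but not an Office package
    # Assumption: parts use their conventional file names.
    base = [n.rsplit("/", 1)[-1] for n in names]
    if "vbaproject.bin" not in base:
        return "no-macro"
    # Presence of a signature part only; it is NOT validated here.
    signed = any(b.startswith("vbaprojectsignature") for b in base)
    return "macro-signed" if signed else "macro-unsigned"


def build_sample(parts):
    """Build a constructed, content-free Office-like package in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in parts:
            zf.writestr(name, b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    core = ["[Content_Types].xml", "word/document.xml"]
    invoice = build_sample(core + ["word/vbaProject.bin"])
    print(triage_office_file(invoice))  # an "invoice" that carries a macro
```

A `macro-signed` result only means a signature part exists; whether the signer is valid and trusted still has to be checked by Office or a dedicated tool.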