How do you spot a malicious Word document?

The main problem with this question is that the threat actors (that is newspeak for hackers) work hard to make their malicious Word documents appear as friendly as possible. When they are not being friendly – here is a tax rebate for you – they will threaten – here is a tax demand – but in a nice way, so you think it is HMRC making the demand and not someone sitting on a beach on the other side of the world.

I have sat in meetings where, when we start talking about the threat of malware getting into a company via email, someone reminds me that they are using the anti-virus I recommended, so they must be protected. Well no, not completely, even if I recommended it to them! Whatever technical solutions you have in place, they will always be playing catch-up with the threat – if you think about it for a moment, that is just the nature of the problem. This is where training your people to recognise phishing and social engineering cyber attacks becomes a force multiplier for your anti-virus, email filtering and firewall.

An example of how the threat actors work – “Order Confirmation 22839.docx”

One way the threat actors can evade your anti-virus’s malicious file detection is not to send you a malicious file in the first place. Word and the other Microsoft Office documents use the Office Open XML format (OOXML) that Microsoft developed, and it is a powerful tool for extending the capability of Office. Using this functionality, spammers have been including an innocent-looking downloader in the Word document that automatically goes and fetches another file, and it is that second file that goes and gets the malicious package. (Mertens, 2022)
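For the technically minded, here is a small defender-side check of the kind I would run on a suspicious attachment before anyone opens it. It is an added example written for this article, not code from the ISC diary or from Microsoft. A .docx is just a zip of XML parts, so the script lists every relationship that points outside the package (TargetMode="External") and separately looks for a frameset in word/webSettings.xml, which is the structure the cited diary describes: Word fetches the frame’s source when the document is opened, with no click required. The namespace strings are the standard OOXML ones; the sample document it builds, the relationship type name `frame` and the URL `http://example.invalid/next-stage.docx` are constructed for the demonstration.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Standard OOXML namespaces (package relationships, WordprocessingML, document relationships)
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
# Targets that leave the machine: web/ftp/file URLs and UNC paths
REMOTE = re.compile(r"^(https?|ftp|file)://|^\\\\", re.IGNORECASE)


def external_relationships(docx_bytes):
    """Every relationship in the package with TargetMode="External",
    returned as (rels part, short relationship type, target)."""
    found = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    found.append((name, rtype, rel.get("Target", "")))
    return found


def has_frameset(docx_bytes):
    """True if word/webSettings.xml declares a frameset; Word loads the
    frame sources automatically when the document is opened."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if "word/webSettings.xml" not in z.namelist():
            return False
        root = ET.fromstring(z.read("word/webSettings.xml"))
        return root.find(f".//{{{W_NS}}}frameset") is not None


def assess(docx_bytes):
    """Return human-readable reasons to treat the file as suspect.
    An empty list means nothing that auto-fetches remote content was found."""
    reasons = []
    if has_frameset(docx_bytes):
        reasons.append("word/webSettings.xml contains a frameset")
    for part, rtype, target in external_relationships(docx_bytes):
        # An ordinary hyperlink needs a click; any other external relationship
        # (frame, attached template, OLE object...) is resolved on open.
        if rtype != "hyperlink" and REMOTE.search(target):
            reasons.append(f"{part}: '{rtype}' relationship fetches {target}")
    return reasons


def build_sample_docx(frame_url=None):
    """Constructed minimal .docx for testing, not a real document from the wild.
    With frame_url set it carries a frameset whose source is an external
    relationship, i.e. the layout described in the cited ISC diary."""
    parts = {
        "[Content_Types].xml": (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
            '<Default Extension="xml" ContentType="application/xml"/></Types>'),
        "_rels/.rels": (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
            f'Type="{R_NS}/officeDocument" Target="word/document.xml"/></Relationships>'),
        "word/document.xml": (
            f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>Order Confirmation'
            '</w:t></w:r></w:p></w:body></w:document>'),
    }
    if frame_url:
        parts["word/webSettings.xml"] = (
            f'<w:webSettings xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:frameset><w:frameset>'
            '<w:frame><w:name w:val="f1"/><w:sourceFileName r:id="rId1"/></w:frame>'
            '</w:frameset></w:frameset></w:webSettings>')
        parts["word/_rels/webSettings.xml.rels"] = (
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{R_NS}/frame" '
            f'Target="{frame_url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Scan a file given on the command line, otherwise the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else \
        build_sample_docx("http://example.invalid/next-stage.docx")  # constructed URL
    for reason in assess(data) or ["no auto-fetching external content found"]:
        print(reason)
```

Run it as `python scan_docx.py suspicious.docx`; with no argument it scans the built-in sample and reports both the frameset and the external frame relationship. A clean report is not a guarantee (macros, embedded objects and plain social engineering are separate problems), but a frameset or a non-hyperlink external target in a document that claims to be an order confirmation is reason enough to quarantine it and ask the sender by phone.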

All of this is done to obfuscate the actions and get around your technical defences. Now it is up to your people.

Here are some tips you can circulate to your team to make a start on extending your cyber security:

  • Pay attention when you do your email.
  • Think: Do you normally receive this type of email from this sender?
  • Read your email carefully.
  • Pay attention to the email addresses of the Sender – is the domain spelled absolutely correctly?
  • Look out for speeling mistakes or odd grammars [sic].


Clive Catton MSc (Cyber Security) – by-line and other articles

References

Mertens, X. (2022). Malicious Word Document with a Frameset. SANS Internet Storm Center. Retrieved 15 September 2022, from https://isc.sans.edu/diary/Malicious+Word+Document+with+a+Frameset/29052.