Tuesday, March 31, 2020

MALWARE WARNING: EMAILDOMAIN plus “_contract.doc” has a Malicious Word Macro – Analysis & Details


My email gets bombarded by viruses, phishing scams, hoaxes and malware on almost a daily basis. A majority of the time, my anti-virus software catches and quarantines them, and most of these malicious files are Windows related (but Mac viruses are on the rise too). But in this particular case, I received an “innocent” looking email with “Re: hightechdad.com contract” as the subject. It was, luckily, put into my Gmail spam folder, but since I frequently have contracts with various companies, I thought perhaps it was legit. Long story short, it wasn’t. It contained a Word document carrying a malicious macro, appropriately named “hightechdad.com_contract.doc”. I didn’t get infected though. I decided to investigate and analyze it instead. And, I wanted to pass on a warning to others.

Malicious Word macro warning - watch out!

There were several things that raised my concern about this:

  • Gmail automatically put it into my Spam folder
  • I did not know the sender
  • Trying to preview the attachment revealed no details on a “contract”
  • The preview said I had to both enable Editing AND enable Content

And there were items that almost faked me out:

  • The subject had my domain in it
  • The attachment had my domain in it
  • The email itself looked somewhat legitimate
  • The company sender in the email actually exists

So I decided to carefully step into analyzing this seemingly legitimate Word document.

This is what the email looked like.

Malicious Word macro warning - email

It simply stated: “I have attached our contract. Please check it and let me know if you want to add any changes.” The writing was fine. In many cases with phishing scams, the grammar or punctuation is incorrect. In this case, it wasn’t.

There was a signature line. You can see it in the image above but this could be easily changed and may vary with other cases of this malware. And the signature matched the supposed sender’s domain. That all looked ok.


One way to possibly prevent Word macros from executing (and I am talking about on a Mac here) is to preview the document. If you save the document to your hard drive, you can click on it and then hit the Spacebar. This will usually bring up a preview. When I did that, this is what I saw.

Malicious Word macro warning - attachment preview

It did bring up a preview of the content of the file but not of the malicious Word macro. It said:

  1. Open the document in Microsoft Office. Previewing online is not available for protected documents.
  2. If this document was downloaded from your email, please click “Enable Editing” from the yellow bar above.
  3. Once you have enabled editing, please click “Enable Content” from the yellow bar above.

Hmm, my red flag warning went up right there. You should NEVER enable macros unless you completely trust the sender and the legitimacy of the document. Even then, you should be extremely careful!

Opening the attachment

Since I am on a Mac, I decided to actually open the document. I wouldn’t recommend this on a Windows machine. And I probably wouldn’t recommend it on a Mac either. But I wanted to learn more.

When I launched Microsoft Word, I was given the following warning:

Malicious Word macro warning - disable macros

This prompt will appear on both Windows and Mac versions of Microsoft Office. It is there to protect you so pay attention to that.

I clicked the “Disable Macros” button, which is the default. This disables the macros but still lets me view their code.

Viewing the Malicious Word Macros

Once I had the Word doc open, I decided to take a look at the various macros within it. Be careful never to run a macro, just view them. In Microsoft Word for the Mac, you can access the macros from the View > Macros menu.

Malicious Word macro warning - view macros

Once I did that, I could see there were a variety of macros within the document. Some in the first set of macros looked legitimate:

Malicious Word macro warning - macros #1

But scrolling down the list, I found some that looked like malicious Word macros:

Malicious Word macro warning - macros #2

Specifically, “pythium” and “trac” looked odd to me.

DON’T CLICK RUN! Click Edit instead if you want to view them.

Clicking on the Edit button brought up what to me looked like pretty complicated macro code. I normally can get a basic understanding of what a macro does because I have created some myself in the past. These looked very cryptic.

Below is a sample of the beginning of the malicious Word macro code.

Malicious Word macro warning - macros search string

Since I couldn’t understand what the macro was trying to do (I’m not a coder), I decided to search the web for some of the lines of the macro itself. The lines I searched for are highlighted above.
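Cryptic macro code like the kind described above can be triaged statically, without running it, by looking for auto-run entry points, risky object calls, and the Chr()/StrReverse() tricks that hide strings from a plain text search. This is an added Python example, not code from the post or from any analysis service; the macro text, the indicator list and the scoring weights are constructed for illustration.

```python
import re

# Constructed sample written for this example (not the macro from the post).
# It copies the shape the post describes: runs on open, cryptic procedure
# names, and a payload string built from Chr() so a plain search misses it.
SAMPLE_VBA = r'''
Private Sub Document_Open()
    pythium
End Sub

Sub pythium()
    Dim trac As String
    trac = Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108)
    Set obj = CreateObject(trac)
    obj.Run Environ("TEMP") & StrReverse("exe.tcartnoc\"), 0
End Sub
'''

# Indicator patterns: an illustrative subset, not an exhaustive list.
AUTO_EXEC = re.compile(r"\b(AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b", re.I)
SUSPICIOUS = re.compile(r"\b(?:CreateObject|WScript\.Shell|URLDownloadToFile|Environ|XMLHTTP|ADODB\.Stream)\b|\.Run\b", re.I)
CHR_CALL = re.compile(r"\bChr\s*\(", re.I)
CHR_CHAIN = re.compile(r"Chr\s*\(\s*\d+\s*\)(?:\s*&\s*Chr\s*\(\s*\d+\s*\))+", re.I)
STR_REVERSE = re.compile(r'StrReverse\s*\(\s*"([^"]*)"\s*\)', re.I)

def decode_strings(vba):
    """Recover text hidden behind Chr() chains and StrReverse() literals."""
    out = []
    for chain in CHR_CHAIN.finditer(vba):
        out.append("".join(chr(int(n)) for n in re.findall(r"\d+", chain.group(0))))
    for lit in STR_REVERSE.finditer(vba):
        out.append(lit.group(1)[::-1])
    return out

def triage_macro(vba):
    """Static read of VBA source: nothing is executed, only text is inspected."""
    decoded = decode_strings(vba)
    # Scan the decoded strings too, so a hidden "WScript.Shell" still counts.
    visible = vba + "\n" + "\n".join(decoded)
    auto_exec = sorted({m.group(1) for m in AUTO_EXEC.finditer(vba)})
    calls = sorted({m.group(0).lstrip(".") for m in SUSPICIOUS.finditer(visible)}, key=str.lower)
    obfuscated = len(CHR_CALL.findall(vba)) >= 5 or bool(STR_REVERSE.search(vba))
    # Weights are an assumption for this example; tune them to your own triage policy.
    score = 3 * bool(auto_exec) + min(len(calls), 3) + 3 * obfuscated
    verdict = "likely malicious" if score >= 6 else "review" if score >= 3 else "no indicators"
    return {"auto_exec": auto_exec, "suspicious_calls": calls, "decoded_strings": decoded,
            "obfuscated": obfuscated, "score": score, "verdict": verdict}
```

Running `triage_macro(SAMPLE_VBA)` reports the Document_Open trigger, the decoded “WScript.Shell” string that never appears literally in the source, and a “likely malicious” verdict; a macro that only formats text scores zero.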

Malicious Word macros search & analysis results

I was happily surprised to find that my search produced some good results. On top of that, I discovered a very helpful free service that lets you analyze documents for viruses or malware.

The site is called Reverse.it and is provided by a company called Payload Security. It also uses another domain, hybrid-analysis.com. All three names refer to the same service: an automated malware analysis system that runs documents in protected virtual environments and sandboxes to look for threats. (Note: I have no affiliation with this company.)

So I uploaded the attachment for analysis and within a few minutes received a tremendously intricate report of the analysis. Below is the top section of the results.

Malicious Word macro warning - top of analysis

Just from reading the top portion, I knew the file was bad. It was flagged as “malicious” and had a threat score of 69/100. It was noted as a “Spyware/leak – POSTs files to a webserver” and “Network Behavior – Contacts 2 domains and 2 hosts”. That basically means that this malicious Word macro will upload your files to some foreign server somewhere. YOW!

That alone made me realize it was important for me to share this malicious Word macro warning.

If you want to see the Full Analysis of the file I received, you can view it here.

I also searched the Payload Security service for files containing “_contract.doc” that had been analyzed by their service, and there were two pages of results. So, I’m guessing this particular malicious Word macro malware has been out there for a while.

But if you have files you are concerned about that you have received as attachments, you can upload them to this service to see if they are dangerous or not.

The bottom line

There are lots of threats out there, especially in the form of legitimate looking emails and attachments. If you don’t know the sender, don’t open the attachment. If you aren’t expecting an attachment, don’t open it. If you don’t have anti-virus software, get some. If you received a message from your financial institution, don’t click on the link (go to the site directly instead). You get the picture. Be overly cautious.

HTD says: It is critical to be extremely cautious when it comes to digital files, email and your day-to-day activity. Just slow down and be careful!


  1. What if I already opened and clicked enable!?!?!!? Realized the second I pressed it, this was malicious… UGH!?!?!?

