
MS Word Files are safe! Or are they?


taverr


There was recently a topic by @writer99025 discussing whether Dropbox text files are safe in comparison to MS Word docs. Though MS Word files seem pretty safe to use and you have good trust in your anti-virus, things could go wrong for you.


I recently had this message from a buyer -


So, there was an MS Word doc file to download from that link. My gut was telling me that something was wrong here, so I opened the doc in a sandboxed Word window.

Result-
There was a VB macro malware attached to the doc.



But the funny thing is, when I decompiled it (that’s pretty easy for Word macros) there wasn’t any password stealer program as I was expecting. Instead there was a short piece of code, linked to the VB engine, to produce a .bat file with some commands to run the IE window over and over, and another snippet to add itself to the registry (perhaps to run itself when Windows starts).


I then disabled macro execution in MS Word and again downloaded and opened the doc straight from Chrome. >>> It opened undetected by the anti-virus. I tried it with Avast! and QuickHeal and the case was the same with both.


So, to conclude-

  1. Remember that MS Word files are not always safe. (The same goes for the files of all the programs in the MS Office suite.)
  2. Don’t open doc files straight from the download bar of your browser; they open unscanned by most anti-virus programs.
  3. Disable macro execution in all the programs of the Office suite.


Good to see a thread regarding this MS word malware topic.
Just 4 days back I received a similar message from what looked like a potential buyer.
So basically he wanted to have a website designed and said that he has uploaded the project details on a file sharing website.
As I opened the document in MS Word, my AV detected the malware and blocked it.


I wouldn’t have bothered much about it, but a strange thing happened a day later.
Just as I was about to go to bed, I received an email notification on my mobile that said that I had initiated a withdrawal request from my Fiverr account.
Without wasting any second, I logged into my Fiverr account and changed my passwords (using the virtual keyboard).
Then logged into my email and to my shock, the withdrawal request email was just gone.
I immediately changed all of my passwords.
One thing that hit me was, it would not be possible for someone to hack into my email as it has 2-step verification and I would be notified even if there was an attempt.
But then again, I sent a message to Fiverr CS and their better when they said that there was no withdrawal attempt made from my account.
This whole thing just felt like as if it happened in my dream.
Maybe my email client sent me an earlier notification by mistake or something.
But anyway, it’s all good now.
This goes out to all the sellers, to have the maximum security enabled for all your accounts if anything goes wrong in future.


Based on the result, the document itself wasn’t harmful; the problem was what it was going to download. It shows a basic downloader which will link to the real file on another server. I think PDFs are safer because MS only opens a readable, edit-disabled version. If it has a virus it won’t open.


It won’t need to download anything. One can easily make standalone malware using an MS Word doc. I went through a few articles yesterday about it and came to know that .bat files can be produced and executed by a macro. So, through command-line code these malwares can basically do anything without depending on any external downloads. 😨


So @taverr , can you tell in simple words if a client sends an MS Word file by attachment on a Fiverr message, what should I do? I have Norton antivirus.

Go through all the programs in the MS Office suite (Word, Excel etc.) and disable macro execution from the settings. P.S. Don’t open the docs by directly clicking on them from the download bar, but rather from their storage folder.


I noticed something some time back on the BR. A guy wanted a PDF converted to Word. My gut told me the guy was up to no good. The funny thing is, when I clicked the PDF, I think Fiverr had encoded it and my computer didn’t know what it was or how to open it. So I directed it to Office, which warned me that the PDF wanted to launch a macro exe file. I tried Sumatra, which gave an error: macro detected, cannot render file. Notepad++ displayed the whole code, which was encoded, so I didn’t know which kind of exe was in there, and when I tried Acrobat it displayed nothing but opened a new blank PDF file. My anti-virus didn’t even blink. I think that some of these files, when sent through the BR, can escape unnoticed but are easily detected when sent directly to the inbox.


Good catch @taverr. I hope you shared it with CS.

This is why I always upload the downloaded files to online document viewers. One can not only write macros within documents but one can simply use a ‘MS Word’ icon for a fully executable .exe file. Double click it and it executes immediately.


The weakest link in any leak is always a human error. 🙂

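As an added example (not code from this thread or from any of its posters), a small Python triage script that covers the two file tricks discussed above: the macro-carrying document from the opening post and the “.exe with a Word icon” mentioned in the post just above. It inspects a downloaded file’s bytes offline before anyone double-clicks it; the sample document it builds is constructed inline, and vbaProject.bin is the part where OOXML files store VBA.

```python
import io
import zipfile

# Magic bytes of the three container formats that matter in this thread.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls (CFB)
ZIP_MAGIC = b"PK\x03\x04"                           # .docx/.docm/.xlsm (OOXML zip)
MZ_MAGIC = b"MZ"                                    # Windows executable (PE)


def triage(data: bytes) -> str:
    """Classify a downloaded 'document' by its content, not by extension or icon.

    Returns one of: 'executable', 'ooxml-with-macros', 'ooxml-no-macros',
    'legacy-ole-review', 'unknown'.
    """
    if data.startswith(MZ_MAGIC):
        return "executable"                      # renamed .exe, whatever icon it shows
    if data.startswith(OLE2_MAGIC):
        # A legacy .doc can carry VBA in its 'Macros' storage; without an OLE
        # parser we cannot rule that out, so flag it for review in a sandbox.
        return "legacy-ole-review"
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        # OOXML keeps VBA in a vbaProject.bin part (under word/, xl/ or ppt/).
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "ooxml-with-macros"
        return "ooxml-no-macros"
    return "unknown"


def make_sample_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML zip in memory (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00placeholder-vba")  # constructed
    return buf.getvalue()


if __name__ == "__main__":
    print(triage(make_sample_docx(True)))        # ooxml-with-macros
    print(triage(make_sample_docx(False)))       # ooxml-no-macros
    print(triage(b"MZ\x90\x00" + b"\x00" * 60))  # executable
    print(triage(OLE2_MAGIC + b"\x00" * 64))     # legacy-ole-review
```

A file that comes back as anything other than 'ooxml-no-macros' is exactly the kind the thread says to open only in a sandbox, with macros disabled.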

Alright.
Here’s an update on my situation today.
Just received an email this morning that my Amazon email address has been changed to a different one.
Upon contacting Amazon, I got to know that there were 3 orders placed using my Amazon GC.
They have taken up my request to check into this.
This is literally scaring me to death at the moment.
I have scanned my computer and there was no malware or anything found in it.
I just don’t understand how someone was able to change the e-mail address and place these orders.
The email registrar used is a mail.ru .
Can someone please help me identify where to look for a clue in my computer?
Thank you in advance.


The problem might not be in your computer. When was the last time you accessed your account?


May be around a month ago.

Another thing is that I have never accessed my Amazon account in a public computer cafe or on any other device.

You could have been infected through many ways. I know this because I am a reformed ******. Maybe you clicked on a link in your email, a website that pushes notifications and cookies.


Okay, will follow your advice.

You can additionally, instead of opening the file from your download folder, first right-click it and let your anti-virus run over it; seeing the window with all the 0s for found malware is at least a nice feeling, if nothing else. I don’t have Norton, but I assume you’ll get that option among the right-click options for all anti-virus programs.


  • 4 weeks later...

My payoneer account has just been hacked.

I suspect this thread describes what the hacker (on Fiverr) used. He sent me an MS document which contained hidden text on this link: https://www.sendspace.com/file/cxxxxxxxxxxxx (link edited to prevent you downloading it)

He used this email: baland.v@yandex.ru to transfer my payoneer funds.

I have reported to Fiverr and Payoneer support already. What next will I have to do?

Sorry to know that this happened to you, but you need to remove the link and the email ID in order to prevent users from accidentally downloading that…


Thanks. I will edit it.

After reading this post, I was convinced that was what happened to me. The user has blocked me from replying to him and it looks like the account was also disabled.


You need to blur the name in there too 😉

Probably he sent the message to several people, got reported by several, and Fiverr suspended the account.

Sorry for you. I hope payoneer will react fast and you won’t go through too many hoops proving it’s your account and such

🍀


I’m just frustrated! All my 2017 earnings gone just like that…😫


Hmmm… I actually got the warning but ignored it. Thinking I was dealing with a legitimate potential buyer. In a short word: “I was desperate for the job”.

Someone told me that you can use an online document viewer; it is safer. As far as the file you downloaded goes, it doesn’t contain any actual information, just some words that don’t make sense.
