Avoid Microsoft Word Macro Exploits

Everything old is new again.  An e-mail came in from a legitimate contact but the email was clearly a fraud and the attachment was sketchy.  I thought I’d take a look, but having recently upgraded my version of Microsoft Word, that I need to make a few changes first.  Everyone should be running Office products with macro capabilities as disabled as possible.

Disable Macros

I’d recently upgraded to Microsoft Word 2016 and realized I no longer had the Developer’s toolbar.  This is how I have always accessed Word macros in the past.

Microsoft Word Developer ribbon

If you select Macro Security, you can easily access your settings to disable macros.  If you don’t have a Developer tab on your ribbon, you can do one of two things:

  • Access the Trust Center directly (File > Options > Trust Center)
  • Add the Developer’s ribbon (File > Options > Customize Ribbon) and scroll down the right list until you see Developer, and check the box next to it

The Trust Center is an easier access point for most people, although I’m surprised how often I record a simple macro and tweak it when I’m trying to automate some mundane process.  If you opt to just access the Trust Center, you’ll see this window.  Click on the Trust Center Settings button on the right to get to the macro security.

Access the Microsoft Word Trust Center settings by clicking the button

There are 4 settings.  My version of Word defaulted to the second most secure – allow macros WITH notification.  That means that a macro will be allowed to run, but only if you authorize it.  Frankly, I dont trust that setting because I’m always concerned that something can send a click to bypass that authorization (I added a root account on my Windows 10 machine to avoid the same problem globally) .  I moved my macro security up to the first setting – disable all macros.

I’d start there.  If you find that you need to run macros, then you can always tweak slide it down.  But I’d probably only make a temporary change, for a trusted file, and then toggle it back to fully disabled macros.

Avoid Calamity

I’ve already documented here and here the outcome of opening a macro file.  When you’re dealing with attachments, I used to say download it and scan it.  Right click on the file – don’t ever double click an attachment and open it – and save it to a disk.  Then right click on the downloaded file, and scan it with your anti-virus.

I’m joining the ranks of people who see anti-virus as questionable benefit.  If you think it’s actually protecting you and you lower your guard, you might as well not have it.  After Windows Defender didn’t find the macro exploit in the Word document, I uploaded it to Virustotal.  As in the past, none of the most common anti-virus tools found the exploit in their definition.

Virustotal results showing that only 7 anti virus products found the exploit, a downloader

Not Avast, AVG, Kaspersky, Comodo, etc.  It’s not hard to see why, because the macro appears to be broken down to the point where there are very few actual strings in it.  If the anti-virus is looking for a particular line of text or programming, these macros may not give it enough to use.

Don’t do this yourself.  But I opened the file with macros disabled, now that I knew it was a macro exploit.  As has happened in the past, the document appears to be single box or colored page, that tells you to do something.  In this case, it told me to Enable Editing on a yellow bar in Windows.  This is gambling.  They are assuming that someone received the file as an attachment, double-clicked it, causing Word to open the file in read-only mode.  In that case, there would be a yellow bar warning me that the file wasn’t trustworthy.  The exploit authors are telling double-clickers to disable that protection.

In the event, nothing happens.  The macro is called Auto-Close.  It’s one of 3 standard macros (Auto Open is another) and all someone has to do is create a macro and name it, and it will run automatically when the file is closed.

The macro is a downloader.  But there’s no URL in the entire thing.  I don’t know enough about code to be sure, but my guess is that those arrays contain all the letters and characters (including colon and backslash) to build the URL.  And the functions, using gibberish words to make them harder to pin down by anti-virus, somehow build the URL and start the download to commence.

Macro using random words for functions and an array to recreate the necessary strings

This is why training has got to be part of the mix.  If Word macro security is bypassed, or anti-virus misses it, then a staff person or lawyer opening this file gets a surprise.  It would be inconsequential to change this macro, using other words for functions.  And repeat.  And each time, staying ahead of the endpoint security applications.

In my recent Confidentiality in a Wired World session, I stressed that the technology is just a funnel.  But every funnel has an exit spout and the lawyer or staff are the final gatekeeper.