January 14, 2016Dan Para By Dan Para: Threat Research Analyst

A look at a typical macro infection

For over a decade, one of the most common ways to infect a computer with malware has been the implementation of “macros” in Word and Excel documents. Macros are small scripts that automate a series of commands in a document; most commonly they are used to automate legitimate repetitive tasks in applications like MS Excel and MS Word. Because of the security issues inherent to macros, Microsoft added security features in Office 2003 and all subsequent Office releases in order to curb macro abuses. In particular, the use of macros is disabled by default in Microsoft Office applications, requiring the user to manually turn macros on in order to use them.

Because of this, it is less likely to be infected by a document containing a malicious macro, but it is still possible. Typically, a document containing a malicious macro these days will be accompanied by instructions that ask the user to enable macros in their Office applications. Fortunately, these types of attacks are easy to detect if you know what to look for.

The first thing to be aware of is that unless you already use macros regularly in your work, you will probably never be sent a legitimate document that contains a macro script. In the case that you do use macros regularly, they will usually be similar types of documents that come from the same sources. If you receive a document via e-mail from an unknown sender, and the document contains macros, it is probably malware and should be deleted immediately.

The most popular type of malware infection these days comes in the form of a bogus shipping e-mail, such as a UPS Shipping Notice or a USPS “failed delivery” e-mail, as shown below:


In this example, we can see a few different things that would alert you to the fact that it is bogus. First, observe the “From” e-mail address. The e-mail claims to be from the USPS but the sender is from “no-reply@Postal-Reporter.com” instead of a “USPS.com” e-mail address. Secondly, because the e-mail address is an unknown or previously uncontacted sender, the fact that the message has a document attached is highly suspicious. We would recommend immediately deleting an e-mail like this and would especially advise not downloading or opening the attached document.

If this type of document is downloaded, it may not be immediately detected by security software because the document itself does not contain malware. It is only when macros are run that the malicious script is activated; usually this would trigger a download and launch of malicious software.

When this document is opened, what you will usually see in MS Word is something like this:


The document contains no real information but is meant to trick you into believing that you will not be able to read a message without enabling macros in MS Word. You can see that MS Word displays a yellow bar with “SECURITY WARNING: Macros have been disabled.”, also giving you the option to “Enable Content”. This is your clear warning that something is not right with this document. If you have opened a suspicious document and have gotten this far, you should immediately close and delete the document before going any further with it.


Knowing how to spot these types of attacks is the best way to avoid them, but there is one more thing you can do to ensure that a malicious macro document does not infect your computer. By default, the “Trust Center” setting for macros is “Disable all macros with notification”. This means that if macros are detected in a document, you will see that yellow “SECURITY WARNING” bar. We would recommend changing this setting to “Disable all macros without notification”, which will simply block the ability to use macros without prompting you to enable them:


This is especially useful if you share your computer with others who are not already trained in spotting these types of malicious documents. We hope that this helps you to pre-emptively detect and avoid these types of infections in the future.

Share Button

Leave a Reply

Your email address will not be published. Required fields are marked *