
How can I tell if a couple of .docm files are infectious?


JVCCAT


A user whom I support recently got a couple of suspicious emails with .docm attachments. Before she opens them, I'd like to find out if they have Cryptowall/blocker.

 

I scanned them with the latest updated MBAM and Avast! and they both came back clean.

 

I realize you can't guarantee anything, but does that typically indicate that they are safe?


.DOCm files are MS Office documents for MS Word (and applications compatible with the format) that contain VBA macros.
 
Back in the days of Office 95 and Office 97, macros were used in a way where a document was indeed "infected" with a macro virus, which would in turn "infect" legitimate documents, infecting the MS Office environment. Thus a document infected with a macro virus could infect a non-infected system using MS Office. Because an infected system could infect clean documents, which could in turn infect a clean MS Office environment, they are considered viruses because the code autonomously spreads from system to file and file to system. However, one may consider it a parasitic infection in that it only "infects" MS Office and its documents. It did not infect a computer outside of MS Office. At the same time, it could affect a non-Windows system using that OS's version of MS Office.
 
This is not the case today. We no longer see macro viruses in play. What we do see are MS Office macro trojans. The MS Office documents are deliberately created to be malicious. The documents are used as a delivery system to infect a computer with a laundry list of other trojans, many of which are crypto trojans, password stealers and others like Dridex. The two types are...

  • Macro Downloaders
  • Macro Droppers

Macro Downloaders are MS Office documents whose malicious macros download a payload from the Internet and execute the payload.
 
Macro Droppers are MS Office documents which have a payload embedded in the MS Office Document and whose malicious macro executes that payload.
 
One can submit suspect MS Office document(s) to VirusTotal and examine the resultant report. If it is flagged, then just delete the file and email.
 
Remember that one must enable Office macros to effect a payload. Since the days of macro viruses, Microsoft has made sure the macro security of MS Office is set to "High", which requires the end-user to allow the execution of macros. There are Group Policies to enforce that as well as to block the user from altering the macro security settings.
 
 
Malwarebytes' Anti-Malware (MBAM) does not target scripted malware files. That means MBAM will not target: JS, JSE, PY, HTML, VBS, VBE, WSF, CLASS, SWF, SQL, BAT, CMD, PDF, PHP, etc.
It also does not target documents such as: PDF, DOC, DOCx, DOCm, XLS, XLSx, PPT, PPS, ODF, etc.
It also does not target media files: MP3, WMV, JPG, GIF, etc.
 
However, Malwarebytes' Anti-Exploit (MBAE) is designed to deal with many of the types of malware associated with scripts, documents and media files. MBAE protects the computer against exploitation attempts, whether they are exploits of software vulnerabilities or take advantage of an application in an unusual way, and it works at an "action level" and not a "file level" like MBAM. MBAE provides protection for applications that are commonly known to be associated with and normally used by the file type.
Reference: MBAE FAQ
 
While MBAM may not target malicious document files, it does target their payload, so the public is invited to submit the file to Malwarebytes such that the payload can be ascertained and, if the payload is not already detected, Malwarebytes can create signatures for it/them.

 

Submissions are posted in... Newest Malware Threats
 
Please reference the following on how to provide sample submissions such that Malwarebytes' Anti-Malware (MBAM) can detect targeted but presently undetected threats.

Malware hunters please read
Purpose of this forum
Malware Hunters group
 
Upload Directions:

  • Take the files and put them in a ZIP or RAR archive file.
  • Create a new post and paste the VirusTotal (or other service) report URL in the body of the post.
  • Choose "More Reply Options" on the bottom right of the web form.
  • Now choose "Attach Files" on the bottom left of the web form.
  • Browse and find your ZIP or RAR file.
  • Choose "Add Reply" and there's your post with your attachment(s).
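The answer above distinguishes a macro trojan (a .docm carrying a VBA project that downloads or drops a payload) from a plain document, and recommends checking the file on VirusTotal rather than trusting a clean local scan. The following is an added example, not code from the thread or from Malwarebytes, showing how a help desk can do a first offline triage of such an attachment: every .docx/.docm is a ZIP package, so the presence of the `word/vbaProject.bin` part and the macro-enabled content type can be read without opening the file in Word or running anything inside it, and the SHA-256 can be looked up on VirusTotal before deciding whether to upload. The `build_sample` helper constructs minimal stand-in packages so the script runs offline; the exact part names and content types are the standard Office Open XML ones, while the verdict wording is this example's own.

```python
"""Offline triage of a .docm attachment: is a VBA project stored, and what is its SHA-256?"""
import hashlib
import io
import zipfile

# Content type Word records in [Content_Types].xml for the main part of a macro-enabled (.docm) file
MACRO_MAIN_TYPE = "application/vnd.ms-word.document.macroEnabled.main+xml"
# Content type of the main part of a plain .docx
PLAIN_MAIN_TYPE = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# The package part that holds the VBA project; it only exists when macros are stored in the file
VBA_PART = "word/vbaProject.bin"


def triage_docm(data: bytes) -> dict:
    """Summarise an Office Open XML file given as bytes without opening it in Word.

    Only the ZIP container is inspected; no document content or macro is executed.
    """
    summary = {
        "sha256": hashlib.sha256(data).hexdigest(),  # search this on VirusTotal before uploading
        "is_ooxml_zip": False,
        "has_vba_project": False,
        "declared_macro_enabled": False,
    }
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return summary  # legacy binary .doc, a renamed executable, or junk: not an OOXML package
    summary["is_ooxml_zip"] = True
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        summary["has_vba_project"] = VBA_PART in names
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            summary["declared_macro_enabled"] = MACRO_MAIN_TYPE in content_types
    return summary


def verdict(summary: dict) -> str:
    """Turn the summary into the decision the help desk needs before the user opens the file."""
    if not summary["is_ooxml_zip"]:
        return "not an OOXML package: treat as unknown, check the hash and submit the sample"
    if summary["has_vba_project"] or summary["declared_macro_enabled"]:
        return "macro-enabled: do not open; check the SHA-256 on VirusTotal and submit the sample"
    return "no VBA project stored: macro-trojan path absent (other document attacks still possible)"


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal stand-in package in memory (constructed test data, not a real document)."""
    main_type = MACRO_MAIN_TYPE if with_vba else PLAIN_MAIN_TYPE
    vba_override = (
        '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
        if with_vba else ""
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        f"{vba_override}</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body, not real WordprocessingML
        if with_vba:
            # OLE compound-file magic followed by padding: marks the part as present, contains no macro code
            zf.writestr(VBA_PART, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (
        ("macro-enabled", build_sample(True)),
        ("plain", build_sample(False)),
        ("not-a-zip", b"MZ constructed junk"),
    )
    for label, blob in samples:
        s = triage_docm(blob)
        print(f"{label:14} sha256={s['sha256'][:16]}... vba={s['has_vba_project']} -> {verdict(s)}")
```

Run it against a real attachment with `triage_docm(open("attachment.docm", "rb").read())`. A file with no VBA part is not thereby proven safe (the post's own point is that MBAE exists because documents can also carry exploits), but a stored VBA project in an unsolicited attachment is exactly the downloader/dropper case the answer describes, and the hash lets you check VirusTotal for an existing report before uploading anything.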