
Infected - Document12.doc



After getting an email I was expecting from a trusted source, I downloaded, unzipped, and clicked on the file: Document12.doc 

I was told later that it was a virus. Doh!

Downloaded Malwarebytes and ran the program. Said I was clean.

I do not have Microsoft Office and am running Mac OS X. When I foolishly clicked on the file it said "Pages cannot open this file"

[link removed]

See the link for the file

Edited by treed
Removed link to malicious file

First and foremost, never post the link to an infected anything here. The proper place to submit suspected Mac malware is the Newest Mac Threats forum where it can only be downloaded by the staff and those who know how to handle such things. I'll see what I can do about having the link removed by an admin.

Most importantly for you, since Pages couldn't open the file, nothing about it could have harmed your computer.

And most infected .doc files only impact Windows computers.

Who told you later that it was a virus, the trusted source?

The document requires a password, so that may explain why Pages couldn't open it, and another reason it couldn't harm your computer, but it's also possibly the reason Malwarebytes said you were clean, as it cannot examine the file if it is capable of doing anything harmful to a Mac. If you have the password, please don't post it here.


  • Staff

I removed the link to the malicious document, but I noticed that it just went to a 404 page anyway, so was unable to retrieve the document. I'd be interested to see it, if you still have it.

As Al mentioned, opening it with Pages wouldn't harm your computer. Microsoft Word documents can only be harmful when opened with Microsoft Office, and then only if they contain malicious macros and you allow the macros to run. Pages is capable of opening Word documents, but will not run any macros contained in those documents.

That said, although most macro malware targets Windows machines, there are an increasing number of malicious macros that are targeting Mac users, so I'd be interested in seeing the file, both to see if it has any Mac-specific macro code and to pass on to our Windows researchers.


  • Staff

Well, it contains highly obfuscated VBA scripts. VBA is not my area of expertise, so I've got no idea how to deobfuscate it, but I've passed it on to our research team to see if anyone else can figure it out.

It's definitely malicious, because you don't see this kind of obfuscation in a legitimate VBA script. But fortunately, it would not have affected you at all from your attempt to open it with Pages.

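One way to turn the "you don't see this kind of obfuscation in a legitimate VBA script" observation into something checkable, as an added example that is not code from this thread or from Malwarebytes: a small Python scorer that counts common macro-obfuscation indicators (auto-run entry points, runtime string assembly with Chr(), string transforms, object creation, machine-generated identifier names) over two constructed macro snippets. The sample macros, the indicator patterns and the flagging threshold are assumptions for illustration, not taken from the document discussed here.

```python
import re

# Constructed samples, not the macros from the document in this thread.
OBFUSCATED_VBA = """
Sub AutoOpen()
    Dim q9Lm As String
    q9Lm = Chr(72) & Chr(101) & Chr(108) & Chr(108) & Chr(111)
    Set Hx7Tq = CreateObject(StrReverse(q9Lm))
End Sub
"""

BENIGN_VBA = """
Sub FormatReport()
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
    MsgBox "Report formatted"
End Sub
"""

# Indicator patterns: entry points that run without a click, runtime string
# assembly, string transforms used to hide literals, and object creation.
AUTOEXEC = re.compile(r"\b(AutoOpen|Document_Open|AutoExec|Workbook_Open)\b", re.I)
CHR_CALL = re.compile(r"\bChr[BW]?\s*\(", re.I)
STRING_OPS = re.compile(r"\b(StrReverse|Replace|Split|Xor)\b", re.I)
OBJECT_CREATE = re.compile(r"\bCreateObject\b|\bShell\b", re.I)
IDENT = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*\b")

def score_vba(src):
    """Return (score, reasons): one point per obfuscation indicator found."""
    reasons = []
    chr_calls = len(CHR_CALL.findall(src))
    if chr_calls >= 4:
        reasons.append(f"{chr_calls} Chr() calls assemble strings at runtime")
    if STRING_OPS.search(src):
        reasons.append("string-transform functions hide literals")
    if AUTOEXEC.search(src):
        reasons.append("auto-executing entry point")
    if OBJECT_CREATE.search(src):
        reasons.append("object or process creation call")
    # Machine-generated names: identifiers that mix letters and digits.
    noisy = {i for i in IDENT.findall(src) if len(i) >= 4 and any(c.isdigit() for c in i)}
    if len(noisy) >= 2:
        reasons.append(f"{len(noisy)} identifiers look machine-generated: {sorted(noisy)}")
    return len(reasons), reasons

def is_suspicious(src, threshold=3):
    """Flag a macro for analyst review once enough indicators stack up."""
    return score_vba(src)[0] >= threshold
```

Extracting the macro text from a real .doc is a separate step (tools such as olevba do that); this scorer only ranks what is already extracted.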

ClamXAV identifies it as Doc.Downloader.Emotet-6858130-0, added to the ClamAV database on Feb 9. That's one of several variants of an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans, which has increasingly been seen for about a year now. CERT issued this alert last summer: https://www.us-cert.gov/ncas/alerts/TA18-201A. Not known to have infected macOS.


  • Staff

To add to what Al said, our researchers were able to confirm that the malicious macros in this document are no longer able to connect to the backend command and control server, so the malicious code in this particular document is effectively dead even if you were to run it in Word... plus it does not appear to be targeting Macs with any Mac-specific code.
