Jump to content

Infected - Document12.doc


Recommended Posts

After getting an email I was expecting from a trusted source, I downloaded, unzipped, and clicked on the file: Document12.doc 

I told later that it was a virus. Doh!

Downloaded malwarebytes and ran the program. Said I was clean. 

I do not have microsoft office and am running mac os x. When I foolishly clicked on the file it said "Pages cannot open this file"

[link removed]

See the link for the file

Edited by treed
Removed link to malicious file
Link to post
Share on other sites

First and foremost, never post the link to an infected anything here. The proper place to submit suspected Mac malware is the Newest Mac Threats forum where it can only be downloaded by the staff and those who know how to handle such things. I'll see what I can do about having the link removed by an admin.

Most importantly for you, since Pages couldn't open the file, nothing about it could have harmed your computer.

And most infected .doc files only impact Windows computers.

Who told you later that it was a virus, the trusted source?

The document requires a password, so that may explain why Pages couldn't open it and another reason it couldn't harm your computer, but it's also possibly the reason Malwarebytes said you were clean as it cannot examine the file if it is capable of doing anything harmful to a Mac. If you have the password, please don't post it here.

 

Link to post
Share on other sites

  • Staff

I removed the link to the malicious document, but I noticed that it just went to a 404 page anyway, so was unable to retrieve the document. I'd be interested to see it, if you still have it.

As Al mentioned, opening it with Pages wouldn't harm your computer. Microsoft Word documents can only be harmful when opened with Microsoft Office, and then only if they contain malicious macros and you allow the macros to run. Pages is capable of opening Word documents, but will not run any macros contained in those documents.

That said, although most macro malware targets Windows machines, there are an increasing number of malicious macros that are targeting Mac users, so I'd be interested in seeing the file, both to see if it has any Mac-specific macro code and to pass on to our Windows researchers.

Link to post
Share on other sites

  • Staff

Well, it contains highly obfuscated VBA scripts. VBA is not my area of expertise, so I've got no idea how to deobfuscate it, but I've passed it on to our research team to see if anyone else can figure it out.

It's definitely malicious, because you don't see this kind of obfuscation in a legitimate VBA script. But fortunately, it would not have affected you at all from your attempt to open it with Pages.

Link to post
Share on other sites

ClamXAV identifies it as Doc.Downloader.Emotet-6858130-0, added to the ClamAV database on Feb 9. That's one of several variants of an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans which has been increasingly been seen for about a year now. CERT issued this alert last summer: https://www.us-cert.gov/ncas/alerts/TA18-201A. Not know to have infected macOS.

Link to post
Share on other sites

  • Staff

To add to what Al said, our researchers were able to confirm that the malicious macros in this document are no longer able to connect to the backend command and control server, so the malicious code in this particular document is effectively dead even if you were to run it in Word... plus it does not appear to be targeting Macs with any Mac-specific code.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

  • Recently Browsing   0 members

    No registered users viewing this page.

Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.