
Potential Virus? From Windows Doc. File



Hello, I’m very new at this and was looking for some help. I accidentally opened a Zip file (and I swear I never do this); it seemed legit. The email came from a source we email frequently, and it was something random. Even though it seemed sketchy, this person has sent similar random files before, so I thought it might have been legit? Well, needless to say, it was a Zip file they sent via email that required a password to open.

In the Zip file was a Word document file. When I opened it, it asked me to enable content, which I did; then it asked if I wanted to enable macros, which I also did. Nothing (seemingly) happened that I could tell; it still said to click enable, which I didn’t. I deleted the file immediately and emptied it from the trash. Note: I originally downloaded it to a flash drive. I have been searching everywhere trying to find answers, but I don’t know what it is, or if I’m infected at all. Can anyone please help me? I didn’t attach the file, just in case, but could I send it to someone for review? Not sure how this goes. I am currently running macOS Mojave 10.14.

 

Below is the VBA code from the file. It just looks like a bunch of computations to me, so I can’t tell if I should be concerned or not?

REMOVED MACRO

Any help is appreciated. Thank you!

Edited by AlexSmith
Removed Macro

Please upload the complete file to the Newest Mac Threats forum, according to the instructions at the top of it. That will give members of the staff who specialize in VBA analysis and perhaps other experts in this area a chance to evaluate it without unnecessarily exposing other users if it actually is able to impact macOS.

It may be necessary to delete the VBA portion of your posting here should it be found to be malware.

Most macro-based malware is targeted against Windows only, but there have certainly been instances of it affecting Mac users as well, most of those against small groups of political foes. So you should not be overly concerned, but it certainly should be a lesson learned not to enable macros for files that you can't positively identify as coming from a trusted source.


Yes, new users are not able to edit due to numerous instances of spammers posting initially legit content, then returning later and editing their post to include spam. The only way to counter was to turn off user edits.

I brought your posting to the attention of administrators earlier, who will decide whether to delete that portion or not.


As you have probably seen already, it was definitely infected with Windows macro malware. I strongly doubt that you have been impacted by it in any manner, but you should warn any Windows users who might have received the same file about this.

It is a relatively new document which was first uploaded to virustotal.com on Apr 15 and was just added to the ClamAV signature database yesterday. The signature shows the need for six distinct ASCII strings, so that is reasonably strong evidence that it's infected.

I'll push a bit harder to have the VBA portion of your posting removed.

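What a multi-string logical signature like the one described in the post above actually checks, as an added example: this is not the forum's or ClamAV's code, it implements only a small subset of ClamAV's `.ldb` format (plain hex subsignatures, `&`, `|` and parentheses), and the six strings and the two sample macro texts are constructed placeholders, not the real signature for the file in this thread.

```python
"""Minimal matcher for ClamAV-style logical signatures (.ldb lines).

Added example, not code from the forum post or from ClamAV: it shows why a
signature that requires several distinct strings to ALL be present (the "six
distinct ASCII strings" mentioned in the thread) is stronger evidence than a
single-string match. The subsignature strings and the sample documents below
are CONSTRUCTED placeholders, not the real signature for the file discussed.
Supported subset of the .ldb format: plain hex subsignatures (no wildcards or
offsets) and logical expressions built from subsignature indexes, '&', '|'
and parentheses.
"""
import re


def parse_ldb(line: str):
    """Split 'Name;Target;Expr;hex0;hex1;...' and decode the hex subsignatures."""
    name, target, expr, *subsigs = line.strip().split(";")
    return name, target, expr, [bytes.fromhex(s) for s in subsigs]


def eval_expr(expr: str, hits) -> bool:
    """Evaluate an expression such as '0&1&2' or '(0&1)|2' against per-subsig hits.

    Tiny recursive-descent parser: '&' binds tighter than '|'.
    """
    pos = 0

    def peek():
        return expr[pos] if pos < len(expr) else ""

    def factor():
        nonlocal pos
        if peek() == "(":
            pos += 1
            value = or_expr()
            if peek() != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            pos += 1
            return value
        m = re.match(r"\d+", expr[pos:])
        if not m:
            raise ValueError(f"unexpected {peek()!r} in {expr!r}")
        pos += m.end()
        return bool(hits[int(m.group())])

    def and_expr():
        nonlocal pos
        value = factor()
        while peek() == "&":
            pos += 1
            value = factor() and value  # evaluate both sides so parsing continues
        return value

    def or_expr():
        nonlocal pos
        value = and_expr()
        while peek() == "|":
            pos += 1
            value = and_expr() or value
        return value

    result = or_expr()
    if pos != len(expr):
        raise ValueError(f"trailing input in {expr!r}")
    return result


def scan(data: bytes, ldb_line: str):
    """Return (signature name, per-subsignature hits, overall verdict)."""
    name, _target, expr, subsigs = parse_ldb(ldb_line)
    hits = [sig in data for sig in subsigs]
    return name, hits, eval_expr(expr, hits)


# Constructed placeholder strings: generic VBA tokens a detection might require
# together. They are NOT the strings from the real signature.
CONSTRUCTED_STRINGS = [b"AutoOpen", b"CreateObject", b"Chr(", b"Environ(", b"xor", b"Split("]

# 'Target:2' is ClamAV's target type for OLE2 containers (Office documents);
# the expression 0&1&2&3&4&5 requires all six subsignatures to match.
SIGNATURE_LINE = "Doc.Example.Constructed-1;Target:2;0&1&2&3&4&5;" + ";".join(
    s.hex() for s in CONSTRUCTED_STRINGS)

# Constructed sample macro text that contains all six tokens.
SUSPICIOUS_SAMPLE = (
    b'Sub AutoOpen()\r\n'
    b'  Set o = CreateObject(Environ("x"))\r\n'
    b'  s = Split(Chr(65), "|")\r\n'
    b"  ' xor\r\n"
    b'End Sub\r\n'
)

# Constructed benign sample: shares only two tokens (AutoOpen and Chr( ), which a
# single-string signature on either of them would have flagged as a false positive.
BENIGN_SAMPLE = (
    b'Sub AutoOpen()\r\n'
    b'  ActiveDocument.Range.Text = Chr(65) & " is A"\r\n'
    b'End Sub\r\n'
)

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        name, hits, verdict = scan(sample, SIGNATURE_LINE)
        print(f"{label}: {sum(hits)}/{len(hits)} subsignatures hit -> "
              f"{name + ' FOUND' if verdict else 'clean'}")
```

The point of the `&`-joined expression is the one made in the post: a document has to contain every one of the required strings before the signature fires, so a legitimate macro that happens to share one or two common tokens stays clean, while the reported file had to contain all six.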

Ah ok, thank you. I will definitely let people know, as this email looked very legit coming from this person: there had been previous conversations, the exact wording from their other emails, the same signature, everything, and I didn’t fully understand macros, so it never occurred to me that enabling them would be bad. It was only once I started researching that I realized. I had used Malwarebytes too right away, but it said it was clean; I had still been worried, though, as I wasn’t sure if it was something not yet seen or noticed. April 15 is when I first got the file too and opened it. Thanks for your help in understanding this better.

  • Staff

Looking at the VBA code you posted, it doesn't look like there's any Mac-specific code, which is good. Also good is the fact that recent versions of Microsoft Word are sandboxed, meaning that the VBA code they contain should not be able to access files on the hard drive, as they would need to in order to install malware. There are some known sandbox escapes, but I don't see signs of that kind of thing either. I suspect this is targeting Windows specifically.

I'll run it on a test machine later just to make absolutely sure, but I think it's likely that no harm was done.

You should probably alert your friend to the problem. There are two possibilities for why you got the e-mail from him. One is that someone spoofed his address, without having access to his account. However, that seems unlikely, as this wouldn't allow that person to have knowledge of the connection between you and him.

The other, and more likely, possibility is that his e-mail account has been hacked and used to send malware to all his contacts. Because of this, I'd tell him to change his e-mail account password ASAP. Then, he should also change the password on any online accounts using the same password, as well as any accounts using a different password but associated with that e-mail address. (Such accounts could have their passwords reset with access to the e-mail account.) If he's not using a different password on every account, and keeping track of them with a password manager, he should start doing that.


Thank you so much for the info and advice. I was worried for a while, but feel more at ease. I did speak with my friend about the e-mail; it turns out the e-mail was hacked. I passed on the advice as well, and he is working on changing all the passwords. I really appreciate all of the help and understanding I have received.

  • Staff

I opened that document on a test machine with the latest version of Microsoft Word, and it gave an automation error. There were no malicious changes made to the disk. Looks like all is good... just be wary in the future. I honestly wish that Microsoft would kill VBA already... I'm sure there are legitimate uses, but I've never encountered a document with legitimate VBA macros.
