- #What is microsoft office word software#
- #What is microsoft office word download#
- #What is microsoft office word free#
“We suggest it is safe to enable (macros) only when the document received is from a trusted source.”Ĭheck out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.Word has always been the workhorse app of the Microsoft Office suite.
#What is microsoft office word download#
“Malicious documents have been an entry point for most malware families and these attacks have been evolving their infection techniques and obfuscation, not just limiting to direct downloads of payload from VBA, but creating agents dynamically to download payload as we discussed in this blog,” researchers wrote. This allows the script to “execute the function seamlessly without any Microsoft Office warnings,” researchers wrote.Īfter disabling the trust access, a new Excel VBA is created and executed – triggering the download of Zloader. Once the Excel macro is created and ready to execute, the script will modify the Windows’ RegKey to disable trust access for VBA on the victim’s machine. Next, the parent Word file “creates a new VBA module in the downloaded Excel file by writing the retrieved contents.” Malware authors achieve the warning bypass by embedding instructions in the Word document to extract the contents from the Excel cells, researchers wrote. When the user ends the recorder, this macro is saved and can be assigned to a button that will run the exact same process again when clicked,” according to a description of VBA. “Excel will record all the steps a user makes and save it as a ‘process’ known as a macro. In this instance, as with other abuses of VBA, malware authors are creating malicious macro scripts. VBA allows users to create strings of commands using a tool called Macro Recorder. VBA is Microsoft’s programming language for Excel, Word and other Office programs. Next, the Excel document is populated with the Word-based VBA instructions. The Word document can then read specific Excel cell content of the downloaded. In this instance, the process updates the contents of a spreadsheet cell with information from Word. This is when the malware authors leverage DDE and VBA, both standard Microsoft tools that ship with Windows.ĭDE is a method for transferring data between applications, such as Excel and Word. To view or edit this document, please click ‘Enable editing’ button on the top bar, and then click ‘Enable content’,” the message reads. “This document created in previous version of Microsoft Office Word. How the Obfuscation Worksīecause Microsoft Office automatically disables macros, the attackers attempt to trick recipients of the email to enable them with a message appearing inside the Word document. The Zloader payload is then executed using rundll32.exe,” researchers said. The Excel file now downloads the Zloader payload. “Once the macros are written and ready, the Word document sets the policy in the registry to ‘Disable Excel Macro Warning,’ and invokes the malicious macro function from the Excel file. That macro populates an additional cell in the same XLS document with an additional VBA macro, which disables Office defenses. Next, VBA-based instruction embedded in the Word document reads a specially crafted Excel spreadsheet cell to create a macro.
When the document is opened and macros are enabled, the Word document, in turn, downloads and opens another password-protected Microsoft Excel document,” researchers wrote. “The malware arrives through a phishing email containing a Microsoft Word document as an attachment. The macro-obfuscation technique meanwhile leverages both Microsoft Office’s Excel dynamic data exchange (DDE) fields and Windows-based Visual Basic for Applications (VBA) to launch attacks against systems that support legacy XLS formats.
#What is microsoft office word software#
Thus, it wouldn’t typically trigger an email gateway or client-side antivirus software to block the attack. The initial attack vector is inbox-based phishing messages with Word document attachments that contain no malicious code. Zloader is a banking trojan designed to steal credentials and other private information from users of targeted financial institutions. The attack, according to research published Thursday by McAfee, marries functions in Microsoft Office Word and Excel to work together to download the Zloader payload, without triggering an alert warning for end users of the malicious attack. Legacy users of Microsoft Excel are being targeted in a malware campaign that uses a novel malware-obfuscation technique to disable Office defenses and deliver the Zloader trojan.