Dangers of Malicious Code in Documents

We use many different document types on a daily basis; I personally use at least three different file types every day. Some of them I create myself and some of them I receive via email or download from different sources.
When downloading or receiving documents via email, it is always important to pay attention to the security side of things. Can this file do any harm to my system if I download it and open it with my computer? The answer is yes.
We use different kinds of files all the time, and the most commonly used ones can have malicious code included in them. This is why we need to know what macro viruses are and how we can protect ourselves from getting infected by them.

What are macros

Before we can dig deeper into this, we need to understand what macros are as they make it possible for the viruses to be in the documents and infect our systems.

Macros are simply code embedded in documents. The most common document types containing macros are Microsoft Word, Excel and PowerPoint documents. Other documents, such as PDF files, can also have malicious code in them, making them dangerous for your computer.

However, when we talk about macros, we generally mean Microsoft Office documents that have embedded code in them. The reason is that Word, Excel, and PowerPoint allow the user to program functionality into the file with Visual Basic for Applications (VBA).

Anyone can use VBA, for example, to automate repetitive tasks. VBA is very useful and can make things a lot faster for professionals who need the extra functionality added to their files. For a basic user, macros aren’t very important.

As anyone can write macros into Microsoft Office files, a user with malicious intentions can write harmful VBA code into a file and send it via email to their victim(s). This makes macros very dangerous, as the code can execute pretty much anything.

What is Protected View

As macros are a serious threat to companies and home users, Microsoft has implemented Protected View for MS Office documents. Protected View allows the user to read the document without allowing the VBA code to execute.

The documents are opened in protected view if:

  • The file was opened from an internet location
  • The file was received as an email attachment
  • The file was opened from an unsafe location
  • The file is blocked by File Block
  • The file was opened in Protected View by using the Open in Protected View option
  • File validation failure

Protected View is indicated by a colored banner at the top of the open document. The color and text of the banner depend on the reason the document was opened in Protected View. You can then either enter editing mode, which allows VBA code to be executed, or stay in Protected View and continue without editing the document. Enter editing mode only for documents that you trust and that come from a trusted source.

Never allow the execution of VBA code if you don’t know the origin of the file.
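
Before leaving Protected View, you can check whether a file carries VBA at all without opening it in Office. The following Python sketch is an added example, not part of the original post: it relies on the fact that modern Office files are ZIP archives that store macros in a part named vbaProject.bin, and its function names and the constructed sample files are assumptions made for illustration.

```python
import io
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # header of legacy .doc/.xls/.ppt


def macro_status(data: bytes) -> str:
    """Classify a document's raw bytes without opening it in Office."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary formats can hold VBA; this sketch does not parse them.
        return "legacy-ole: macros possible, inspect further"
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return "not an Office container"
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [n.lower() for n in zf.namelist()]
    if "[content_types].xml" not in names:
        return "zip, but not an Office document"
    # Modern Word/Excel/PowerPoint files keep their VBA project in a part
    # named vbaProject.bin (for example word/vbaProject.bin).
    if any(n.rsplit("/", 1)[-1] == "vbaproject.bin" for n in names):
        return "contains VBA macros"
    return "no VBA project found"


def build_sample(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip that mimics an Office file layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "constructed file with macro part": build_sample(True),
        "constructed file without macro part": build_sample(False),
        "constructed legacy header": OLE_MAGIC + b"\x00" * 512,
        "plain text": b"just some text",
    }
    for label, blob in samples.items():
        print(f"{label}: {macro_status(blob)}")
```

A result of "no VBA project found" only rules out embedded VBA in a modern Office file; legacy binary formats need a dedicated analysis tool.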

What is a macro virus

Macro viruses are simply malicious VBA code that is embedded into a document. If the user allows the execution of the VBA code (exits Protected View to edit the file), the malicious code in the document will run and the macro virus is able to do what it was programmed to do.

Depending on what kind of virus it is, it can perform different actions. Some macro viruses are used as downloaders for the actual malware, which has more functionality and can perform different malicious actions.

Some macro viruses can collect sensitive data, or replicate and forward themselves to contacts harvested from the infected computer.

Usually, hackers are looking for some kind of profit from their actions. Viruses can collect bank credentials, passwords, credit card information, email addresses or make redirections to other websites.

How they spread

The most common ways for macro viruses to spread are through email attachments and documents downloaded from the internet. When the user opens the infected document and allows the VBA code to run, they get infected.

Commonly, these documents are sent to people working in a company whose systems the hackers want to compromise. This is called phishing. Phishing emails are sent to the employees, and if even one of the emails is able to infect one computer, the hackers might have a way into the corporate network.

You might receive these kinds of emails at your personal email address as well, and these kinds of attacks are usually just trying to infect as many people as possible. These hackers are most probably looking for some kind of profit, as mentioned earlier. Nowadays it is more likely that you receive emails with links to malicious websites rather than emails with attachments.

Macro virus symptoms

If you believe that your systems have been infected by a macro virus or you just want to be aware of what the symptoms can be, then here is some information that I believe can be helpful.

Macro viruses, like any other viruses or malware, can be difficult to detect. Keep an eye out for these symptoms to ensure your security.

  • Computer is running slower than before
  • You get strange error messages
  • Your computer asks for a password for no reason or to open a file that doesn’t require one
  • You are being redirected to new websites for no reason
  • There are unknown files on your computer
  • There are unknown processes running on your computer
  • Documents are saved as “template” files

If you have any of the symptoms mentioned above, you are potentially infected by some kind of virus. It could have spread from a malicious document or from somewhere else. If you are encountering any other suspicious actions, you could have been infected.

How to delete a macro virus

If you are noticing symptoms of malware infection, it is a good practice to disable network connectivity. This way the malware isn’t able to communicate with the attacker or download more malicious content to your computer.

Now you can take your computer to a professional who can investigate it further and suggest the right solutions to that exact case. The solutions can vary depending on what kind of malware your computer has been infected with.

You can also use an antivirus program to clean the computer from malware. Antiviruses usually need an internet connection to update their malware database information to be able to detect the newest malware, so you might need to restore connectivity while performing the scan.

Not all malware is detectable and sometimes the antivirus can’t find any infections. If you are still having the symptoms of infection, you can either take your computer to a professional or install your operating system again.

By installing the operating system again, you will lose all the files you have. This process will overwrite all your data as well as the malware. Keeping regular backups of your files is a good habit to get into, so in case you need to install your operating system again, you won’t lose all your files. Be careful, though: while backing up your files, you might have backed up the malware as well. It can be tricky.

Other types of dangerous files

We have mostly covered Microsoft Office documents because they are the most commonly exploited file types. This is simply because VBA code can be included in a simple Word, Excel or PowerPoint document, which makes it very easy for the attacker to create malicious documents. However, after the implementation of Protected View, the danger of macro viruses has decreased.

It is good to keep in mind that files other than Microsoft Office documents can have malicious code embedded in them. These files include raw executables, such as:

  • .exe
  • .scr
  • .com
  • .bat

Well-known PDF files can also be dangerous when they include malicious JavaScript.

How to keep yourself safe

Prevention is an important part of staying safe from viruses and malware. Keep your operating system and applications up to date. Always apply new updates as soon as possible.

Check digital signatures to be sure that downloaded data is what it is claimed to be. This way you can identify the source of the download.

Use an antivirus program and set it to scan your computer regularly, for example every week on a specific day.

The basic rule here is to not download files, executables, documents or any other data that you do not trust. If you don’t trust the sender of the email, the source or the downloaded data itself, delete it immediately and scan your computer for possible infections.

Common sense is the best key to internet security; it will take you far. If something sounds too good to be true, it usually isn’t true and should be avoided.



About the author

PC Rookies is a project to share information on mostly security-related topics.
