Back to the future: evil doc files from the 90’s are back

Last week, one of our clients has been the victim of a large number of attacks through emails. Those messages contained a word file as attachment. In this article, we will quickly describe how to set up a safe environment to control the behavior of a suspect file. I do not mean to perform a comprehensive nor deep analysis of this attack.

According to our information, at the time we are publishing this article (JUNE 2015), a few companies in different fields including Oil & Gas are under attack with similar files.

Everything started as an email received by the financial service of our client. The message was entitled “URGENT INVOICE” and was composed of a short text explaining that the attached file was an invoice that had to be paid as soon as possible. Shortly after a large amount of similar messages were received with different subjects.

It is a common method for hackers to use social engineering in order to get people allowing malware on their computers. In this case, the message aims at creating a feeling of emergency and fear for the people who will receive it.


The client did not take any risk and he did not open any of the attached files. He sent them to us.

Our first actions where to prepare a safe environment for the analysis of the files. As a result we created:

  • A Windows 7 virtual machine with MS Office and all possible updates and patches for all software present on the computer.
  • A Ubuntu 14.04 virtual machine with Wireschark.

The Ubuntu machine ip address was configured as gateway for the Windows machine. The DNS server IP address was set to an address outside of the local IP range.

These two virtual machines have been isolated from the outside world and their only network connection was with each other. As a result, all network activities from the Windows machine was visible on the Linux computer. From this point we were ready to start the analysis.


Email analysis

First of all, we opened all emails one by one in the Windows virtual machine and took a look at the headers of the messages.

Some of these messages had been forwarded without the SMTP headers from the client.

However, one of them was provided as it had been received. Thanks to that, we could identify the origin server of the message. We queried the RIPE base to identify the owner of the IP address of the server that sent the email. As a result we established that an engineering partner of our client had been infected and its servers are used to propagate malware. Some workstations have been compromised and the address books of the users have been used to propagate malicious files.


Malicious attachment

We first opened the attachment with an hexadecimal editor to identify a MIME file. The last block of this file was a base64 text containing a MSO element.


A MIME file with a .doc extension

It was time for opening the suspicious doc files with MS Word.

Without any surprise, upon opening, the file requests the permission to run a macro. Also, the file is displayed as an empty page.

Empty file large

An empty file with disabled macros


We allowed the execution of the macro. This resulted in an error message regarding a missing resource. A quick check on the Ubuntu machine let us know that a DNS request to had been made. The missing resource was likely to be downloaded from the Internet.

Ubuntu wireshark

Windows machine tries to access


Missing ressource

A resource is missing in the macro execution


When we tried to switch to developer view, we encountered an obstacle: the VBA project was password protected.

Password protected macro


The VBA project is password protected

We saved the file with Word as a legacy doc file. This operation keeps the VBA macros and allows to reset the password protecting them:


  • After saving we opened the new file with an hexadecimal editor
  • We found the BPD ASCII string and changed it to BPx
  • Then we opened the file with Word and ignored all error messages
  • We started the VBA macro editor
  • Int the Tool menu, we chose the properties settings and in the protection tab we set up a new password
  • We saved and closed the file

DPB to DPx

The file has been converted to a proper doc format

Change password

A new password can be set


From this point, we reopened the file and were able to access the macros.

As we expected, we found obfuscated code, however, some parts of it were immediately understandable, especially the creation of the HTTP request to The macro downloads a script and creates a vb-script file in a temporary folder before executing it.

Evil macro

The URL is reversed and cut in different variables


Sadly, this is where it ends. We got two different links to but both of them were deleted when we tried to access them.


Summary of the attack method

This attack uses different ways to find its way to the target machine:

  1. Introduction through social engineering in the target organization: An urgent message with a scary topic and sent to people without any special IT knowledge.
  2. An empty file trying to execute a macro, since there is nothing in the document, one can be tented to execute the macro hopping this would give pieces of information. (if the protection is disabled, the macro would even run without asking permission)
  3. Downloading a payload from
  4. Saving the payload in a script file and executing it.


How to protect your organization

This is a typical attack method that used to be very popular in the 90’s. It is cheap to put in place, but also cheap to fight.

As in most cyber-security related case, people training is essential. If the people in your organization are taught how to identify a suspicious message, they will be able to report it to IT services.

Ensure that all machines and MS Office software are up to date with all latest patches.

I assume you already automatically virus scan all email attachments coming to your servers.

You should also ensure that no-one in the organization has changed the default behavior of MS Office products regarding macros:

With MS Office 2013 for Windows 7 and newer, the Microsoft provided Administrative templates allow to set the following options:

  • Scan encrypted macros in Word Open XML documents.
  • VBA Macro Notification Settings. This setting should be set to “Disable” to enforce the default behavior. If set to “Disable all without notification”, this setting prevent the execution of all macros.

Another solution would be to implement a signature strategy for macros inside your organization and to set the setting “VBA Macro Notification Settings” to “Disable all except digitally signed macros”. In this situation, the users will not be warned when a macro coming from a trusted source is executed but only when a macro from the outside of the environment is met. In this case, running an unsigned macro becomes an unusual task for users, raising their awareness level.

Other code execution settings (such as ActiveX) can be configured through GPO.

If is not used by your organization, you can consider forbidding access to this site from your networks.

Maybe we should consider getting back to the 90’s for real and get rid of emails to use a fax instead (and I would go back to playing Pokemon on my black and white huge Gameboy©)

At the time I am writing this article, according to virustotal, 18 over 57 tested antivirus are able to detect this particular file as dangerous. It is mostly detected in the generic class W97M.Downloader.

My point of view

Alright! This attack method is nothing new. It is like a 90’s pop star coming back. Sadly it seems that it can still be very effective.

To be actually evil these files need:

  • That the user opens a curious email.
  • That the user opens a curious attachment (named something like DFSGR43425FSQ.doc) of the email.
  • Allows the execution of macros in the most suspect email in the universe…

People training is, once again, the key element of the defense strategy against this attack.

There are a few things we do not know:

  • Is this attack targeted or if it is part of a vast automated campaign?
  • What is the nature of the payload the macro tries to download? The Pastebin links were not working anymore when we tried them.
  • Who is responsible for this attack?

Also our analysis was limited because we did not have access to the proxy logs of our clients. Some useful information regarding a possible infection might be found there.

Tags: , , , , , , , , , , , ,

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload the CAPTCHA.