Pierluigi Paganini January 29, 2015

Experts at Bitdefender have discovered a spam campaign that tricks antispam filters by relying on macros in Empty Word Documents.

Security experts at BitDefender observed a new tactic adopted by spammers that rely on emails with an empty Word document in the attachment to bypass anti-spam filters.

The social engineering strategy adopted by spammers to lure victims into open the Word document is quite common, the documents pretend to relay financial information like invoice, banking informative or bill. Unfortunately, the document is empty and only includes a malicious macro used to compromise the victim’s machine.

“For a few days, cybercriminals have sent targeted e-mails to management departments – other departments may receive it too. The e-mails look like a tax return, a remittance or some kind of bill from a bank, and carry a Microsoft Word (.doc) or Excel (.xls) attachment. The e-mail isn’t stopped by antispam filters because the file itself is clean – and how could it be dangerous? It’s empty!” reports a blog post published by Bitdefender.

Experts explained that this spam campaign served more than 7,000 emails in just one day, meanwhile recipients were mostly in Italy, France, US, UK, Australia, Canada and Germany.

A macro is a series of commands and instructions that could be grouped in a single command to accomplish frequently used tasks automatically.

In the recent months, the experts at MMPC have observed a significant increase in enable-macros based malware, the most active codes include Adnel and Tarbir.

Criminal gangs could use macros to instruct victim’s machine into download code from a remote location and execute any kind of malware, for this reason Microsoft made the feature inactive by default. Every time a user enable the macro, the office application displays user a message to inform about associated risks.
Security researchers at Bitdefender have detected a spam campaign that relies on documents with malicious macros to deliver malware from a remote location.

The macro code included in the empty emails is obfuscated to evade detection and researchers at Bitdefender confirmed that message used in this particular spam campaign always reach the inbox folder because the Word document does not contain any text.

Avoiding infection is simple, do not enable macros embedded in any incoming Office document.

Pierluigi Paganini

(Security Affairs – Office, Spam)