Spam campaign relies on macros embedded in empty Word documents

Experts at Bitdefender have discovered a spam campaign that tricks antispam filters by relying on macros in Empty Word Documents.

Security experts at BitDefender observed a new tactic adopted by spammers that rely on emails with an empty Word document in the attachment to bypass anti-spam filters.

The social engineering strategy adopted by spammers to lure victims into open the Word document is quite common, the documents pretend to relay financial information like invoice, banking informative or bill. Unfortunately, the document is empty and only includes a malicious macro used to compromise the victim’s machine.

“For a few days, cybercriminals have sent targeted e-mails to management departments – other departments may receive it too. The e-mails look like a tax return, a remittance or some kind of bill from a bank, and carry a Microsoft Word (.doc) or Excel (.xls) attachment. The e-mail isn’t stopped by antispam filters because the file itself is clean – and how could it be dangerous? It’s empty!” reports a blog post published by Bitdefender.

Experts explained that this spam campaign served more than 7,000 emails in just one day, meanwhile recipients were mostly in Italy, France, US, UK, Australia, Canada and Germany.

A macro is a series of commands and instructions that could be grouped in a single command to accomplish frequently used tasks automatically.

In the recent months, the experts at MMPC have observed a significant increase in enable-macros based malware, the most active codes include Adnel and Tarbir.

Criminal gangs could use macros to instruct victim’s machine into download code from a remote location and execute any kind of malware, for this reason Microsoft made the feature inactive by default. Every time a user enable the macro, the office application displays user a message to inform about associated risks.
Security researchers at Bitdefender have detected a spam campaign that relies on documents with malicious macros to deliver malware from a remote location.

The macro code included in the empty emails is obfuscated to evade detection and researchers at Bitdefender confirmed that message used in this particular spam campaign always reach the inbox folder because the Word document does not contain any text.

Avoiding infection is simple, do not enable macros embedded in any incoming Office document.

Pierluigi Paganini

(Security Affairs – Office, Spam)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.