Debunking hoaxes and exposing scams since 2003!

Jump To: Example    Detailed Analysis   References

Macro Virus Threat Returns - Beware Emails With Malicious Word Attachments

Jump To: Example    Detailed Analysis   References


Unsolicited emails with attached 'invoice' or 'payment' Microsoft Word documents ask users to enable Macros to view document contents.

word macro malware
© alexskopje

Brief Analysis

The attached Word documents contain malicious macros that may download malware. The messages may claim that macros must be enabled for security reasons or so that information can be correctly displayed. Do not enable macros if prompted to do so via one of these emails. Macro viruses have not been a significant security threat for years but are currently making a comeback.



Bookmark and Share


Hello [email address removed],   
The interest rate will be changed next month.
Statistics in the file Doc.

Hello [Email address removed]
Documentation is sent to you for your leadership.
Information is in Doc file.     

Detailed Analysis

'Invoice' and 'Payment' Emails Contain Malicious Word Attachments

Users have recently reported receiving brief email messages like the example shown above. The emails include Microsoft Word documents with various names pertaining to supposed invoices or payments.

The rather vague messages are obviously designed to trick recipients into opening the attached files in the hope of getting more information.

Documents Instruct Users to Enable Macros

However, when users attempt to open the attached documents, they will receive a message asking if they wish to enable macros to see the content (Unless they have enabled macros previously).

If they enable macros as requested, a blank Word document will be displayed.

Other versions may display some content that claims that users should enable macros to enhance security, gain access to the full document, 'unblur' content, or get a password to unlock the remainder of the document.

But alas, enabling macros may result in malware being downloaded to the user's computer

Malicious Macros Once Again a Security Threat

For those that may not be aware, a macro is a set of commands and instructions that can be collected as a single command in order to quickly and automatically accomplish a task.

Complex macros can be created using VBA (Visual Basic for Applications), and can be very helpful in some workflows.

But malicious VBA macros can also be created and distributed. In years gone by, macro viruses were common computer security threats. But, for the last several years, they have been much less significant due to the fact that later versions of Microsoft Office disabled macros by default and implemented other security measures.

However, criminals have apparently realized that many computer users will have forgotten about or have no knowledge of macro threats. Thus, malicious macros are again being used to spread malware.  An article about the resurgence on Virus Bulletin notes:

In the past five years, macro malware could be considered practically extinct – thanks mostly to the security improvements introduced into Microsoft Office products. However, in recent months, a resurgence of malicious VBA macros has been observed – this time, not self-replicating viruses, but simple downloader trojan codes.

In modern incarnations of the threat, criminals do not try to subvert in-built security systems but use simple social engineering techniques to get users to allow the macros to run. The criminals rely on the curiosity of recipients who may proceed without due caution in the hope of finally viewing the promised document content.

Safest to Leave Macros Disabled

Unless you have a compelling reason, you would be best to leave macros disabled by default. And do not believe any message that claims that you must enable macros to view or interact with Microsoft Office documents.



Bookmark and Share

word macro malware


Last updated: August 4, 2015
First published: July 24, 2014
By Brett M. Christensen
About Hoax-Slayer

Remember macro viruses? Infected Word and Excel files? They're back...
article about the resurgence