Everyone needs to identify malicious attachments that are widely used in phishing emails to spread malware in order to remain secure online.
Threat actors create spam campaigns that claim to be invoices, invitations, payment information, shipping information, eFaxes, voicemails, and more while spreading malware. Malicious Word and Excel attachments or links to them are included in these emails that, when opened and macros are activated, will install malware on a device.
However, Office needs you to click on the ‘Allow Editing’ or ‘Enable Information’ buttons before Word or Excel executes macros in a text, which you should never do.
Never click Enable Content on attachments you receive
The malware distributors build Word and Excel documents containing text and images to trick users into clicking these buttons, saying that there is a problem showing the document. Recipients are then prompted to click ‘Enable Content’ or ‘Enable Editing’ to correctly view the contents.
‘Document templates’ are the mixture of text and photos in these malicious attachments.
Below are numerous document models that were used for some of the more common malware infections in the spam campaigns.
It should be noted that different malware can also be used for these document models compared to what is associated below. In addition, this is a sample of the more popular templates, but there are several others out there.
BazarLoader
BazarLoader is a malware created by the same community behind the TrickBot Trojan for enterprise-targeting. Threat actors use BazarLoader / BazarBackdoor when installed to access your device remotely, which is then used to compromise the remainder of your network.
It is common for threat actors to eventually deploy the Ryuk ransomware to encrypt all of the devices on a network when a network has been infected with BazarLoader.
Phishing emails distributed via phishing emails by BazarBackdoor usually contain links to suspected Word or Excel documents that are hosted on Google Docs and Google Sheets.
However, these Google Docs records claim to have an issue and prompt you to download the text. In fact, this download is an executable which, as shown below, installs BazarLoader.
BazarLoader: Fake Google docs hosted attachment
Dridex
Dridex was first spotted in 2014 as an advanced and modular banking trojan and is continually updated.
Dridex will download various modules when infected, which can be used to steal passwords, provide a computer with remote access, or perform other malicious activities.
It usually contributes to the deployment of BitPaymer or Dridex ransomware attacks as Dridex exploits networks.
It is also assumed that another ransomware known as WastedLocker is linked to Dridex, but these evaluations do not agree with one cybersecurity firm.
The Dridex gang tends to use more stylized document templates that show tiny or obfuscated content and prompt you to click Enable Content to see it better, unlike other malware distribution campaigns.
For example, the template below states that the document was created in an earlier version of Microsoft Office Word, and shows a hard-to-read document under it.
Dridex: Created in an earlier version of Word
Dridex also uses more stylized templates that claim to be DHL and UPS shipping information.
Dridex: Fake DHL shipping information
Finally, Dridex can display tiny payment invoices that are difficult to read, causing you to press ‘Allow Editing’ to view them correctly.
Dridex: Fake invoice from Intuit
Dridex likes to use images of embedded documents with business logos and letterheads to trick users into allowing macros, as you can see from the examples above.
Emotet
Emotet is the most widely distributed malware containing malicious Word or Excel documents via spam emails. When corrupted, Emotet can snatch the email of a victim and use the corrupted PC to spew out more spam to worldwide recipients.
Eventually, users infected with Emotet would be further infected with Trojans like TrickBot and QakBot. These two Trojans are used to steal passwords, cookies, data, and contribute to the network-wide compromise of an organization.
Ultimately, a network would possibly be impacted by a ransomware attack from Ryuk or Conti if infected with TrickBot. For those impacted by QakBot, the ProLock ransomware can hit them.
Emotet does not use photos of real documents in their paper templates, unlike Dridex. Instead, they use a wide variety of templates that show an alert box that it is not possible to display the document properly and that users need to press ‘Allow Material’ to read it.
The ‘Red Dawn’ template shown below, for instance, states that “This document is safe,” and then prompts you to read it by allowing content.
Dridex: “This document is protected” template
This next template pretends that as it was created on a ‘iOS device,’ it could not be opened correctly.
Emotet: Created on an iOS device
Another states that the document was created on ‘Windows 10 Mobile,’ as Windows 10 Mobile has been discontinued for some time, which is a strange message.
Emotet: Created on Windows 10 Mobile
The next template pretends that the document is in ‘Safe View,’ and in order to see it properly, a user needs to press ‘Allow Editing.’
Emotet: Protected view
The next template is a little more interesting as it advises users to accept the license agreement from Microsoft before the document can be accessed.
Emotet: Accept the license agreement
Another interesting template pretends to be a Microsoft Office Activation Wizard that prompts users to finish activating Office with ‘Enable Editing.’
Emotet: Office Activation Wizard
QakBot
QakBot, or QBot, is a banking trojan that spreads to companies , usually via phishing campaigns that deliver malicious Microsoft Word documents.
QakBot is a modular Trojan that offers the ability to steal banking data, install other malware, or provide an infected machine with remote access.
Like other trojans in this post, QakBot has also partnered with a ransomware infection called ProLock that is typically the final payload of an attack.
Compared to Emotet, QakBot campaigns prefer to use more stylized document models. As shown below, the most common template that QakBot spam campaigns use pretends to be from DocuSign.
QakBot: DocuSign template
Other templates include those that pretend to be from Microsoft Defender or, like the one below, a Word update and activation screen.
QakBot: Word update and activation error
Do not open these executable attachments
Finally, attachments ending with .vbs, .js, .exe, .ps1, .jar, .bat, .com, or .scr extensions should never be opened, since they can all be used to execute commands on a computer.
As most email services block “executable” attachments, like Office and Gmail, malware distributors will send them to password-protected archives and include the password in the email.
The executable attachment helps this technique to circumvent email protection gateways and enter the intended recipient.
JAR attachment
Unfortunately, Microsoft chose to hide file extensions by default, which allow threat actors to trick users into running unsafe files. Because of this, we strongly recommends that all users of Windows allow file extensions to be displayed.
If you receive an email that contains one of these types of executable files, it is almost certainly malicious and should be removed immediately.