Annamaria Montagnese 17 March 2016 17:17:48 AEDT 3 MIN READ

New Macro Word Malware Email Scams Hidden in Zip File Attachments

New tactics to bypass traditional anti-virus defences are ever developing, but this latest run shows a series of varying aspects to each email.

The emails are not purporting to be from any big brand or well-known company, but rather appear to be from an individual, not necessarily known to the recipient. These emails are dangerous to businesses as they contain Macro enabled Word documents, hidden within .zip file attachments, which, when executed, will install malware to the machine.

Here is sample of one of the many variants of this latest email run containing Macro enabled Word Documents:


The first and last names of the email recipient have been obfuscated for privacy reasons.

Each email has a different sender name and reply email address. The filename of the attachment in the email contains the first and last name of the recipient also. These are all attempts to try and bypass anti-virus protection and delay responses by AV vendors to write patches for their software.

The subject line in this particular sample includes the recipients first and last name, then asks ‘are you aware of this?’ Cyber criminals use tactics to entice email recipients to take action, open, click download or simply reply to emails in order to handover information or funds to the perpetrators.

How do cyber criminals deliver malware via Macro enabled Word documents?

Malware can be delivered via email using a number of methods. In this instance, the cyber criminals have simply attached a Microsoft Word document and hidden it inside a .zip file. This is normal and not considered malicious to send files within a .zip. Once the Word document is opened however, the criminals have set a Macro that requires the recipient to ‘enable’ it to run. This Macro acts as a dropper to contact a remote server to then download the executable file.

Here is a sample of the document asking for the Macro to be enabled:


Ultimately, there is no actual malware being delivered via email, and the email recipient is allowing a Macro to drop the file to the device.

Is it dangerous if I run/enable the Macro? What could happen to me?

By enabling these Macros, email recipients are allowing criminals to automatically install executable files, such as Trojans or Keyloggers.

A Keylogger is a type of spyware that can watch and record your keystrokes. They can see what you write in an email, what passwords you enter or any other information you type.

Trojans sit quietly in the background and will take actions not authorised by the user, such as modifying, stealing, copying or even deleting data.

These types of malware are most dangerous because the user would not notice they are running in the background until such time they are made aware – this can sometimes be months!

How can I protect myself from these types of email scams?

To reduce the risk of being tricked by one of these scams, you should immediately delete any emails that:

  • Seem suspicious and ask you to open or download files that you were not expecting
  • Contain Macro enabled Word Documents and require you to enable the Macro
  • Ask you to click on a link within the email body in order to access their website. If unsure call the company/person directly and ask whether the email is legitimate

Microsoft Word has disabled VBA macros by default in newer editions. Don’t fall for the attempt to convince you into enabling macros for an unexpected attachment.

We recommend that you share these tips with your staff to make them aware of these campaigns. By employing a cloud-based email and web filtering solution like MailGuard, you’ll also reduce the risk of these new variants of phishing from entering your network in the first place.

Keep up to date on the latest email scams by subscribing to MailGuard’s weekly update or follow us on social media.

Keep Informed with Weekly Updates

^ Back to Top