Banking Malware Delivered via Macro in PDF Embedded Word Document

Delivering banking malware through Microsoft Word documents has been a less common method. However, it is currently being used for spreading malicious macros and PDF files in a single item — Avast Experts.

Researchers at Avast have identified that the previously less common method of spreading banking malware has suddenly been increased. They further noted that this method has evolved and it now embeds Microsoft Word documents into a PDF file.

The email claims to provide financial details embedded in an attached PDF. Actually this is a rigged document containing a JavaScript code and the DOC file comprising of the macro containing the nefarious commands.

After the user launches the supposedly innocuous PDF, the DOC is dropped and executed with the JavaScript. Still, the user will need to activate support for macros.

Avast’s Jan Širmer says: “Inside the DOC file we found malicious macro code, which users must activate, as the code is disabled by Microsoft Office by default. The code obfuscates DOC files by creating new documents with unique methods names, variable names, and URLs, making it difficult to detect the malicious files.”

While analyzing the macro, researchers discovered that it linked to URLs which were unique for every sample of the malware, a version of Dridex banking Trojan that progressed from the infamous Zeus.

The objective behind stealing the credentials is to access bank accounts and/or the Google and Microsoft services. Banks targeted include Santander that operates across the Northeastern part in the US and a reputable financial institution in Ireland the Ulster.

Avast Researchers recommend that only the latest versions of software products should be run on computers. Moreover, users must pay attention to suspicious emails sent from unknown people/sources. If an email claims to contain financial information, it is important to verify the sender prior to opening the document.

When the PDF file was scanned 34 / 55 antivirus softwares detected that it’s infected with malware:

PDF virustotal


When the DOC file was scanned 25 / 57 antivirus softwares detected that it’s infected with malware:

DOC virustotal


When the PDF file was scanned 34 / 55 antivirus softwares detected that it’s infected with malware:

PE virustotal


So be careful while opening any email that comes with attachments. If you have received any such email contact us and we will get the sender blocked.



Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.