Banking Malware Delivered via Macro in PDF Embedded Word Document

Delivering banking malware through Microsoft Word documents has been a less common method. According to Avast experts, however, it is now being used to spread malicious macros and PDF files in a single item.

Researchers at Avast have found that use of this previously less common method of spreading banking malware has suddenly increased. They further noted that the method has evolved: it now embeds Microsoft Word documents in a PDF file.

The email claims to provide financial details in an attached PDF. In fact, the attachment is a rigged document containing JavaScript code and a DOC file whose macro carries the nefarious commands.

After the user opens the supposedly innocuous PDF, the JavaScript drops and executes the DOC. Even then, the user still needs to activate support for macros.
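A defender-side triage check for the delivery chain described above (a PDF that carries both JavaScript and an embedded Office document), added here as an example and not taken from Avast's analysis. The function names and the sample bytes are constructed for illustration; the sample holds a placeholder script and a stub OLE header, not malware.

```python
import re
import zlib

# PDF names tied to the chain described above: attachment, script, auto-run.
NAMES = ("/EmbeddedFile", "/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch")
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc container
ZIP_MAGIC = b"PK\x03\x04"                         # .docx/.docm container

def count_names(data: bytes) -> dict:
    """Count suspicious names after undoing #XX escapes (/J#61vaScript)."""
    decoded = re.sub(rb"#([0-9A-Fa-f]{2})",
                     lambda m: bytes([int(m.group(1), 16)]), data)
    counts = {}
    for name in NAMES:
        # A name ends at whitespace or a delimiter, so /JS never matches /JSx.
        pattern = re.escape(name.encode()) + rb"(?=[\s/<>\[\]()]|$)"
        counts[name] = len(re.findall(pattern, decoded))
    return counts

def office_streams(data: bytes) -> list:
    """Return 'ole'/'zip' for each stream whose content is an Office container."""
    found = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        body = m.group(1)
        try:
            # FlateDecode is the usual filter; decompressobj tolerates a cut tail.
            body = zlib.decompressobj().decompress(body)
        except zlib.error:
            pass  # not deflate data: inspect the raw bytes instead
        for kind, magic in (("ole", OLE_MAGIC), ("zip", ZIP_MAGIC)):
            if body.startswith(magic):
                found.append(kind)
    return found

def triage(data: bytes) -> dict:
    names, office = count_names(data), office_streams(data)
    script = names["/JavaScript"] + names["/JS"] > 0
    attachment = names["/EmbeddedFile"] > 0 or bool(office)
    return {"names": names, "office_streams": office,
            "script_plus_attachment": script and attachment}

def build_sample() -> bytes:
    """Constructed PDF-like bytes: placeholder script plus a stub OLE stream."""
    doc = zlib.compress(OLE_MAGIC + b"\x00" * 32)
    return (b"%PDF-1.5\n1 0 obj << /Type /Catalog /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /EmbeddedFile /Filter /FlateDecode >>\nstream\n"
            + doc + b"\nendstream endobj\n"
            b"3 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n%%EOF\n")
```

Calling `triage()` on the raw bytes of a quarantined attachment gives a quick signal for mail-gateway or analyst review; object streams and filters other than FlateDecode are outside what this check inspects.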

Avast’s Jan Širmer says: “Inside the DOC file we found the malicious macro code, which users must activate, as the code is disabled by Microsoft Office by default. The code obfuscates DOC files by creating new documents with unique method names, variable names, and URLs, making it difficult to detect the malicious files.”

While analyzing the macro, researchers discovered that it linked to URLs that were unique for every sample of the malware, a version of the Dridex banking Trojan, which progressed from the infamous Zeus.

The objective behind stealing the credentials is to access bank accounts and/or Google and Microsoft services. Targeted banks include Santander, which operates across the northeastern part of the US, and Ulster, a reputable financial institution in Ireland.

Avast researchers recommend running only the latest versions of software products on computers. Moreover, users must pay attention to suspicious emails sent from unknown people or sources. If an email claims to contain financial information, it is important to verify the sender before opening the document.

When the PDF file was scanned, 34 / 55 antivirus products detected it as infected with malware:

PDF VirusTotal


When the DOC file was scanned, 25 / 57 antivirus products detected it as infected with malware:

DOC VirusTotal


When the PDF file was scanned, 34 / 55 antivirus products detected it as infected with malware:

PE VirusTotal


So be careful when opening any email that comes with attachments. If you have received any such email, contact us and we will get the sender blocked.
