Macro malware

What is macro malware?

Macros are a legitimate way to automate some common tasks in Microsoft Office. However, malware can also use this functionality to download threats onto your PC.

Macro malware usually hides in Microsoft Word or Microsoft Excel documents. These malicious documents are sent as spam email attachments, or inside ZIP files attached to spam emails. They use file names designed to entice you into opening them. Some examples of the spam emails used to spread macro malware are shown below:

[Images: three screenshots of spam emails, each captioned "Spam email payment"]

Some other attachment names we have seen imitate invoices, receipts, and other important documents, for example:

  • case number.doc
  • e-ticket_79010838.doc
  • fax_msg896-599-5459.doc
  • invoice_723961.doc
  • legal_complaint.doc
  • logmein_coupon.doc
  • receipt_3458934.doc

Macro malware was fairly common several years ago because macros ran automatically whenever you opened a document.

However, in recent versions of Microsoft Office, macros are disabled by default. This means malware authors need to convince you to turn on macros so that their malware can run. They do this by showing you fake warnings when you open a malicious document. Some examples of this are shown below:

[Images: three fake warnings, captioned "Enable macro incorrect encoding", "Enable macro new Office version", and "Enable macro VBS"]

If you follow these prompts and enable macros, the malware can run. We have seen macro malware download threats from the following families:

Preventing macro malware infection

Stop macros running on your PC

Check if macros are disabled in your Microsoft Office applications. In enterprises, your system administrator can set the default setting for macros.

Don’t open suspicious emails

If you get an email from someone you don’t know, or an invoice for something you don’t remember buying, delete it. Spam emails are the main way macro malware spreads.

You can also:

Find out more

There is more information about macro malware and how to prevent it in enterprise environments in our July Threat Intelligence Report.

You can also read more in the descriptions of the prevalent macro malware families: Adnel, Bartallex, and Donoff.
