Beware what's inside an Office document


Microsoft has released details of a new way Office documents can be used to infect your computer.  The documents can contain disguised OLE objects which are the real danger.

We’ve often said that ‘new’ Office documents (.docx, .xlsx etc.) are safer than their .doc etc. predecessors.  That’s because the new ‘.???x’ files won’t run VBA code.

But hackers are always looking for ways to trick us and they’ve found one by adding an OLE object which carries the virus.   It takes more steps to run the virus code but people still fall for it.

Here’s how this particular trick works and then we’ll look at what should make you wary about opening emails or documents like this.

In this case, a document arrives via email that pretends to be an invoice.

[Image. Source: Microsoft plus our cropping]

Open the .docx document and you’ll see an innocent looking ‘picture’ in the document with a note in German: “To see a receipt, click twice on the screen.”

[Image. Source: Microsoft plus our cropping]

Double-click on the item and you’ll get a security warning.

[Image. Source: Microsoft plus our cropping]

The JavaScript .js file is given an innocent looking name but the result is the same … an infected computer.

The Microsoft post goes into some detail about what Trojan:JS/Certor.A does.  It has its own root certificate which looks very sincere but allows the hackers to track even your ‘secure’ HTTPS traffic.

It changes your proxy server settings so that all your web browsing goes via a hacker’s computer for snooping.  The virus also installs Tor software to hide the hackers’ computers.

What to look for

There are a few ‘red flags’ that should alert any wary computer user:

  • A bland, almost blank email with no details but an attachment.
  • Yes, the attachment is a .docx file but otherwise the message has all the hallmarks of a scam email.
  • Rather than opening the document fully in Word, view it in the Outlook preview pane.
  • In the document there’s nothing but a request to open yet another item. That’s very unusual so – red flag!
  • Clicking on the object triggers a security warning – BIG red flag!!!!!!!!
  • More tech savvy users will see that it’s JavaScript code inside a Word document.  That’s not common or likely.
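
For the tech savvy, that last check can be done without opening the document in Word at all. The Python sketch below is an added example, not code from Microsoft or Office Watch: a .docx is a ZIP archive, Word keeps embedded objects in its word/embeddings/ folder, and the script lists them and flags any that carry a script or program file name. The extension list, the sample file name invoice.js and the raw byte search (a heuristic, not a full OLE parser) are assumptions made for the example.

```python
import io
import re
import zipfile

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file signature
# File names ending in a script/program extension, stored as ASCII followed
# by a NUL byte inside packaged objects. The extension list is an assumption.
RISKY_NAME = re.compile(
    rb"[\w .\-]{1,64}\.(?:js|jse|vbs|vbe|wsf|hta|exe|scr|bat|cmd|ps1|lnk)(?=\x00)",
    re.IGNORECASE,
)

def scan_docx(source):
    """Return (zip_entry, is_ole, risky_names) for each embedded object.

    `source` is a path or file-like object holding a .docx (or other OOXML) file.
    """
    findings = []
    with zipfile.ZipFile(source) as z:
        for info in z.infolist():
            # Embedded objects live under word/embeddings/ (xl/, ppt/ likewise)
            if "/embeddings/" not in info.filename.lower():
                continue
            data = z.read(info)
            is_ole = data.startswith(OLE_MAGIC)
            names = sorted({m.group(0).decode("ascii", "replace").strip()
                            for m in RISKY_NAME.finditer(data)})
            findings.append((info.filename, is_ole, names))
    return findings

def build_sample():
    """Constructed sample: a minimal ZIP shaped like a .docx, not a real document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        # Fake embedded object: OLE signature plus a packager-style file name.
        z.writestr("word/embeddings/oleObject1.bin",
                   OLE_MAGIC + b"\x00" * 32
                   + b"\x02\x00invoice.js\x00C:\\tmp\\invoice.js\x00")
        z.writestr("word/embeddings/Microsoft_Excel_Sheet1.xlsx", b"PK\x03\x04 benign")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for entry, is_ole, names in scan_docx(build_sample()):
        verdict = "SUSPICIOUS" if names else "review"
        print(f"{verdict}: {entry} ole={is_ole} names={names}")
```

An embedded object with no risky name is not proof the document is safe; the scan only shows what is packed inside before anyone double-clicks it.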

Happily, this particular virus is known and should be caught by any decent anti-virus software or spam filter.

But the best defence is you … the wary computer user.
