Word document danger installs a keylogger

There’s a new type of infected Office document that can bypass some protections and trick people into installing a keylogger on their computer.

A keylogger is software that records each keypress and send it to a hacker.  They can use that info to get your login details for many sites or software.

What’s new is the way the Office document is infected.  It’s an Office document (an old-style .doc in the example) which appears to have no macros.  The lack of macros might fool some AV software into thinking the document is OK.


Beware any document which prompts you to open install or change settings to make it work.

We’ve seen tricks like this before.  Word documents which tell you to change a security setting to reveal the contents – don’t do it!  Office will prompt you in a yellow alert bar if some action is suggested so any message in the document itself is not necessary.

This is another case of an infected .doc file — as a general rule ignore .doc files (and .xls, .ppt or any of the old 3 character extension Office documents.)

The Hacked Office Document

When you open the document, it has a very sincere looking, but fake, prompt to install Silverlight.  Silverlight is a now obsolete Microsoft technology.

Source: Proofpoint.

In fact it’s a ‘Package Shell Object’ which contains a Visual Basic Script.  Clicking on the ‘install’ image actually runs the script which then downloads and installed a keylogger program.

The current version of this hack doesn’t work because the keylogger program has been removed from the external site hardcoded in the script.  But that might change in a future attempt.

If the keylogger is installed, it tracks your keystrokes then emails reports.  A password recovery tool is included to bypass Windows attempts to hide passwords from other software.

Proofpoint has a good explanation (better than most) which goes into detail of how the hack works.