Word document danger installs a keylogger

There’s a new type of infected Office document that can bypass some protections and trick people into installing a keylogger on their computer.

A keylogger is software that records each keypress and sends it to an attacker, who can then pick out your login details for many sites and programs.

What’s new is how the payload is carried.  The example is an old-style .doc which contains no macros at all; the executable content is hidden in an embedded object instead (more on that below).  Anti-virus software that looks mainly for VBA macros may therefore pass the document as clean.

Beware any document that prompts you to install something or change a setting in order to view it.

We’ve seen tricks like this before.  Word documents which tell you to change a security setting to reveal the contents – don’t do it!  Office shows its own warnings in the yellow Message Bar below the ribbon, so any instruction written inside the document body telling you to enable content, change a setting or install something is not from Office and is a sign of an attack.

This is another case of an infected .doc file.  As a general rule, treat unexpected .doc files (and .xls, .ppt or any of the old three-character-extension Office formats) with suspicion: they can carry macros and embedded objects just as the modern formats can.

The Hacked Office Document

When you open the document, it shows a sincere-looking but fake prompt to install Silverlight.  Silverlight is a Microsoft browser plug-in that is now obsolete, so a document claiming to need it is itself a warning sign.

Source: Proofpoint.

In fact the ‘install’ graphic is an embedded ‘Packager Shell Object’ (an OLE Package object) wrapping a Visual Basic Script file.  Clicking on the image actually runs the script, which then downloads and installs a keylogger program.
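As an added example (not code from Office Watch or from Proofpoint’s write-up), the Python below shows what a defender can check in a macro-less .doc of this kind: whether the file is an old OLE2 container, whether it has a VBA project at all, whether it carries a Package object’s Ole10Native stream, and what filename that object wraps.  It also decodes an Ole10Native stream into its label, paths and embedded file bytes.  Assumptions: the Ole10Native field layout is the one described by the oletools project; the filename Silverlight_install.vbs, the paths and the sample bytes are constructed for this example and are not the real attack document, and the raw-byte scan is a triage heuristic, not a full parser of the compound file format.

```python
"""Triage helpers for a legacy binary Office file (.doc/.xls/.ppt) that may carry an
embedded 'Package' object (shown in Word as a Packager Shell Object) wrapping a script.

Constructed example; not code from Office Watch or Proofpoint. The Ole10Native field
layout follows the oletools project's description of that stream (assumption).
"""
import re
import struct

CFB_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"          # OLE2 / Compound File header
# Directory-entry names inside the container are stored as UTF-16LE.
OLE10NATIVE_NAME = "\x01Ole10Native".encode("utf-16-le")  # Package object's payload stream
VBA_PROJECT_NAME = "_VBA_PROJECT".encode("utf-16-le")     # present only when macros exist
# Filenames with these extensions run code when the Packager object is double-clicked.
SCRIPT_EXTS = "vbs|vbe|js|jse|wsf|wsh|hta|ps1|bat|cmd|exe|scr|pif|lnk"
FILENAME_RE = re.compile(rb"([A-Za-z0-9_\-. ()]{1,80}\.(?:" + SCRIPT_EXTS.encode() + rb"))\x00", re.I)


def build_ole10native(label: str, src_path: str, payload: bytes) -> bytes:
    """Encode a \\x01Ole10Native stream; used here only to construct the sample."""
    temp_path = src_path.encode("ascii") + b"\x00"
    body = struct.pack("<H", 2)                      # flags, 2 in observed files
    body += label.encode("ascii") + b"\x00"          # display label (the embedded filename)
    body += src_path.encode("ascii") + b"\x00"       # path on the machine that built the doc
    body += struct.pack("<L", 0x00030000)            # unknown flags
    body += struct.pack("<L", len(temp_path)) + temp_path
    body += struct.pack("<L", len(payload)) + payload
    return struct.pack("<L", len(body)) + body       # leading size excludes itself


def parse_ole10native(stream: bytes) -> dict:
    """Decode a \\x01Ole10Native stream into label, paths and the embedded file bytes."""
    pos = 6                                           # skip size (4) and flags (2)
    end = stream.index(b"\x00", pos)
    label = stream[pos:end].decode("ascii", "replace")
    pos = end + 1
    end = stream.index(b"\x00", pos)
    src_path = stream[pos:end].decode("ascii", "replace")
    pos = end + 1 + 4                                 # skip the unknown flags
    (temp_len,) = struct.unpack_from("<L", stream, pos)
    pos += 4
    temp_path = stream[pos:pos + temp_len].rstrip(b"\x00").decode("ascii", "replace")
    pos += temp_len
    (data_len,) = struct.unpack_from("<L", stream, pos)
    pos += 4
    payload = stream[pos:pos + data_len]
    if len(payload) != data_len:
        raise ValueError("truncated Ole10Native stream")
    return {"label": label, "src_path": src_path, "temp_path": temp_path, "payload": payload}


def triage(data: bytes) -> dict:
    """Raw-byte indicators: a document with no macros can still contain executable content."""
    names = sorted({m.group(1).decode("ascii", "replace") for m in FILENAME_RE.finditer(data)})
    result = {
        "is_cfb": data.startswith(CFB_MAGIC),
        "has_vba_project": VBA_PROJECT_NAME in data,
        "has_ole10native": OLE10NATIVE_NAME in data,
        "has_packager": b"Packager Shell Object" in data or b"Package\x00" in data,
        "embedded_filenames": names,
    }
    if result["has_ole10native"] and names:
        result["verdict"] = "suspicious: embedded Package object carrying a script/executable"
    elif result["has_ole10native"] or result["has_vba_project"]:
        result["verdict"] = "review: active content present"
    else:
        result["verdict"] = "no embedded Package object or VBA project found"
    return result


# --- constructed sample: fragments of a .doc as the scanner would see them, not a real file ---
SAMPLE_SCRIPT = b'MsgBox "constructed stand-in for the downloader script"\r\n'
SAMPLE_STREAM = build_ole10native(
    "Silverlight_install.vbs", r"C:\Users\author\Desktop\Silverlight_install.vbs", SAMPLE_SCRIPT)
SAMPLE_DOC = (CFB_MAGIC + b"\x00" * 504                     # header-sized stub
              + "Root Entry".encode("utf-16-le") + b"\x00" * 44
              + "ObjectPool".encode("utf-16-le") + b"\x00" * 44
              + OLE10NATIVE_NAME + b"\x00" * 40
              + b"Package\x00Packager Shell Object\x00"     # \x01CompObj ProgID / user type
              + SAMPLE_STREAM)

if __name__ == "__main__":
    report = triage(SAMPLE_DOC)
    for key, value in report.items():
        print(f"{key}: {value}")
    info = parse_ole10native(SAMPLE_STREAM)
    print("embedded file:", info["label"], "->", info["payload"][:40])
```

On a real file, `triage()` runs over the raw bytes and will find the stream name and the label even when the stream itself is split across sectors; to decode the payload with `parse_ole10native()` first extract the `\x01Ole10Native` stream from the ObjectPool storage with a compound-file tool such as oledump.  Note the point the article makes: `has_vba_project` is False for this sample, yet the document still carries a runnable script.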

The current version of this hack no longer works because the keylogger has been removed from the external site whose address is hardcoded in the script.  That could change in a future attempt, with a fresh download site and the same document trick.

If the keylogger is installed, it records your keystrokes and emails the reports to the attacker.  It also bundles a password recovery tool to dig out saved passwords that Windows would normally keep hidden from other software.

Proofpoint has a good explanation (better than most) that goes into detail on how the hack works.